tag:help.appveyor.com,2012-11-13:/discussions/problems/32838-certificate-selection
AppVeyor: Discussion, updated 2022-09-21T21:03:32Z
Certificate Selection

Feodor Fitsner, 2022-07-21T13:38:55Z
<div><p>Hi Daniel,</p>
<p>There is more info about certificate field <a href="https://www.appveyor.com/docs/deployment/agent/#deploying-artifact-package-as-iis-web-site">here</a>:</p>
<blockquote>
<p><code>certificate</code> - Certificate associated with https binding. This value could be certificate name or thumbprint, for example <code>*.mydomain.com</code> or <code>0B2D18387549968CB4CC30F21D6CC4C0830B679B</code>.</p>
</blockquote></div>

daniel.shoubridge, 2022-07-21T13:47:13Z
<div><p>Hi, thanks for the quick response, I wasn't expecting one this quick and was updating the question to include more detail... I saw this and linked to it; unfortunately, it doesn't help. This is what we use to set which cert to pick up, we just want it to pick up the one that will last the longest rather than the first one that is found. Is that possible? Is it a feature request?</p></div>

Feodor Fitsner, 2022-07-21T13:51:23Z
<div><p>You could use certificate thumbprint if they have the same friendly name, no?</p></div>

daniel.shoubridge, 2022-07-21T13:56:36Z
<div><p>We don't want to use the cert thumbprint as that would mean updating multiple projects/deployments and we have strict rules/processes around deployments which means they are now quick to do (lots of hoops to jump through).</p></div>

Feodor Fitsner, 2022-07-21T14:05:10Z
<div><p>OK, I see.</p>
<p>Looking into the agent's code I see it does certificate lookup not only by "friendly name" and "thumbprint", but by "subject's simple name" as well. When you say "...both don't have a friendly name and both are for the same domain", so it could be finding by "simple name" then? If so, you could edit friendly name and use it for lookup, like <code>domain.com-2021</code> and <code>domain.com-2022</code>.</p></div>

daniel.shoubridge, 2022-07-21T15:10:14Z
<div><p>So we came across this problem initially as we set the friendly name, but then it turns out this is the same as searching by thumbprint - would mean we need to update code for each project and we don't want to do that (though rotating friendly name might work, but this leads to other issues due to our processes and server access). So searching by simple name works well. It's just picking up the "wrong one". I assume you are picking up first or default or something like that in the AppVeyor code... is it possible to order the results by the expiry date on the cert so that the most recent valid one is picked up?</p>
<p>e.g. get the X509CertificateCollection by querying the X509CertificateStore, then search the certs in there by expiry date where the valid from date > now?</p></div>

Feodor Fitsner, 2022-07-21T16:07:01Z
<div><p>Yeah, skipping expired certificates makes sense. We are going to fix that and release an update. Hold on.</p></div>

Feodor Fitsner, 2022-07-21T16:16:59Z
<div><p>OK, here you are: <a href="https://appveyordownloads.blob.core.windows.net/deployment-agent/6.3.3+3241/AppveyorDeploymentAgent.msi">https://appveyordownloads.blob.core.windows.net/deployment-agent/6....</a> - this update (not yet public) skips expired certificates. Please give it a try and let me know how it worked.</p></div>

daniel.shoubridge, 2022-07-22T08:37:03Z
<div><p>Thank you, we tested a deployment and this seems to have worked - instead of picking up the expired cert, it now picks up the new one. I didn't change anything other than installing the deployment agent you supplied and the behaviour has changed. So all good.</p></div>

Feodor Fitsner, 2022-07-22T15:16:51Z
<div><p>Cool, thanks for letting me know!</p></div>
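
The selection behaviour discussed in this thread (match by thumbprint, friendly name or subject simple name, skip certificates outside their validity window, prefer the latest expiry), as an added PowerShell example that is not part of the thread and not the AppVeyor agent's code. The function names, the candidate object shape and the sample certificates are assumptions constructed for illustration.

```powershell
# Added example, not the AppVeyor agent's implementation.
# Candidate objects carry: Thumbprint, FriendlyName, SimpleName, NotBefore, NotAfter.
function Select-BindingCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Candidates,
        [Parameter(Mandatory)] [string]   $Name,   # thumbprint, friendly name or simple name
        [datetime] $Now = (Get-Date)
    )
    $Candidates |
        Where-Object { $_.Thumbprint -eq $Name -or $_.FriendlyName -eq $Name -or $_.SimpleName -eq $Name } |
        Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now } |  # drop expired and not-yet-valid
        Sort-Object -Property NotAfter -Descending |                         # latest expiry first
        Select-Object -First 1
}

# Hypothetical helper: project real store entries into the shape above (Windows only).
function Get-StoreCandidate {
    param([string] $StorePath = 'Cert:\LocalMachine\My')
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            FriendlyName = $_.FriendlyName
            SimpleName   = $_.GetNameInfo($simple, $false)
            NotBefore    = $_.NotBefore
            NotAfter     = $_.NotAfter
        }
    }
}

# Constructed sample: four certificates for one domain, none with a friendly name.
function New-SampleCert([string] $Id, [string] $From, [string] $To) {
    [pscustomobject]@{
        Thumbprint = $Id; FriendlyName = ''; SimpleName = 'domain.example'
        NotBefore  = [datetime]$From; NotAfter = [datetime]$To
    }
}
$sample = @(
    (New-SampleCert 'SAMPLE-EXPIRED' '2021-07-01' '2022-07-01'),
    (New-SampleCert 'SAMPLE-SHORT'   '2022-06-01' '2022-12-01'),
    (New-SampleCert 'SAMPLE-LONGEST' '2022-06-15' '2023-06-15'),
    (New-SampleCert 'SAMPLE-FUTURE'  '2022-08-01' '2023-08-01')
)
$picked = Select-BindingCertificate -Candidates $sample -Name 'domain.example' -Now ([datetime]'2022-07-21')
"{0} (expires {1:yyyy-MM-dd})" -f $picked.Thumbprint, $picked.NotAfter
```

On a deployment server, passing the output of `Get-StoreCandidate` as `-Candidates` shows which certificate a given name resolves to before it is relied on for an https binding.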