Certificate Selection

21 Jul, 2022 01:31 PM

On a server, we have duplicate wildcard certificates, an old one and a new one for the same domain - there is overlap on the dates they are valid.

I don't know if something has changed, or it is just an issue on this server, but during deployment (to IIS) the older certificate is selected rather than the new one (I am sure this didn't happen last year when they were renewed). Both don't have a friendly name and both are for the same domain (wildcard). If I delete the old one I would expect this problem to go away (but I don't want to do that just yet).

I had a look at the docs, but couldn't find an answer to the question of how AppVeyor decides which one to use when you have multiple certs: https://www.appveyor.com/docs/deployment/agent/#deploying-artifact-...

How does AppVeyor decide which cert to use for the binding (when based on cert name)? We don't want to remove the old cert straight away and don't want to have to manually set many sites/bindings to use the new cert.

Ideally, during deployment, AppVeyor should select the cert it finds (based on the cert name) that has an expiry date furthest in the future. Is this possible? Is there a way to make this happen? Any further information that helps us understand this would be useful. Thanks.

This is also a problem when the old certificate has expired. We don't have access to the server and can't clean up old certificates, so need to rely on the new cert being picked up. We don't want to use the thumbprint as this changes for the new cert and would cause more overhead (as the name of the cert doesn't change if the latest one is always picked up, it keeps processes much simpler, and problems less likely to occur).

  1. Support Staff 1 Posted by Feodor Fitsner on 21 Jul, 2022 01:38 PM


    Hi Daniel,

    There is more info about the certificate field here:

    certificate - Certificate associated with https binding. This value could be certificate name or thumbprint, for example *.mydomain.com or 0B2D18387549968CB4CC30F21D6CC4C0830B679B.

  2. 2 Posted by daniel.shoubrid... on 21 Jul, 2022 01:47 PM


    Hi, thanks for the quick response. I wasn't expecting one this quick and was updating the question to include more detail. I saw this and linked to it; unfortunately, it doesn't help. This is what we use to set which cert to pick up, we just want it to pick up the one that will last the longest rather than the first one that is found. Is that possible? Is it a feature request?

  3. Support Staff 3 Posted by Feodor Fitsner on 21 Jul, 2022 01:51 PM


    You could use certificate thumbprint if they have the same friendly name, no?

  4. 4 Posted by daniel.shoubrid... on 21 Jul, 2022 01:56 PM


    We don't want to use the cert thumbprint as that would mean updating multiple projects/deployments, and we have strict rules/processes around deployments which means they are now quick to do (lots of hoops to jump through).

  5. Support Staff 5 Posted by Feodor Fitsner on 21 Jul, 2022 02:05 PM


    OK, I see.

    Looking into the agent's code I see it does certificate lookup not only by "friendly name" and "thumbprint", but by "subject's simple name" as well. You say "...both don't have a friendly name and both are for the same domain", so it could be finding by "simple name" then? If so, you could edit the friendly name and use it for lookup, like domain.com-2021 and domain.com-2022.

  6. 6 Posted by daniel.shoubrid... on 21 Jul, 2022 03:10 PM


    So we came across this problem initially as we set the friendly name, but then it turns out this is the same as searching by thumbprint: it would mean we need to update code for each project and we don't want to do that (though rotating the friendly name might work, this leads to other issues due to our processes and server access). So searching by simple name works well. It's just picking up the "wrong one". I assume you are picking up the first or default or something like that in the AppVeyor code... is it possible to order the results by the expiry date on the cert so that the most recent valid one is picked up?

    e.g. get the X509CertificateCollection by querying the X509CertificateStore, then search the certs in there by expiry date where the valid from date > now?
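The selection rule proposed above (match by subject simple name, ignore certificates outside their validity window, prefer the latest expiry), written out as a PowerShell function against the local machine store. This is an added example, not the AppVeyor agent's code; the function and parameter names are my own, and `*.mydomain.com` is the placeholder subject from the docs quoted earlier in the thread. It also reports which certificate a plain "first match in store order" lookup would have returned, so the difference the thread is about is visible.

```powershell
# Added example (not AppVeyor's agent code): pick the newest currently valid
# certificate whose subject simple name matches, rather than the first hit.
function Select-NewestValidCertificate {
    [CmdletBinding()]
    param(
        # Value compared against the subject's simple name, e.g. '*.mydomain.com'
        [Parameter(Mandatory)] [string] $SubjectName,
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [datetime] $Now = (Get-Date)
    )

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Every cert in the store whose subject simple name matches; this is the
    # lookup that applies when neither friendly name nor thumbprint matches.
    $byName = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $SubjectName })

    if ($byName.Count -eq 0) {
        throw "No certificate with subject simple name '$SubjectName' in $StorePath"
    }

    # Store order is what a naive first-hit lookup would bind; keep it for the report.
    $firstHit = $byName[0]

    # Usable for an https binding only if inside its validity window and it has a
    # private key (a public-only copy cannot terminate TLS).
    $valid = @($byName | Where-Object {
        $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and $_.HasPrivateKey
    })

    if ($valid.Count -eq 0) {
        throw "All $($byName.Count) certificate(s) named '$SubjectName' are expired, not yet valid, or lack a private key"
    }

    # Longest remaining validity wins; thumbprint is a deterministic tie-break.
    $chosen = $valid |
        Sort-Object -Property @{ Expression = 'NotAfter'; Descending = $true }, 'Thumbprint' |
        Select-Object -First 1

    [pscustomobject]@{
        SubjectName       = $SubjectName
        Candidates        = $byName.Count
        Valid             = $valid.Count
        FirstInStore      = $firstHit.Thumbprint
        FirstInStoreValid = ($valid.Thumbprint -contains $firstHit.Thumbprint)
        Chosen            = $chosen.Thumbprint
        ChosenNotAfter    = $chosen.NotAfter
    }
}

# Usage: compare the store-order pick with the newest valid one for the wildcard.
Select-NewestValidCertificate -SubjectName '*.mydomain.com' | Format-List
```

Run it in an elevated session on the IIS host, since `Cert:\LocalMachine\My` private-key information is only readable with administrative rights. When `FirstInStoreValid` is `False` and `Chosen` differs from `FirstInStore`, the host is in exactly the state described in this thread: a first-hit lookup would bind the stale certificate.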

  7. Support Staff 7 Posted by Feodor Fitsner on 21 Jul, 2022 04:07 PM


    Yeah, skipping expired certificates makes sense. We are going to fix that and release an update. Hold on.

  8. Support Staff 8 Posted by Feodor Fitsner on 21 Jul, 2022 04:16 PM


    OK, here you are: https://appveyordownloads.blob.core.windows.net/deployment-agent/6.... This update (not yet public) skips expired certificates. Please give it a try and let me know how it worked.

  9. 9 Posted by daniel.shoubrid... on 22 Jul, 2022 08:37 AM


    Thank you, we tested a deployment and this seems to have worked: instead of picking up the expired cert, it now picks up the new one. I didn't change anything other than installing the deployment agent you supplied, and the behaviour has changed. So all good.
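A way to confirm the outcome reported above without opening IIS Manager: list every IIS SSL binding together with the certificate it actually resolves to, and flag bindings whose certificate is missing, expired, or about to expire. This is an added check, not code from the thread or from the AppVeyor agent; it uses the `WebAdministration` module's `IIS:\SslBindings` drive and the `Cert:` drive, and the function name and the 30-day warning threshold are my own choices.

```powershell
# Added example (not from the thread): audit IIS https bindings against the
# certificates they point at, so a binding still on an old cert stands out.
Import-Module WebAdministration

function Get-IisSslBindingReport {
    param(
        [int] $WarnDays = 30,          # flag certs expiring within this many days
        [datetime] $Now = (Get-Date)
    )

    Get-ChildItem -Path IIS:\SslBindings | ForEach-Object {
        # Binding records carry the store name; default to My when absent.
        $store = if ($_.Store) { $_.Store } else { 'My' }
        $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($_.Thumbprint)" -ErrorAction SilentlyContinue

        if ($cert) {
            $daysLeft = [int]($cert.NotAfter - $Now).TotalDays
            $subject  = $cert.Subject
            $notAfter = $cert.NotAfter
        } else {
            $daysLeft = $null
            $subject  = '<not found in store>'
            $notAfter = $null
        }

        $status = if (-not $cert)                { 'MISSING'  }
                  elseif ($daysLeft -lt 0)       { 'EXPIRED'  }
                  elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                  else                           { 'OK'       }

        [pscustomobject]@{
            IPAddress  = $_.IPAddress
            Port       = $_.Port
            Host       = $_.Host
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $subject
            NotAfter   = $notAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Usage: worst bindings first; anything not 'OK' deserves attention after a deploy.
Get-IisSslBindingReport | Sort-Object DaysLeft | Format-Table -AutoSize
```

Because the report keys on the thumbprint the binding actually holds, it tells you what IIS is serving regardless of how the deployment tool chose the certificate. Running it before and after an agent upgrade gives a concrete before/after record of the change rather than relying on a browser check alone.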

  10. Support Staff 10 Posted by Feodor Fitsner on 22 Jul, 2022 03:16 PM


    Cool, thanks for letting me know!

  11. Feodor Fitsner closed this discussion on 21 Sep, 2022 09:03 PM.
