Import Certificate for specific user can result in duplicate certificates in store #3661

Closed
MJRichardson opened this issue Jul 12, 2017 · 3 comments
Labels
feature/certificates kind/bug This issue represents a verified problem we are committed to solving

@MJRichardson

To reproduce:

  1. Use the Import Certificate step to import a certificate for a specified user
  2. Execute code as the specified user which reads the certificate from the store using the X509Store class.
  3. Repeat step 1

This should result in this code being executed in Calamari.

Instead, the certificate is again added to the store.

Reported by http://help.octopusdeploy.com/discussions/problems/55611

@MJRichardson MJRichardson added area/scale kind/bug This issue represents a verified problem we are committed to solving feature/certificates labels Jul 12, 2017
@MJRichardson MJRichardson self-assigned this Jul 12, 2017
@MJRichardson

This issue appears to occur when the certificate was initially imported not by Octopus (i.e. a user other than the user the Tentacle executes as).

The certificate file is written to different places, depending on the circumstances.

For example, it seems that when Octopus imports the certificate for another user (i.e. not the Tentacle) it writes the certificate to the user's registry.

HKEY_USERS
   UserName
      Software
         Microsoft
            SystemCertificates

Then, when accessing the certificate as that user, the certificate is moved to their roaming profile:

C:\Users\UserName\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates

At this point, importing the certificate again with Octopus may cause the problem; effectively two certificates in the store.

Unfortunately the Windows Crypto API (CAPI) code is not open-source. And I can't find any definitive documentation for the behaviour in situations like this.

Given we are relying on the Windows libraries, I'm not sure exactly how we would resolve this.

I have added a recommendation to our docs to allow Octopus to perform the initial import.
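
An added example, not part of the issue thread and not Octopus or Calamari code: a PowerShell check, run as the affected user, that looks for the same thumbprint in both locations named above and for thumbprints that X509Store returns more than once. The `My\Certificates` sub-paths, the thumbprint-named entries and the helper name `Get-PhysicalThumbprints` are assumptions about the usual Windows layout, not details taken from the thread.

```powershell
# Added example: audit the current user's "My" store for the duplicate
# described in this issue. Run it as the user the certificate was imported for.

# Assumption: each certificate is stored as an entry named by its SHA-1 thumbprint,
# either as a registry subkey or as a file in the roaming profile.
$registryPath = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'
$profilePath  = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'

function Get-PhysicalThumbprints {
    param([string]$Path)
    # A missing location simply means no certificates are stored there.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() } |
        Where-Object { $_ -match '^[0-9A-F]{40}$' }
}

$inRegistry = @(Get-PhysicalThumbprints -Path $registryPath)
$inProfile  = @(Get-PhysicalThumbprints -Path $profilePath)

# Thumbprints that exist in both physical locations at once.
$inBoth = @($inRegistry | Where-Object { $inProfile -contains $_ })

# Logical view: what code using X509Store (step 2 of the repro) would see.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $logicalDuplicates = @($store.Certificates |
        Group-Object Thumbprint |
        Where-Object { $_.Count -gt 1 })
}
finally {
    $store.Close()
}

foreach ($thumbprint in $inBoth) {
    Write-Output "Present in registry and roaming profile: $thumbprint"
}
foreach ($group in $logicalDuplicates) {
    Write-Output ("Returned {0} times by X509Store: {1} ({2})" -f `
        $group.Count, $group.Name, $group.Group[0].Subject)
}
if (-not $inBoth -and -not $logicalDuplicates) {
    Write-Output 'No duplicate certificates found.'
}
```

The script only reads the registry key, the profile directory and the store; it does not remove anything.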

lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018