Certificate Library
The certificate library (Library → Certificates) is the central store of SSL/TLS certificates that deployment steps install on targets, most often to back IIS HTTPS bindings. Only users with the System Administrator role can add or modify entries in the library.
Adding certificates
Certificates can be added in three ways:
- Upload file: accepts .pfx/.p12 (PKCS#12), .pem, .cer/.crt (DER). Provide the password for protected PKCS#12 files.
- Paste text: PEM-encoded or base64-encoded certificate content pasted directly into the form. Provide the password if required.
- Create self-signed: fDeploy generates a certificate from a Common Name. The elliptic curve is selectable (NIST P-384 default, or P-256). Useful for development and internal-only services; do not use self-signed certificates for anything clients outside your organisation will hit.
For every method, an optional Name and Description can be provided, and the certificate can be restricted to specific environments: an empty environment list makes the certificate available everywhere, and a non-empty list prevents its use outside the selected environments. Name falls back to the certificate subject if left blank.
Archive vs. delete
Certificates support soft-delete via Archive. An archived certificate is hidden from pickers but retained in the database and can be restored with Unarchive. Archived certificates already deployed on a target are not removed from the target; removal is a target-side operation fDeploy doesn't perform.
Delete is permanent and cannot be undone. Prefer Archive for everyday lifecycle; reserve Delete for genuinely unwanted content (e.g. mistakenly uploaded private keys from another system).
Deployment behavior
During deployment, fDeploy Agent installs the selected certificate into the LocalMachine\My certificate store on each target machine so IIS can bind to it. If a certificate with the same thumbprint already exists on the target, installation is skipped (re-deployments are idempotent). The agent does not remove previously deployed certificates when a binding is reconfigured to use a different certificate; clean-up, if needed, must be done outside fDeploy.
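Because superseded certificates and their private keys stay in LocalMachine\My, a periodic target-side audit helps with the clean-up described above. The following is an added example, not part of fDeploy: `Find-UnboundCertificate` is a hypothetical helper and the sample thumbprints are constructed. It only reports, because LocalMachine\My is shared with services other than IIS and an unbound certificate may still be in use elsewhere.

```powershell
# Added example (not fDeploy code). Lists certificates in a store snapshot that
# no IIS SSL binding references, as candidates for manual review and removal.
function Find-UnboundCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Installed,   # needs Thumbprint, Subject, NotAfter
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $BoundThumbprints
    )
    # Tools differ on thumbprint case and spacing, so normalise before comparing.
    $bound = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($t in $BoundThumbprints) {
        if ($t) { [void]$bound.Add(($t -replace '\s', '')) }
    }
    foreach ($cert in $Installed) {
        $tp = $cert.Thumbprint -replace '\s', ''
        if (-not $bound.Contains($tp)) {
            [pscustomobject]@{
                Thumbprint = $tp.ToUpperInvariant()
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
            }
        }
    }
}

# Constructed sample data: one certificate still bound, one left behind after a
# binding was switched to a newer certificate.
$sampleInstalled = @(
    [pscustomobject]@{ Thumbprint = ('A1' * 20); Subject = 'CN=app.example.test'
                       NotAfter = (Get-Date).AddDays(200) }
    [pscustomobject]@{ Thumbprint = ('b2' * 20); Subject = 'CN=app.example.test'
                       NotAfter = (Get-Date).AddDays(-30) }
)
$sampleBound = @(('a1 ' * 20))   # same thumbprint, lower case with spaces

Find-UnboundCertificate -Installed $sampleInstalled -BoundThumbprints $sampleBound |
    Format-Table -AutoSize       # reports only the B2... certificate, Expired = True

# On a target, in an elevated session with the WebAdministration module:
#   Import-Module WebAdministration
#   $installed = Get-ChildItem Cert:\LocalMachine\My
#   $bound     = @(Get-ChildItem IIS:\SslBindings | ForEach-Object Thumbprint)
#   Find-UnboundCertificate -Installed $installed -BoundThumbprints $bound
```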