From 4df0f6eaadb62f24a35841297610af7c5697e03b Mon Sep 17 00:00:00 2001
From: Farhan Alam
Date: Thu, 9 Apr 2026 18:29:52 -0500
Subject: [PATCH 1/5] formatting
---
 step-templates/windows-certificate-grant-read-access.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/step-templates/windows-certificate-grant-read-access.json b/step-templates/windows-certificate-grant-read-access.json
index 0993bc093..5a2578744 100644
--- a/step-templates/windows-certificate-grant-read-access.json
+++ b/step-templates/windows-certificate-grant-read-access.json
@@ -5,7 +5,7 @@ "ActionType": "Octopus.Script", "Version": 12, "Properties": { - "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n \r\n Try\r\n {\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My |where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $TPrint = $WorkingCert.Thumbprint\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n if($TPrint){\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n }\r\n else{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n $keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n $fullPath=$keyPath+$rsaFile\r\n $acl=Get-Acl -Path $fullPath\r\n $permission=$userName,\"Read\",\"Allow\"\r\n $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission\r\n $acl.AddAccessRule($accessRule)\r\n Try \r\n {\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to set ACL on certificate\"\r\n }", + "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $TPrint = 
$WorkingCert.Thumbprint\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n if($TPrint)\r\n {\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n }\r\n else\r\n {\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n$fullPath = $keyPath + $rsaFile\r\n$acl= Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", "Octopus.Action.Script.Syntax": "PowerShell" }, "SensitiveProperties": {}, From 6ed289278b6c096344d155c51b691a4d0ce96e3a Mon Sep 17 00:00:00 2001 From: Farhan Alam Date: Thu, 9 Apr 2026 18:30:55 -0500 Subject: [PATCH 2/5] Reduced nesting --- step-templates/windows-certificate-grant-read-access.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/step-templates/windows-certificate-grant-read-access.json b/step-templates/windows-certificate-grant-read-access.json index 5a2578744..d0df9060b 100644 --- a/step-templates/windows-certificate-grant-read-access.json +++ b/step-templates/windows-certificate-grant-read-access.json 
@@ -5,7 +5,7 @@ "ActionType": "Octopus.Script", "Version": 12, "Properties": { - "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $TPrint = $WorkingCert.Thumbprint\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n if($TPrint)\r\n {\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n }\r\n else\r\n {\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n$fullPath = $keyPath + $rsaFile\r\n$acl= Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", + "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $rsaFile = 
$WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n$fullPath = $keyPath + $rsaFile\r\n$acl= Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", "Octopus.Action.Script.Syntax": "PowerShell" }, "SensitiveProperties": {}, From 995908e2ab5444a78930c3c6f3608b60d4b8a94a Mon Sep 17 00:00:00 2001 From: Farhan Alam Date: Thu, 9 Apr 2026 18:53:23 -0500 Subject: [PATCH 3/5] Support Key Storage Provider Keeping legacy CSP support in place --- step-templates/windows-certificate-grant-read-access.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/step-templates/windows-certificate-grant-read-access.json b/step-templates/windows-certificate-grant-read-access.json index d0df9060b..7ae644b29 100644 --- a/step-templates/windows-certificate-grant-read-access.json +++ b/step-templates/windows-certificate-grant-read-access.json 
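Review bot: The certificate selection on the added ScriptBody line does not do what the comment above it promises: in `sort $_.NotAfter -Descending`, `$_` is not bound outside a script block, so the property argument is most likely `$null` and the pipeline is not ordered by expiry; `Sort-Object -Property NotAfter -Descending` would be. On the same line, `-match $certCN` is an unanchored regular-expression match against the whole Subject, so a dot in the CN matches any character and a short CN also matches longer subjects. Because the selected certificate's private key is the one that receives the new read ACL, picking the wrong certificate grants key access nobody asked for; escaping the value with `[regex]::Escape($certCN)` or selecting by thumbprint would narrow the match. The same line also appears in the [PATCH 1/5] and [PATCH 3/5] hunks.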
@@ -5,7 +5,7 @@ "ActionType": "Octopus.Script", "Version": 12, "Properties": { - "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n$fullPath = $keyPath + $rsaFile\r\n$acl= Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", + "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n}\r\nCatch\r\n{\r\n 
throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)\r\nif ($null -eq $key) {\r\n throw \"Private key not found or unsupported algorithm (non-RSA).\"\r\n}\r\n\r\nif ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq \"RSACng\") {\r\n $rsaFile = $key.Key.UniqueName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\Keys\\$rsaFile\"\r\n} else {\r\n # Legacy CSP\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\RSA\\MachineKeys\\$rsaFile\"\r\n}\r\n\r\n$acl = Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", "Octopus.Action.Script.Syntax": "PowerShell" }, "SensitiveProperties": {}, From 59d231363b0a2eb353cc331fa71ed3869ec35bcf Mon Sep 17 00:00:00 2001 From: Farhan Alam Date: Thu, 9 Apr 2026 19:29:35 -0500 Subject: [PATCH 4/5] updated metadata --- step-templates/windows-certificate-grant-read-access.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/step-templates/windows-certificate-grant-read-access.json b/step-templates/windows-certificate-grant-read-access.json index 7ae644b29..bdea8f298 100644 --- a/step-templates/windows-certificate-grant-read-access.json 
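Review bot: The new CNG branch builds `$fullPath` under `Microsoft\Crypto\Keys` without checking that a key file exists there, and `Get-Acl` and `AddAccessRule` still run outside any `Try`. That location presumably holds only for machine keys kept by the software key storage provider; for a key in another provider, or a legacy CSP key that the runtime hands back from `GetRSAPrivateKey` as `RSACng`, `Get-Acl` fails and, unless errors are terminating, the step ends with a null-method error on `$acl.AddAccessRule` rather than a clear message. A guard before `Get-Acl` would make that explicit: `if (-not (Test-Path -LiteralPath $fullPath)) { throw "Private key file not found at $fullPath" }`. The `$key -is [System.Security.Cryptography.CngKey]` test looks unreachable because `GetRSAPrivateKey` returns an `RSA` object, so the type-name comparison is doing all the work. Writing `$fullPath` to the log next to the "Granting read access" line would also let the ACL change on the private key be audited afterwards.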
+++ b/step-templates/windows-certificate-grant-read-access.json 
@@ -3,7 +3,7 @@ "Name": "Windows - Certificate Grant Read Access", "Description": "Grant read access to certificate for a specific user", "ActionType": "Octopus.Script", - "Version": 12, + "Version": 13, "Properties": { "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)\r\nif ($null -eq $key) {\r\n throw \"Private key not found or unsupported algorithm (non-RSA).\"\r\n}\r\n\r\nif ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq \"RSACng\") {\r\n $rsaFile = $key.Key.UniqueName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\Keys\\$rsaFile\"\r\n} else {\r\n # Legacy CSP\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\RSA\\MachineKeys\\$rsaFile\"\r\n}\r\n\r\n$acl = Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on 
certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n", "Octopus.Action.Script.Syntax": "PowerShell" @@ -30,7 +30,7 @@ } ], "LastModifiedOn": "2015-01-30T14:37:16.927+00:00", - "LastModifiedBy": "ARBNIK@skandianet.org", + "LastModifiedBy": "farhanalam", "$Meta": { "ExportedAt": "2015-01-30T14:39:14.212+00:00", "OctopusVersion": "2.6.0.778", From 38afc44884b27af795125f56012d2e36522f4a46 Mon Sep 17 00:00:00 2001 From: Farhan Alam Date: Thu, 16 Apr 2026 08:21:30 -0500 Subject: [PATCH 5/5] updated metadata --- step-templates/windows-certificate-grant-read-access.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/step-templates/windows-certificate-grant-read-access.json b/step-templates/windows-certificate-grant-read-access.json index bdea8f298..3d84be563 100644 --- a/step-templates/windows-certificate-grant-read-access.json +++ b/step-templates/windows-certificate-grant-read-access.json @@ -29,11 +29,11 @@ } } ], - "LastModifiedOn": "2015-01-30T14:37:16.927+00:00", + "LastModifiedOn": "2026-04-16T08:20:36.117-05:00", "LastModifiedBy": "farhanalam", "$Meta": { - "ExportedAt": "2015-01-30T14:39:14.212+00:00", - "OctopusVersion": "2.6.0.778", + "ExportedAt": "2026-04-16T13:19:49.359Z", + "OctopusVersion": "2026.1.11242", "Type": "ActionTemplate" }, "Category": "windows"