Hi, assuming we’re talking about the same thing, the certificate thumbprint is a hash of the entire certificate and includes valid to/from dates so you will never get the same certificate thumbprint (it’s there so the OS can validate that it’s bound to the correct cert).
There are a few people using Octopus with Certify but I don’t know their individual workflows. If you check ‘Show advanced options’ you can add a script (powershell) to do whatever you need with the new certificate (and it’s new thumbprint), so in your case I’d suggest telling Octopus the new thumbprint to use.
The next major release of the app will have new extended deployment options including controlling how deployment (if any) happens outside of the renewal process, so you can renew regularly but only deploy when you want to. I’ll look at an option to preserve CSR private key between renewals but it doesn’t come up that often.