Installing private key agents

The private key agent is distributed as a Windows Installer package, Linux self-extracting installer, and Linux native packages.

Installation package Description

Windows Installer

The Windows Installer package is a self-contained executable that has no external dependencies.

The installer performs an integrity check before extracting.

Linux self-extracting installer

The Linux self-extracting installer is a self-contained executable that has no external dependencies.

The installer performs an integrity check before extracting.

Linux native packages (DEB/RPM)

The Linux native packages use Linux package managers such as APT/YUM to pull the packages from Sectigo during installation.

The DEB metadata and RPM package are digitally signed by Sectigo using GPG.

Installation requirements

To install a private key agent, the following requirements must be satisfied:

  • Windows

  • Linux

To install a private key agent on Windows, the following requirements must be satisfied:

  • Local administrator rights

  • Windows OS

    • Windows 2008 or later

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Inbound TCP port 9091

  • Key storage:

    • Local storage: No additional requirements

    • Azure Key Vault:

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Transit secrets engine enabled

        For more information, see Transit secrets engine.
      • Access token or AppRole RoleId and SecretId with permission on the transit secrets API

To install a private key agent on Linux, the following requirements must be satisfied:

  • sudo permissions

  • Linux OS:

    • CentOS 7.x, Stream 8, Stream 9

    • RHEL 7.x, 8.x, 9.x

    • Debian 10, 11

    • Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Inbound TCP port 9091

  • Key storage:

    • Local storage: No additional requirements

    • Azure Key Vault:

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Transit secrets engine enabled

        For more information, see Transit secrets engine.
      • Access token or AppRole RoleId and SecretId with permission on the transit secrets API

Add a private key agent to SCM

  1. Navigate to Integrations  Private Key Agent and click the Add icon.

    SCM currently only supports one private key agent at a time. Adding a new private key agent will remove any existing one from SCM.
    Add Private Key Agent

    The agent should now be listed on the Private Key Agent page with a status of Pending.

  2. Copy the installation token for use during installation.

    Private Key Agent Installation Token
  3. Download the agent with the Windows or Linux Self-Extracting installation package link.

    Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.

Install a private key agent

  • Windows

  • Windows ( CLI )

  • Linux Self-Extracting

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

The Windows installer has limited configuration options. Additional configuration options are available when installing the private key agent through the Windows CLI.
  1. Run the executable.

  2. Read the EULA, select I agree to the license terms and conditions, and click Install.

  3. Click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

  6. Click Next, and paste the agent installation token.

    If needed, you can retrieve the installation token from the Integrations  Private Key Agent page. This token is no longer available once the agent connects to SCM for the first time.
  7. Click Next.

  8. (Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

    Field Description

    Proxy URL

    The hostname or IP address and port number used by your proxy server.

    • Host only — host

    • Host and port — host:port

    Proxy User

    The username for accessing the proxy server if configured to use credentials.

    Proxy Password

    The password for accessing the proxy server if configured to use credentials.

  9. Click Next.

  10. Select and configure key storage based on the information provided in the following table.

    Provider Steps

    Local

    1. Select Local.

    2. Click Next.

    Azure Key Vault

    1. Select Azure Key Vault.

    2. Click Next.

    3. Provide the following:

      • Azure Vault Name — The unique name used for your Azure Key Vault.

      • Azure Tenant ID — The unique 32-character GUID that represents your organization in Azure AD.

      • Azure Client ID — The unique 32-character GUID that represents your application in Azure AD.

      • Azure Client Secret — The secure key or password associated with your application’s Client ID.

    4. Click Next.

    HashiCorp Vault

    1. Select HashiCorp Vault.

    2. Click Next.

    3. Provide the following:

      • Vault URL — The address where your HashiCorp Vault server is running.

      • Transit API path — The specific endpoint within Vault where you can interact with the Transit secret engine.

      • Vault Access Token — The authentication token used for accessing HashiCorp Vault.

    4. Click Next.

  11. Click Next, Next, Install, Finish, and then Close.

The agent should now be listed on the Private Key Agent page with a status of Connected.

For Windows, the private key agent logs are stored in %PROGRAMDATA%\Sectigo\PK Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\PK Agent\conf.
  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the executable.

  3. Modify the installation command as needed.

    .\Sectigo_Pk_Agent.exe /i /q PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=

    Options without an included value are ignored.

    The command options are outlined in the following table.

    Option Description

    /i

    Initiates installation of the agent through the executable.

    /q

    Runs the installation in silent mode so no interaction is required.

    PROPERTY_TOKEN

    The mandatory installation token.

    PROPERTY_USE_PROXY

    Indicates whether you are using a proxy server.

    • 1 (Yes)

    • Empty (No)

    PROPERTY_PROXY_URL

    The hostname or IP address and port number used by your proxy server.

    • Host only — host

    • Host and port — host:port

    PROPERTY_PROXY_USER

    The username for accessing the proxy server if configured to use credentials.

    PROPERTY_PROXY_PASSWORD

    The password for accessing the proxy server if configured to use credentials.

    If needed, you can retrieve the installation token from the Integrations  Private Key Agent page. This token is no longer available once the agent connects to SCM for the first time.
  4. Run the modified installation command.

  5. Configure key storage.

    1. Run the private key agent configuration utility.

      pkagent.exe config interactive
    2. Skip providing the installation token.

    3. Skip changing proxy settings.

    4. Enter y to update key storage provider.

    5. Specify which key storage provider you want to use.

    6. Complete the key storage configuration based on the information provided in the following table.

      Parameter Description

      Azure Key Vault

      Azure Vault Name

      The unique name used for your Azure Key Vault.

      Azure Tenant ID

      The unique 32-character GUID that represents your organization in Azure AD.

      Azure Client ID

      The unique 32-character GUID that represents your application in Azure AD.

      Azure Client Secret

      The secure key or password associated with your application’s Client ID.

      Local Storage

      Path on disk to store keys

      The location where you want to store the encrypted file.

      Password to encrypt the keys on disk

      A password to secure the encrypted file.

      HashiCorp Vault

      Vault URL

      The address where your HashiCorp Vault server is running.

      Transit API path

      The specific endpoint within Vault where you can interact with the Transit secret engine.

      Vault Access Token

      The authentication token used for accessing HashiCorp Vault.

      AppRole ID

      The authentication ID used for accessing HashiCorp Vault.

      AppRole Secret

      The secure key or password associated with your AppRole ID.

  6. Choose the download file name convention.

    The command options are outlined in the following table.

    Option Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

The agent should now be listed on the Private Key Agent page with a status of Connected.

For Windows, the private key agent logs are stored in %PROGRAMDATA%\Sectigo\PK Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\PK Agent\conf.
  1. Give execute permission to the installer binary.

    chmod +x sectigo-pk-agent.bin
  2. Run the installer.

    sudo ./sectigo-pk-agent.bin
  3. Accept the EULA.

  4. When prompted, paste the agent installation token.

    If needed, you can retrieve the installation token from the Integrations  Private Key Agent page. This token is no longer available once the agent connects to SCM for the first time.
  5. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  6. Configure key storage.

    1. Specify which key storage provider you want to use.

    2. Complete the key storage configuration based on the information provided in the following table.

      Parameter Description

      Azure Key Vault

      Azure Vault Name

      The unique name used for your Azure Key Vault.

      Azure Tenant ID

      The unique 32-character GUID that represents your organization in Azure AD.

      Azure Client ID

      The unique 32-character GUID that represents your application in Azure AD.

      Azure Client Secret

      The secure key or password associated with your application’s Client ID.

      Local Storage

      Path on disk to store keys

      The location where you want to store the encrypted file.

      Password to encrypt the keys on disk

      A password to secure the encrypted file.

      HashiCorp Vault

      Vault URL

      The address where your HashiCorp Vault server is running.

      Transit API path

      The specific endpoint within Vault where you can interact with the Transit secret engine.

      Vault Access Token

      The authentication token used for accessing HashiCorp Vault.

      AppRole ID

      The authentication AppRole ID used for accessing HashiCorp Vault.

      AppRole Secret

      The secure key or password associated with your AppRole ID.

  7. Choose the download file name convention.

    The command options are outlined in the following table.

    Option Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

The agent should now be listed on the Private Key Agent page with a status of Connected.

For Linux, the private key agent logs are stored in /var/opt/sectigo-pk-agent/logs and the configuration files are stored in /var/opt/sectigo-pk-agent/conf.
  1. Add the GPG key to your system.

    curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
  2. Verify the GPG key.

    gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg

    The GPG key fingerprint should match the following:

    FCB9 DC04 DE50 2CBA 0F39 BFAF BFB4 716B 93A8 397B

  3. Add the repository.

    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
  4. Update the local package index.

    sudo apt-get update
  5. Install the private key agent.

    sudo apt-get install sectigo-pk-agent
  6. Configure the private key agent.

    sudo /opt/sectigo-pk-agent/bin/pkagent config interactive
  7. When prompted, paste the agent installation token.

    If needed, you can retrieve the installation token from the Integrations  Private Key Agent page. This token is no longer available once the agent connects to SCM for the first time.
  8. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  9. Configure key storage.

    1. Specify which key storage provider you want to use.

    2. Complete the key storage configuration based on the information provided in the following table.

      Parameter Description

      Azure Key Vault

      Azure Vault Name

      The unique name used for your Azure Key Vault.

      Azure Tenant ID

      The unique 32-character GUID that represents your organization in Azure AD.

      Azure Client ID

      The unique 32-character GUID that represents your application in Azure AD.

      Azure Client Secret

      The secure key or password associated with your application’s Client ID.

      Local Storage

      Path on disk to store keys

      The location where you want to store the encrypted file.

      Password to encrypt the keys on disk

      A password to secure the encrypted file.

      HashiCorp Vault

      Vault URL

      The address where your HashiCorp Vault server is running.

      Transit API path

      The specific endpoint within Vault where you can interact with the Transit secret engine.

      Vault Access Token

      The authentication token used for accessing HashiCorp Vault.

      AppRole ID

      The authentication ID used for accessing HashiCorp Vault.

      AppRole Secret

      The secure key or password associated with your AppRole ID.

  10. Choose the download file name convention.

    The command options are outlined in the following table.

    Option Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

  11. Start the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent start
    • systemd Linux:

      sudo systemctl start sectigo-pk-agent

The agent should now be listed on the Private Key Agent page with a status of Connected.

For Linux, the private key agent logs are stored in /var/opt/sectigo-pk-agent/logs and the configuration files are stored in /var/opt/sectigo-pk-agent/conf.
  1. Add the repository.

    sudo yum-config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-pk-agent.repo
  2. Install the private key agent.

    sudo yum install sectigo-pk-agent

    When prompted to accept the GPG key, confirm the fingerprint matches the following:

    0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

  3. Configure the private key agent.

    sudo /opt/sectigo-pk-agent/bin/pkagent config interactive
  4. When prompted, paste the agent installation token.

  5. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  6. Configure key storage.

    1. Specify which key storage provider you want to use.

    2. Complete the key storage configuration based on the information provided in the following table.

      Parameter Description

      Azure Key Vault

      Azure Vault Name

      The unique name used for your Azure Key Vault.

      Azure Tenant ID

      The unique 32-character GUID that represents your organization in Azure AD.

      Azure Client ID

      The unique 32-character GUID that represents your application in Azure AD.

      Azure Client Secret

      The secure key or password associated with your application’s Client ID.

      Local Storage

      Path on disk to store keys

      The location where you want to store the encrypted file.

      Password to encrypt the keys on disk

      A password to secure the encrypted file.

      HashiCorp Vault

      Vault URL

      The address where your HashiCorp Vault server is running.

      Transit API path

      The specific endpoint within Vault where you can interact with the Transit secret engine.

      Vault Access Token

      The authentication token used for accessing HashiCorp Vault.

      AppRole ID

      The authentication ID used for accessing HashiCorp Vault.

      AppRole Secret

      The secure key or password associated with your AppRole ID.

  7. Choose the download file name convention.

    The command options are outlined in the following table.

    Option Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

  8. Start the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent start
    • systemd Linux:

      sudo systemctl start sectigo-pk-agent

The agent should now be listed on the Private Key Agent page with a status of Connected.

For Linux, the private key agent logs are stored in /var/opt/sectigo-pk-agent/logs and the configuration files are stored in /var/opt/sectigo-pk-agent/conf.

Updating private key agents

Update to a new agent version

Because of incompatibility between private key agent version 2.0 and earlier versions, updating from earlier versions requires a new installation. In order to ensure a seamless transition to the new agent, it is suggested that you do the following:

  1. Back up your private keys.

  2. Uninstall the private key agent.

  3. Install the new private key agent.

  4. In SCM, navigate to the Private Key Agent page and verify that the agent is connected and showing the correct version.

  5. Restore your private keys.

Update proxy server details

  • Windows ( CLI )

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

To update the proxy server information for your existing private key agent, do the following:

  1. In a terminal, navigate to the private key agent install location.

  2. Run the private key agent configuration utility.

    pkagent.exe config interactive
  3. Skip providing the installation token.

  4. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  5. Skip changing the key storage provider.

  6. Restart the private key agent.

    sc stop SectigoPkAgent
    sc start SectigoPkAgent

To update the proxy server information for your existing private key agent, do the following:

  1. In a terminal, navigate to the private key agent install location.

  2. Run the private key agent configuration utility.

    sudo pkagent config interactive
  3. Skip providing the installation token.

  4. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  5. Skip changing the key storage provider.

  6. Restart the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-pk-agent

To update the proxy server information for your existing private key agent, do the following:

  1. In a terminal, navigate to the private key agent install location.

  2. Run the private key agent configuration utility.

    sudo pkagent config interactive
  3. Skip providing the installation token.

  4. Configure proxy settings.

    1. Specify whether you want to use proxy settings.

    2. Complete proxy configuration based on the information provided in the following table.

      Parameter Description

      Please enter proxy URL

      The hostname or IP address and port number used by your proxy server.

      • Host only — host

      • Host and port — host:port

      Please enter username to authenticate to proxy

      The username for accessing the proxy server if configured to use credentials.

      Please enter password to authenticate to proxy

      The password for accessing the proxy server if configured to use credentials.

  5. Skip providing the installation token.

  6. Restart the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-pk-agent

Configure a local SSL certificate replacement

The private key agent hosts the SSL endpoint to download private key files using a fixed certificate included in the installer. Alternatively, you can configure the private key agent to utilize your own SSL certificate to secure the certificate download site. As long as the certificate remains valid, this will prevent any SSL warnings when downloading private keys.

  • Windows ( CLI )

  • Linux

  1. In a terminal, navigate to the private key agent install location.

  2. Update the private key agent configuration.

    pkagent.exe config --cert_path <pathToCertificate> --cert_file_password <certificatePassword>

    The command options are outlined in the following table.

    Option Description

    cert_path

    The path to the .p12, .jks, or .pem (CERTIFICATE block, and PRIVATE KEY or ENCRYPTED PRIVATE KEY) certificate to be used in securing private key agent certificate downloads.

    cert_file_password

    The password for the certificate.

  3. Restart the private key agent.

    sc stop SectigoPkAgent
    sc start SectigoPkAgent
  1. In a terminal, navigate to the private key agent install location.

  2. Update the private key agent configuration.

    sudo pkagent config --cert_path <pathToCertificate> --cert_file_password <certificatePassword>

    The command options are outlined in the following table.

    Option Description

    cert_path

    The path to the .p12, .jks, or .pem (CERTIFICATE block, and PRIVATE KEY or ENCRYPTED PRIVATE KEY) certificate to be used in securing private key agent certificate downloads.

    cert_file_password

    The password for the certificate.

  3. Restart the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-pk-agent

Update certificate download naming convention

You can update the agent’s file naming convention for certificate downloads.

  • Windows ( CLI )

  • Linux

  1. In a terminal, navigate to the private key agent install location.

  2. Update the agent’s file naming convention for certificate downloads.

    pkagent config --download_file_name <formatValue>

    The command format values are outlined in the following table.

    Value Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

  3. Restart the private key agent.

    sc stop SectigoPkAgent
    sc start SectigoPkAgent
  1. In a terminal, navigate to the private key agent install location.

  2. Update the agent’s file naming convention for certificate downloads.

    pkagent config --download_file_name <formatValue>

    The command format values are outlined in the following table.

    Value Description

    cert_{ID}.ext

    The file will be saved with the ID of the certificate.

    \{common name}.ext

    The file will be saved with the common name of the certificate.

    {subject}.ext

    The file will be saved with the subject of the certificate.

  3. Restart the private key agent service.

    • SysVinit Linux:

      sudo service sectigo-pk-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-pk-agent

Uninstall a private key agent

  • Windows

  • Linux Self-Extracting

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

  1. Navigate to Settings  Apps & features.

  2. Search for Sectigo Private Key Agent.

  3. Select the Sectigo Private Key Agent and click Uninstall.

  4. Click Uninstall.

  5. Click Uninstall.

  6. Click Close.

  7. (Optional) Delete the files and logs associated with the private key agent.

    1. Navigate to C:\ProgramData\Sectigo.

    2. Delete the PK Agent folder.

      This cannot be undone. When using Local key storage, you must back up or export your keys before deleting this file to prevent losing your private keys. Only delete this folder if you want to completely remove all files and logs related to the agent.
  1. Stop the private key agent service.

    sudo service sectigo-pk-agent stop
  2. Navigate to the /etc/init.d directory.

  3. Delete the sectigo-pk-agent directory.

  4. Delete the private key agent installation files.

    1. Navigate to the /opt directory.

    2. Delete the sectigo-pk-agent directory.

  5. (Optional) Delete the files and logs associated with the private key agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-pk-agent directory.

      This cannot be undone. When using Local key storage, you must back up or export your keys before deleting this directory to prevent losing your private keys. Only delete this directory if you want to completely remove all files and logs related to the agent.
  1. Remove the private key agent.

    sudo apt remove sectigo-pk-agent
  2. (Optional) Delete the files and logs associated with the private key agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-pk-agent directory.

      This cannot be undone. When using Local key storage, you must back up or export your keys before deleting this directory to prevent losing your private keys. Only delete this directory if you want to completely remove all files and logs related to the agent.
  1. Remove the private key agent.

    sudo yum remove sectigo-pk-agent
  2. (Optional) Delete the files and logs associated with the private key agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-pk-agent directory.

      This cannot be undone. When using Local key storage, you must back up or export your keys before deleting this directory to prevent losing your private keys. Only delete this directory if you want to completely remove all files and logs related to the agent.

Private key agent service commands

  • Windows

  • Linux ( SysVinit )

  • Linux ( systemd )

Command Description

Start

Start a private key agent:

sc start SectigoPkAgent

Stop

Stop a private key agent:

sc stop SectigoPkAgent

Query

Query the status of a private key agent:

sc query SectigoPkAgent
Command Description

Start

Start a private key agent:

sudo service sectigo-pk-agent start

Stop

Stop a private key agent:

sudo service sectigo-pk-agent stop

Restart

Restart a private agent:

sudo service sectigo-pk-agent restart

Status

Query the status of a private key agent:

sudo service sectigo-pk-agent status
Command Description

Start

Start a private key agent:

sudo systemctl start sectigo-pk-agent

Stop

Stop a private key agent:

sudo systemctl stop sectigo-pk-agent

Restart

Restart a private key agent:

sudo systemctl restart sectigo-pk-agent

Status

Query the status of a private key agent:

sudo systemctl status sectigo-pk-agent