Installing network agents

The network agent is distributed as a Windows Installer package, Linux self-extracting installer, Linux native packages, and Docker container.

Installation package, description, and auto-update support:

  • Windows Installer

    • Description: The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation. The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo.

    • Auto-update: Yes

  • Linux self-extracting installer

    • Description: The Linux self-extracting installer is a self-contained executable that has no external dependencies. The installer performs an integrity check before extracting.

    • Auto-update: Yes

  • Linux native packages (DEB/RPM)

    • Description: The Linux native packages use Linux package managers such as APT/DNF to pull the packages from Sectigo during installation. The DEB metadata and RPM package are digitally signed by Sectigo using GPG.

    • Auto-update: No

  • Docker container

    • Description: The Docker container offers a portable, self-contained deployment without manual installation.

    • Auto-update: No

Installation requirements

Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.

  • Windows

  • Linux

  • Docker

To install a network agent on Windows, the following requirements must be satisfied:

  • Local administrator rights

  • Windows Server:

    • 2016 (Standard, Datacenter)

    • 2019 (Standard, Datacenter)

    • 2022 (Standard, Datacenter)

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Network access:

    If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Certificate discovery: TCP port 443 or any port that serves up an SSL website

    • Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:

      • Local — N/A

      • Local (Legacy) — N/A

      • Remote (WinRM) — TCP port 5985

      • Remote (SSH) — TCP port 22

      • Remote (Legacy) — TCP ports 135 and 445

      • Remote (REST) — TCP port 443

    • If applicable, your credential store must be accessible from the network agent machine.

  • (Optional) Credential store:

    • Local credential store: No additional requirements

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Access token or AppRole RoleId and SecretId with permission to read the required secrets

      • Remote server authentication credentials are stored in the HashiCorp Vault secrets engine

      • Secrets must be added as key/value pairs using the following keys:

        • username — The username for the remote server.

        • password — The password for the remote server. This cannot be included in a secret containing a private_key_path.

        • private_key_path — The path to the private key file for the remote server. This cannot be included in a secret containing a password.

        • pass_phrase — The passphrase for the private key file if one is configured.

    • CyberArk Vault:

      • An active CyberArk Vault instance

      • A CyberArk Central Credential Provider instance connecting to the CyberArk Vault

      • (Certificate authentication only) A client private key and its certificate in .p12 format

      • An Application ID representing the network agent with permission to retrieve credentials

      • Remote server authentication credentials are stored in CyberArk Vault

    • Delinea Secret Server:

      • An active Delinea Secret Server instance

      • A user account with permission to read required secrets

      • Remote server login credentials are stored in Delinea Secret Server

To install a network agent on Linux, the following requirements must be satisfied:

  • sudo permissions

  • Linux OS:

    • CentOS Stream 8, Stream 9

    • RHEL 8.x, 9.x

    • Debian 11, 12

    • Ubuntu 18.04, 20.04, 22.04

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Network access:

    If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible. Additionally, the ephemeral port range for local connections may vary depending on your Linux distribution.
    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Certificate discovery: TCP port 443 or any port that serves up an SSL website

    • Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:

      • Local — N/A

      • Remote (WinRM) — TCP port 5985

      • Remote (SSH) — TCP port 22

      • Remote (REST) — TCP port 443

    • If applicable, your credential store must be accessible from the network agent machine.

  • (Optional) Credential store:

    • Local credential store: No additional requirements

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Access token or AppRole RoleId and SecretId with permission to read the required secrets

      • Remote server authentication credentials are stored in the HashiCorp Vault secrets engine

    • CyberArk Vault:

      • An active CyberArk Vault instance

      • A CyberArk Central Credential Provider instance connecting to the CyberArk Vault

      • (Certificate authentication only) A client private key and its certificate in .p12 format

      • An Application ID representing the network agent with permission to retrieve credentials

      • Remote server authentication credentials are stored in CyberArk Vault

    • Delinea Secret Server:

      • An active Delinea Secret Server instance

      • A user account with permission to read required secrets

      • Remote server authentication credentials are stored in Delinea Secret Server

To run a network agent on Docker, the following requirements must be satisfied:

  • Docker engine installed

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Network access:

    If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Certificate discovery: TCP port 443 or any port that serves up an SSL website

    • If applicable, your credential store must be accessible from the network agent machine.

  • (Optional) Credential store:

    • Local credential store: No additional requirements

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Access token or AppRole RoleId and SecretId with permission to read the required secrets

      • Remote server authentication credentials are stored in the HashiCorp Vault secrets engine

    • CyberArk Vault:

      • An active CyberArk Vault instance

      • A CyberArk Central Credential Provider instance connecting to the CyberArk Vault

      • (Certificate authentication only) A client private key and its certificate in .p12 format

      • An Application ID representing the network agent with permission to retrieve credentials

      • Remote server authentication credentials are stored in CyberArk Vault

    • Delinea Secret Server:

      • An active Delinea Secret Server instance

      • A user account with permission to read required secrets

      • Remote server authentication credentials are stored in Delinea Secret Server

Add a network agent to SCM

  1. Navigate to Integrations > Network Agents and click the Add icon.

  2. In the Add Network Agent dialog, provide a name to help identify the agent.

  3. Select the organization and department under which to place the agent.

  4. Click Next.

  5. Copy the installation token for use during installation.

  6. Download the agent with the Windows or Linux Self-Extracting installation package link.

    Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.
  7. Click Save.

The agent should now be listed on the Network Agents page with a status of Pending.

Install a network agent

  • Windows

  • Windows (CLI)

  • Linux Self-Extracting

  • Linux APT (DEB)

  • Linux DNF (RPM)

  • Docker

Windows

  1. Run the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  2. Read the EULA, select I agree to the license terms and conditions, and click Install.

  3. Click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. Click Next, and paste the agent installation token.

    If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
  6. Click Next.

  7. (Optional) Select Use Proxy and enter your proxy details based on the information provided in the following list.

    • Proxy PAC URL: The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.

    • Proxy Host: The hostname or IP address of your proxy server.

    • Proxy Port: The port number used by your proxy server.

    • Proxy Domain: (NTLM proxy authentication only) The domain for accessing the proxy server.

    • Proxy User: The username for accessing the proxy server, if configured to use credentials.

    • Proxy Password: The password for accessing the proxy server, if configured to use credentials.

  8. Click Next.

  9. (Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.

  10. Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.
A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.

Windows (CLI)

  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  3. Modify the installation command as needed.

    .\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=

    Options without an included value are ignored. The command options are outlined in the following list.

    • /i: Initiates installation of the agent through the bootstrap application.

    • /q: Runs the installation in silent mode so no interaction is required.

    • PROPERTY_AUTOUPDATE: Indicates whether the agent should automatically update. If you do not include this command option, the default value of 1 (Yes) is applied. The possible values are:

      • 1 (Yes)

      • Empty (No)

    • PROPERTY_TOKEN: The mandatory installation token.

    • PROPERTY_USE_PROXY: Indicates whether you are using a proxy server. The possible values are:

      • 1 (Yes)

      • Empty (No)

    • PROPERTY_PROXY_PAC_URL: The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of specifying values for the PROPERTY_PROXY_HOST, PROPERTY_PROXY_PORT, PROPERTY_PROXY_USER, and PROPERTY_PROXY_PASSWORD options.

    • PROPERTY_PROXY_HOST: The hostname or IP address of your proxy server.

    • PROPERTY_PROXY_PORT: The port number used by your proxy server.

    • PROPERTY_PROXY_DOMAIN: (NTLM proxy authentication only) The domain for accessing the proxy server.

    • PROPERTY_PROXY_USER: The username for accessing the proxy server, if configured to use credentials.

    • PROPERTY_PROXY_PASSWORD: The password for accessing the proxy server, if configured to use credentials.

  4. Run the modified installation command.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.
A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.

Linux Self-Extracting

  1. Give execute permission to the installer binary.

    chmod +x sectigo-network-agent.bin
  2. Run the installer.

    sudo ./sectigo-network-agent.bin
  3. Accept the EULA.

  4. When prompted, paste the agent installation token.

  5. (Optional) Enter your proxy details based on the information provided in the following list.

    • Proxy PAC URL: The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.

    • Proxy Host: The hostname or IP address of your proxy server.

    • Proxy Port: The port number used by your proxy server.

    • Proxy Domain: (NTLM proxy authentication only) The domain for accessing the proxy server.

    • Proxy User: The username for accessing the proxy server, if configured to use credentials.

    • Proxy Password: The password for accessing the proxy server, if configured to use credentials.

  6. Select whether auto-update should be enabled. It is enabled by default.

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.

Linux APT (DEB)

Linux native packages do not support auto-update.

  1. Add the GPG key to your system.

    curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
  2. Verify the GPG key.

    gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg

    The GPG key fingerprint should match the following:

    FCB9 DC04 DE50 2CBA 0F39  BFAF BFB4 716B 93A8 397B

  3. Add the repository.

    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
  4. Update the local package index.

    sudo apt-get update
  5. Install the network agent.

    sudo apt-get install sectigo-network-agent
  6. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  7. When prompted, paste the agent installation token.

  8. (Optional) Enter your proxy details based on the information provided in the following list.

    • Proxy PAC URL: The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.

    • Proxy Host: The hostname or IP address of your proxy server.

    • Proxy Port: The port number used by your proxy server.

    • Proxy Domain: (NTLM proxy authentication only) The domain for accessing the proxy server.

    • Proxy User: The username for accessing the proxy server, if configured to use credentials.

    • Proxy Password: The password for accessing the proxy server, if configured to use credentials.

  9. Start the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent start
    • systemd Linux:

      sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
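
A scripted form of the fingerprint check in step 2 of the APT procedure, added here as an example (it is not Sectigo's code). The function names and the sample listing are constructed for illustration; the comparison ignores spacing and case, so it also accepts the lowercase form in which this page prints the RPM key fingerprint.

```sh
#!/bin/sh
# Added example: fail closed unless the keyring holds exactly one primary key
# and its fingerprint equals the value published in step 2.

# Fingerprint as printed in step 2 of the APT procedure.
EXPECTED_APT_FPR='FCB9 DC04 DE50 2CBA 0F39  BFAF BFB4 716B 93A8 397B'

# Constructed `gpg --with-colons` listing (only the fields the parser reads
# are filled in; it is not output captured from the real key file).
SAMPLE_LISTING='pub:-:0:0:BFB4716B93A8397B:0:
fpr:::::::::FCB9DC04DE502CBA0F39BFAFBFB4716B93A8397B:
uid:-::::0::::constructed sample uid:
sub:-:0:0:0000000000000000:0:
fpr:::::::::0000000000000000000000000000000000000000:'

# Strip all whitespace and upper-case, so spaced, unspaced, upper- and
# lower-case renderings of one fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Print the fingerprint of each primary key in a colon listing on stdin:
# the fpr record that follows a pub record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_keyring_listing EXPECTED < colon-listing
# Returns 0 on match, 1 on mismatch, 2 if the file does not hold exactly one
# primary key (apt trusts every key in a signed-by keyring, so an extra key
# matters even when the expected one is also present).
check_keyring_listing() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected 1 primary key, found $count" >&2
        return 2
    fi
    if [ "$(normalize_fpr "$found")" != "$expected" ]; then
        echo "refusing: fingerprint mismatch: $found" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed listing.
if printf '%s\n' "$SAMPLE_LISTING" | check_keyring_listing "$EXPECTED_APT_FPR"; then
    echo "sample listing: fingerprint OK"
fi

# Real use, between steps 1 and 3 of the APT procedure:
#   gpg --show-keys --with-colons /usr/share/keyrings/sectigo-archive-keyring.gpg \
#     | check_keyring_listing "$EXPECTED_APT_FPR" || exit 1
```

Running the check before step 3 means the repository is never added with a `signed-by` keyring that has not been compared against the published fingerprint.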

Linux DNF (RPM)

Linux native packages do not support auto-update.

  1. Add the repository.

    sudo dnf config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
  2. Install the network agent.

    sudo dnf install sectigo-network-agent

    When prompted to accept the GPG key, confirm the fingerprint matches the following:

    0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

  3. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  4. When prompted, paste the agent installation token.

  5. (Optional) Enter your proxy details based on the information provided in the following list.

    • Proxy PAC URL: The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.

    • Proxy Host: The hostname or IP address of your proxy server.

    • Proxy Port: The port number used by your proxy server.

    • Proxy Domain: (NTLM proxy authentication only) The domain for accessing the proxy server.

    • Proxy User: The username for accessing the proxy server, if configured to use credentials.

    • Proxy Password: The password for accessing the proxy server, if configured to use credentials.

  6. Start the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent start
    • systemd Linux:

      sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.

Docker

The Docker container does not support auto-update.

  1. Create a directory on your Docker host machine for network agent data.

    sudo mkdir /var/opt/network-agent-data
  2. Register the network agent with the agent installation token.

    docker run --rm -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest register --token <token>
  3. Run the network agent.

    docker run -d --name sectigo-network-agent -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest
  4. Configure SSL trusted issuers.

    The agent uses the certificates file inside the container image, so host trust updates are not recognized and changes inside the container won’t persist. To use the host’s trusted CAs, mount the host’s certificates file and override the SSL_CERT_FILE environment variable.

    For example, on Debian, add the following options to the docker run command:

    -v /etc/ssl/certs/ca-certificates.crt:/certs/ca-certificates.crt -e SSL_CERT_FILE=/certs/ca-certificates.crt
  5. Configure the network agent.

    Most agent configuration commands require direct communication with the agent service. Therefore, sectigona-config commands must be executed inside the running container. This command allows you to interact with the agent’s configuration directly, providing the ability to manage credential stores and other agent-specific settings.

    For example, to list the available credential stores, execute the following command:

    docker exec sectigo-network-agent sectigona-config credstore list

The agent should now be listed on the Network Agents page with a status of Connected.