Installing network agents

The network agent is distributed as a Windows Installer package, Linux self-extracting installer, and Linux native packages.

Installation package, description, and auto-update support:

  • Windows Installer

    • Description: The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation. The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo.

    • Auto-update: Yes

  • Linux self-extracting installer

    • Description: The Linux self-extracting installer is a self-contained executable that has no external dependencies. The installer performs an integrity check before extracting.

    • Auto-update: Yes

  • Linux native packages (DEB/RPM)

    • Description: The Linux native packages use Linux package managers such as APT/YUM to pull the packages from Sectigo during installation. The DEB metadata and RPM package are digitally signed by Sectigo using GPG.

    • Auto-update: No

Installation requirements

Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.


To install a network agent on Windows, the following requirements must be satisfied:

  • Local administrator rights

  • Windows Server:

    • 2012

    • 2016 (Standard, Datacenter)

    • 2019 (Standard, Datacenter)

    • 2022 (Standard, Datacenter)

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Certificate discovery: TCP port 443 (default) or any port that serves up an SSL website

    • Node discovery & auto installation: TCP ports 135, 445, and randomly allocated high ports 49152-65535

  • (Optional) Credential store:

    • Local credential store: No additional requirements

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Access token or AppRole RoleId and SecretId with permission to read the required secrets

      • Remote server authentication credentials are stored in the HashiCorp Vault secrets engine

      • Secrets must be added as key/value pairs using the following keys:

        • username — The username for the remote server.

        • password — The password for the remote server. This cannot be included in a secret containing a private_key_path.

        • private_key_path — The path to the private key file for the remote server. This cannot be included in a secret containing a password.

        • pass_phrase — The passphrase for the private key file if one is configured.

    • CyberArk Vault:

      • An active CyberArk Vault instance

      • A CyberArk Central Credential Provider instance connecting to the CyberArk Vault

      • (Certificate authentication only) A client private key and its certificate in .p12 format

      • An Application ID representing the network agent with permission to retrieve credentials

      • Remote server authentication credentials are stored in CyberArk Vault

To install a network agent on Linux, the following requirements must be satisfied:

  • sudo permissions

  • Linux OS:

    • CentOS 7.x, Stream 8, Stream 9

    • RHEL 7.x, 8.x, 9.x

    • Debian 10, 11, 12

    • Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

    • Certificate discovery: TCP port 443 (default) or any port that serves up an SSL website

    • Node discovery & auto installation: TCP port 22 (default SSH port)

  • (Optional) Credential store:

    • Local credential store: No additional requirements

    • HashiCorp Vault:

      • An active HashiCorp Vault instance

      • Access token or AppRole RoleId and SecretId with permission to read the required secrets

      • Remote server authentication credentials are stored in the HashiCorp Vault secrets engine

    • CyberArk Vault:

      • An active CyberArk Vault instance

      • A CyberArk Central Credential Provider instance connecting to the CyberArk Vault

      • (Certificate authentication only) A client private key and its certificate in .p12 format

      • An Application ID representing the network agent with permission to retrieve credentials

      • Remote server authentication credentials are stored in CyberArk Vault

Add a network agent to SCM

  1. Navigate to Integrations > Network Agents and click the Add icon.

  2. In the Add Network Agent dialog, provide a name to help identify the agent.

  3. Select the organization and department under which to place the agent.

  4. Click Next.

  5. Copy the installation token for use during installation.

  6. Download the agent with the Windows or Linux Self-Extracting installation package link.

    Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.
  7. Click Save.

The agent should now be listed on the Network Agents page with a status of Pending.


Install a network agent

  • Windows

  • Windows (CLI)

  • Linux Self-Extracting

  • Linux APT (DEB)

  • Linux YUM (RPM)

Windows

  1. Run the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  2. Read the EULA, select I agree to the license terms and conditions, and click Install.

  3. Click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

  6. Click Next, and paste the agent installation token.

    If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
  7. Click Next.

  8. (Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

    Field Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  9. Click Next.

  10. (Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.

  11. Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.

Windows (CLI)

  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  3. Modify the installation command as needed.

    .\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=

    Options without an included value are ignored. The command options are outlined in the following table.

    Option Description

    /i

    Initiates installation of the agent through the bootstrap application

    /q

    Runs the installation in silent mode so no interaction is required

    PROPERTY_AUTOUPDATE

    Indicates whether the agent should automatically update

    The possible values are:

    • 1 (Yes)

    • Empty (No)

    If you do not include this command option, the default value of 1 (Yes) is applied.

    PROPERTY_TOKEN

    The mandatory installation token

    PROPERTY_USE_PROXY

    Indicates whether you are using a proxy server

    • 1 (Yes)

    • Empty (No)

    PROPERTY_PROXY_PAC_URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of specifying values for the PROPERTY_PROXY_HOST, PROPERTY_PROXY_PORT, PROPERTY_PROXY_USER, and PROPERTY_PROXY_PASSWORD options.

    PROPERTY_PROXY_HOST

    The hostname or IP address of your proxy server

    PROPERTY_PROXY_PORT

    The port number used by your proxy server

    PROPERTY_PROXY_USER

    The username for accessing the proxy server if configured to use credentials

    PROPERTY_PROXY_PASSWORD

    The password for accessing the proxy server if configured to use credentials

  4. Run the modified installation command.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.

Linux Self-Extracting

  1. Give execute permission to the installer binary.

    chmod +x sectigo-network-agent.bin
  2. Run the installer.

    sudo ./sectigo-network-agent.bin
  3. Accept the EULA.

  4. When prompted, paste the agent installation token.

  5. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  6. Select if auto update should be enabled. It is enabled by default.

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

Linux APT (DEB)

Linux native packages do not support auto-update.

  1. Add the GPG key to your system.

    curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
  2. Verify the GPG key.

    gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg

    The GPG key fingerprint should match the following:

    FCB9 DC04 DE50 2CBA 0F39  BFAF BFB4 716B 93A8 397B

  3. Add the repository.

    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
  4. Update the local package index.

    sudo apt-get update
  5. Install the network agent.

    sudo apt-get install sectigo-network-agent
  6. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  7. When prompted, paste the agent installation token.

  8. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  9. Start the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent start
    • systemd Linux:

      sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

Linux YUM (RPM)

Linux native packages do not support auto-update.

  1. Add the repository.

    sudo yum-config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
  2. Install the network agent.

    sudo yum install sectigo-network-agent

    When prompted to accept the GPG key, confirm the fingerprint matches the following:

    0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

  3. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  4. When prompted, paste the agent install token.

  5. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  6. Start the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent start
    • systemd Linux:

      sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
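
The fingerprint checks in the APT and YUM procedures above can be scripted so that provisioning stops when a signing key does not match. The following is an added example, not Sectigo's tooling: the function names and the sample key listings are constructed for illustration, and only the two fingerprints are taken from this page.

```shell
#!/bin/sh
# Added example (not vendor code): pin a repository signing key by its full
# fingerprint before trusting it. All function names here are hypothetical.

# Fingerprints exactly as published on this page.
APT_FPR="FCB9 DC04 DE50 2CBA 0F39  BFAF BFB4 716B 93A8 397B"
RPM_FPR="0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659"

# normalize_fpr FPR: drop whitespace and upper-case, so the spaced form shown
# by gpg and the compact form in --with-colons output compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint of every primary key. The `fpr` record that follows a `pub`
# record belongs to the primary key; one that follows a `sub` record belongs
# to a subkey and is skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# keyring_is_pinned EXPECTED: succeed only when stdin lists exactly one
# primary key and its fingerprint equals EXPECTED. Extra keys fail the check
# because apt's signed-by= trusts every key in the keyring file.
# The body is a subshell, so its variables do not leak into the caller.
keyring_is_pinned() (
    expected=$(normalize_fpr "$1")
    # Accept only a full 40-hex-digit fingerprint, so a short key ID can
    # never be used as the pin.
    case "$expected" in
        ''|*[!0-9A-F]*) exit 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || exit 1
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] && [ "$found" = "$expected" ]
)

# check_key_file FILE EXPECTED: the same check against a real key or keyring
# file, using the `gpg --show-keys` command from the APT procedure.
check_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | keyring_is_pinned "$2"
}

# Constructed sample listings in gpg's colon format (records trimmed; not
# real gpg output). The first holds one primary key and one subkey.
SAMPLE_ONE_KEY='pub:-:4096:1:BFB4716B93A8397B:1577836800:::-:::scSC:
fpr:::::::::FCB9DC04DE502CBA0F39BFAFBFB4716B93A8397B:
uid:-::::1577836800::::Constructed Example Signing Key:
sub:-:4096:1:1111111111111111:1577836800::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'

# The second adds an unexpected extra primary key to the same keyring.
SAMPLE_TWO_KEYS="$SAMPLE_ONE_KEY
pub:-:4096:1:2222222222222222:1577836800:::-:::scSC:
fpr:::::::::2222222222222222222222222222222222222222:"

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_ONE_KEY" | keyring_is_pinned "$APT_FPR"; then
    echo "one key, matching fingerprint: accept"
fi
if ! printf '%s\n' "$SAMPLE_TWO_KEYS" | keyring_is_pinned "$APT_FPR"; then
    echo "extra key in keyring: reject"
fi
```

In the APT procedure, `check_key_file /usr/share/keyrings/sectigo-archive-keyring.gpg "$APT_FPR"` can run right after the key is added, with the repository step skipped on a non-zero exit status. The same function applies to the RPM signing key file with `"$RPM_FPR"`.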

Updating network agents

Update to a new agent version

  • Windows

  • Linux Self-Extracting

  • Linux YUM (RPM)

  • Linux APT (DEB)

Windows

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download Network Agent icon and select Windows.

  4. (Optional) If required, move the Sectigo_Network_Agent.exe file to the install location of the existing network agent.

  5. Right-click Sectigo_Network_Agent.exe and click Install.

    The package automatically recognizes that there’s an existing version of the network agent and initiates an update instead of a new install.

  6. Read the EULA, select I agree to the license terms and conditions, and click Install.

  7. Click Next.

  8. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  9. (Optional) Specify an installation location.

  10. Click Next, Install, and Close.

  11. In SCM, navigate to the Network Agents page and verify that the agent is connected and showing the correct version.

Linux Self-Extracting

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download Network Agent icon and select Linux Self-Extracting.

  4. (Optional) If required, move the sectigo-network-agent.bin file to the install location of the existing network agent.

  5. Give execute permission to the installer binary.

    chmod +x sectigo-network-agent.bin
  6. Run the installer.

    sudo ./sectigo-network-agent.bin -- --upgrade
  7. In SCM, navigate to the Network Agents page and verify that the agent is connected and showing the correct version.

Linux YUM (RPM)

  1. Run the update package.

    sudo yum update sectigo-network-agent
  2. In SCM, navigate to the Network Agents page and verify that the agent is connected and showing the correct version.

Linux APT (DEB)

  1. Run the update package.

    sudo apt-get update && sudo apt install --only-upgrade sectigo-network-agent
  2. In SCM, navigate to the Network Agents page and verify that the agent is connected and showing the correct version.

Update autoupdate settings

  • Windows (CLI)

  • Linux Self-Extracting

Windows (CLI)

  1. In a command prompt, navigate to the network agent install location.

  2. (Optional) View the current network agent configuration.

    sectigona-config.exe autoupdate get
  3. Update the network agent configuration.

    Action Command

    Disable autoupdate

    sectigona-config.exe autoupdate disable

    Enable autoupdate

    sectigona-config.exe autoupdate enable
  4. Restart the network agent service.

    sc stop SectigoNetworkAgent
    sc start SectigoNetworkAgent
  5. Confirm the updated network agent configuration.

    sectigona-config.exe autoupdate get

Linux Self-Extracting

  1. In a terminal, navigate to the network agent install location.

  2. (Optional) View the current network agent configuration.

    sudo sectigona-config autoupdate get
  3. Update the network agent configuration.

    Action Command

    Disable autoupdate

    sudo sectigona-config autoupdate disable

    Enable autoupdate

    sudo sectigona-config autoupdate enable
  4. Restart the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-network-agent
  5. Confirm the updated network agent configuration.

    sudo sectigona-config autoupdate get

Update proxy server details


  • Windows (CLI)

  • Linux

Windows (CLI)

To update the proxy server information for your existing network agent, do the following:

  1. In a command prompt, navigate to the network agent install location.

  2. (Optional) View the current network agent configuration.

    sectigona-config.exe proxy get
  3. Update the network agent configuration.

    Action Command

    Clear proxy settings

    sectigona-config.exe proxy set

    Set PAC URL

    sectigona-config.exe proxy set --pacurl <pac-url>

    Set proxy host and port without access credentials

    sectigona-config.exe proxy set --host <host> --port <port>

    Set proxy host and port with access credentials

    sectigona-config.exe proxy set --host <host> --port <port> --user <username> --password <password>
  4. Restart the network agent service.

    sc stop SectigoNetworkAgent
    sc start SectigoNetworkAgent
  5. Confirm the updated network agent configuration.

    sectigona-config.exe proxy get

Linux

To update the proxy server information for your existing network agent, do the following:

  1. In a terminal, navigate to the network agent install location.

  2. (Optional) View the current network agent configuration.

    sudo sectigona-config proxy get
  3. Update the network agent configuration.

    Action Command

    Clear proxy settings

    sudo sectigona-config proxy set

    Set PAC URL

    sudo sectigona-config proxy set --pacurl <pac-url>

    Set proxy host and port without access credentials

    sudo sectigona-config proxy set --host <host> --port <port>

    Set proxy host and port with access credentials

    sudo sectigona-config proxy set --host <host> --port <port> --user <username> --password <password>
  4. Restart the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-network-agent
  5. Confirm the updated network agent configuration.

    sudo sectigona-config proxy get

Configuring credential stores

Sectigo network agents can be configured to utilize local or external credential stores for use when connecting to remote servers. Using a credential store enables you to securely store and manage credentials for remote servers without ever providing the credentials in SCM directly.

Sectigo network agents support the following credential stores:

Adding credential stores

Once a network agent has been installed, you can add a connection between the agent and a credential store.

Add a Local credential store

  • Windows (CLI)

  • Linux

Windows (CLI)

A local credential store named sectigo-store is automatically created when you install a network agent. You can add additional credential stores as needed.

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the following command to include a --storename for your new local credential store.

    sectigona-config.exe credstore add local --storename <store-name>
  3. Run the modified command.

Once you have added a local credential store, you must add credentials before it can be used. For more information, see Adding credentials to a local credential store.

Linux

A local credential store named sectigo-store is automatically created when you install a network agent. You can add additional credential stores as needed.

  1. In a terminal, navigate to the network agent install location.

  2. Modify the following command to include a --storename for your new local credential store.

    sudo sectigona-config credstore add local --storename <store-name>
  3. Run the modified command.

Once you have added a local credential store, you must add credentials before it can be used. For more information, see Adding credentials to a local credential store.

Add a HashiCorp Vault credential store

  • Windows (CLI)

  • Linux

Windows (CLI)

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify one of the following commands based on your preferred authentication method.

    • Token authentication:

      sectigona-config.exe credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype Token --token <token> --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to Token for this method

      --token

      The token for Token authentication

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

    • AppRoleSecret authentication:

      sectigona-config.exe credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype AppRoleSecret --roleid <role-id> --secretid <secret-id> --appwrapped [Yes/No] --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to AppRoleSecret for this method

      --roleid

      The HashiCorp AppRole RoleID

      Required when --authtype is set to AppRoleSecret or AppRoleFile

      --secretid

      The HashiCorp AppRole SecretID

      Required when --authtype is set to AppRoleSecret

      --appwrapped

      Whether the AppRole SecretId is token wrapped or not

      Can be Yes or No

      Required when authtype is set to AppRoleSecret or AppRoleFile

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

    • AppRoleFile authentication:

      sectigona-config.exe credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype AppRoleFile --roleid <role-id> --secretfile <secret-file> --appwrapped [Yes/No] --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to AppRoleFile for this method

      --roleid

      The HashiCorp AppRole RoleID

      Required when --authtype is set to AppRoleSecret or AppRoleFile

      --secretfile

      The path of a file containing the HashiCorp AppRole SecretID

      Required when --authtype is set to AppRoleFile

      --appwrapped

      Whether the AppRole SecretId is token wrapped or not

      Can be Yes or No

      Required when authtype is set to AppRoleSecret or AppRoleFile

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

  3. Run the modified command.

Once you have added the credential store, you must add servers to the network agent and configure them to use the credential store. For more information, see Adding servers to the network agent.

Linux

  1. In a terminal, navigate to the network agent install location.

  2. Modify one of the following commands based on your preferred authentication method.

    • Token authentication:

      sudo sectigona-config credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype Token --token <token> --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to Token for this method

      --token

      The token for Token authentication

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

    • AppRoleSecret authentication:

      sudo sectigona-config credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype AppRoleSecret --roleid <role-id> --secretid <secret-id> --appwrapped [Yes/No] --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to AppRoleSecret for this method

      --roleid

      The HashiCorp AppRole RoleID

      Required when --authtype is set to AppRoleSecret or AppRoleFile

      --secretid

      The HashiCorp AppRole SecretID

      Required when --authtype is set to AppRoleSecret

      --appwrapped

      Whether the AppRole SecretId is token wrapped or not

      Can be Yes or No

      Required when authtype is set to AppRoleSecret or AppRoleFile

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

    • AppRoleFile authentication:

      sudo sectigona-config credstore add hashicorp --storename <store-name> --vaulturl <vault-url> --authtype AppRoleFile --roleid <role-id> --secretfile <secret-file> --appwrapped [Yes/No] --rootpath <root-path> --verify <path-of-secret>
      Option Description

      --storename

      The name of your HashiCorp Vault credential store

      --vaulturl

      The URL of your HashiCorp Vault

      --authtype

      The authentication type

      Set this to AppRoleFile for this method

      --roleid

      The HashiCorp AppRole RoleID

      Required when --authtype is set to AppRoleSecret or AppRoleFile

      --secretfile

      The path of a file containing the HashiCorp AppRole SecretID

      Required when --authtype is set to AppRoleFile

      --appwrapped

      Whether the AppRole SecretId is token wrapped or not

      Can be Yes or No

      Required when authtype is set to AppRoleSecret or AppRoleFile

      --rootpath

      The root path for the secret in the credential store

      --verify

      The optional path of the secret used to verify its existence

  3. Run the modified command.

Once you have added the credential store, you must add servers to the network agent and configure them to use the credential store. For more information, see Adding servers to the network agent.

Add a CyberArk Vault credential store

  • Windows (CLI)

  • Linux

Windows (CLI)

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the add command as needed.

    • Machine address authentication:

      sectigona-config.exe credstore add cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url> --verify <query-string>
      Option Description

      --storename

      The name of your CyberArk credential store

      --appid

      The application ID for CyberArk authentication

      --ccpurl

      The URL of your CyberArk Central Credential Provider

      --verify

      The optional query string of the secret used to verify its existence

    • Certificate authentication:

      sectigona-config.exe credstore add cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url> --authcert <authcert-file-path> --certpass <password-of-authcert> --verify <query-string>
      Option Description

      --storename

      The name of your CyberArk credential store

      --appid

      The application ID for CyberArk authentication

      --ccpurl

      The URL of your CyberArk Central Credential Provider

      --authcert

      The file path for the authentication certificate

      --certpass

      The password of the authentication certificate

      --verify

      The optional query string of the secret used to verify its existence

  3. Run the modified command.

Once you have added the credential store, you must add servers to the network agent and configure them to use the credential store. For more information, see Adding servers to the network agent.

Linux

  1. In a terminal, navigate to the network agent install location.

  2. Modify the add command as needed.

    • Machine address authentication:

      sudo sectigona-config credstore add cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url> --verify <query-string>
      Option Description

      --storename

      The name of your CyberArk credential store

      --appid

      The application ID for CyberArk authentication

      --ccpurl

      The URL of your CyberArk Central Credential Provider

      --verify

      The optional query string of the secret used to verify its existence

    • Certificate authentication:

      sudo sectigona-config credstore add cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url> --authcert <authcert-file-path> --certpass <password-of-authcert> --verify <query-string>
      Option Description

      --storename

      The name of your CyberArk credential store

      --appid

      The application ID for CyberArk authentication

      --ccpurl

      The URL of your CyberArk Central Credential Provider

      --authcert

      The file path for the authentication certificate

      --certpass

      The password of the authentication certificate

      --verify

      The optional query string of the secret used to verify its existence

  3. Run the modified command.

Once you have added the credential store, you must add servers to the network agent and configure them to use the credential store. For more information, see Adding servers to the network agent.

Managing local credential stores

Unlike external credential stores, local credential stores are managed entirely through the network agent command line tool. Once a local store is created, you can add, update, or remove credentials as needed.

Add credentials to a local credential store

  • Windows ( CLI )

  • Linux

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename, --id, and --username with the appropriate accompanying credential option(s).

    sectigona-config.exe credstore credentials add --storename <store-name> --id <id> --username <username> --password <password> --privatekeypath <private-key-path> --passphrase <passphrase>
    Option Description

    --storename

    The name of your local credential store

    --id

    The ID of the credential

    --username

    The username for the credential

    --password

    The password for the credential

    Required if --privatekeypath is not provided

    --privatekeypath

    The path to the private key for the credential

    Required if --password is not provided

    --passphrase

    The passphrase for the private key

    Required if --privatekeypath is provided and configured with a passphrase

  3. Run the modified command.

  1. In a terminal, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename, --id, and --username with the appropriate accompanying credential option(s).

    sudo sectigona-config credstore credentials add --storename <store-name> --id <id> --username <username> --password <password> --privatekeypath <private-key-path> --passphrase <passphrase>
    Option Description

    --storename

    The name of your local credential store

    --id

    The ID of the credential

    --username

    The username for the credential

    --password

    The password for the credential

    Required if --privatekeypath is not provided

    --privatekeypath

    The path to the private key for the credential

    Required if --password is not provided

    --passphrase

    The passphrase for the private key

    Required if --privatekeypath is provided and configured with a passphrase

  3. Run the modified command.
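The "Required if" rules in the option tables above can be checked before the add command is run. The following script is an added example, not Sectigo code: its function names and return codes are assumptions, encrypted-key detection reads PEM headers only, and the owner-only permission check on the key file is this example's own precaution rather than a documented requirement.

```shell
#!/bin/sh
# Added example (not Sectigo code): pre-flight checks for
# "sectigona-config credstore credentials add". Return codes are this
# script's own convention.

# 0 if the PEM key at $1 declares itself encrypted: PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY") or traditional PEM ("Proc-Type: 4,ENCRYPTED").
# New-format OpenSSH keys do not show this in the header and are not detected.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if only the owner can access the key file (mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# check_cred_args <have-password: yes|no> <key-path or ""> <have-passphrase: yes|no>
#   0 ok | 2 neither --password nor --privatekeypath | 3 key file unreadable
#   4 key file accessible to group/others | 5 encrypted key without --passphrase
check_cred_args() {
    have_password=$1; key_path=$2; have_passphrase=$3
    if [ -z "$key_path" ]; then
        if [ "$have_password" = yes ]; then return 0; else return 2; fi
    fi
    [ -r "$key_path" ] || return 3
    key_perms_ok "$key_path" || return 4
    if key_is_encrypted "$key_path" && [ "$have_passphrase" != yes ]; then
        return 5
    fi
    return 0
}

# Read a secret from the terminal without echo, so it stays out of shell
# history. It is still passed to the CLI as an argument, which is the only
# input method this page documents.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r secret; stty echo
    printf '\n' >&2
    printf '%s' "$secret"
}

# add_key_credential <store-name> <id> <username> <private-key-path>
add_key_credential() {
    store=$1; cred_id=$2; user=$3; key=$4
    check_cred_args no "$key" yes || return $?   # file and permission checks
    set -- --storename "$store" --id "$cred_id" --username "$user" \
        --privatekeypath "$key"
    if key_is_encrypted "$key"; then
        set -- "$@" --passphrase "$(prompt_secret "Passphrase for $key")"
    fi
    sudo sectigona-config credstore credentials add "$@"
}
```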

Update credentials in a local credential store

  • Windows ( CLI )

  • Linux

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename, --id, and the additional options you want to update.

    sectigona-config.exe credstore credentials update --storename <store-name> --id <id> --username <username> --password <password> --privatekeypath <private-key-path> --passphrase <passphrase>
    Option Description

    --storename

    The name of your local credential store

    --id

    The ID of the credential

    --username

    The username for the credential

    --password

    The password for the credential

    --privatekeypath

    The path to the private key for the credential

    --passphrase

    The passphrase for the private key

    Required if --privatekeypath is provided and configured with a passphrase that changed or hasn’t been provided

  3. Run the modified command.

  1. In a terminal, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename, --id, and the additional options you want to update.

    sudo sectigona-config credstore credentials update --storename <store-name> --id <id> --username <username> --password <password> --privatekeypath <private-key-path> --passphrase <passphrase>
    Option Description

    --storename

    The name of your local credential store

    --id

    The ID of the credential

    --username

    The username for the credential

    --password

    The password for the credential

    --privatekeypath

    The path to the private key for the credential

    --passphrase

    The passphrase for the private key

    Required if --privatekeypath is provided and configured with a passphrase that changed or hasn’t been provided

  3. Run the modified command.

Remove credentials from a local credential store

  • Windows ( CLI )

  • Linux

  1. In SCM, verify that the credentials you want to remove are not in use by an added server.

  2. In a command prompt window, navigate to the network agent install location.

  3. Modify the following command to include the --storename and --id of the credentials you want to remove.

    sectigona-config.exe credstore credentials remove --storename <store-name> --id <id>
    Option Description

    --storename

    The name of your local credential store.

    --id

    The ID of the credential

  4. Run the modified command.

  1. In SCM, verify that the credentials you want to remove are not in use by an added server.

  2. In a terminal, navigate to the network agent install location.

  3. Modify the following command to include the --storename and --id of the credentials you want to remove.

    sudo sectigona-config credstore credentials remove --storename <store-name> --id <id>
    Option Description

    --storename

    The name of your local credential store

    --id

    The ID of the credential

  4. Run the modified command.

Updating credential stores

If required, you can update the connection between a network agent and an existing external credential store.

Update a HashiCorp Vault credential store

  • Windows ( CLI )

  • Linux

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename and any options you want to update.

    sectigona-config.exe credstore update hashicorp --storename <store-name> --vaulturl <vault-url> --authtype <Token/AppRoleSecret/AppRoleFile> --token <token> --rootpath <root-path> --roleid <role-id> --secretid <secret-id> --secretfile <secret-file> --appwrapped <Yes/No> --verify <path-of-secret>
    Option Description

    --storename

    The name of your HashiCorp Vault credential store

    Required for all authtype options

    --vaulturl

    The URL of your HashiCorp Vault

    --authtype

    The authentication type

    Set this to Token, AppRoleSecret, or AppRoleFile for the respective method

    If you are updating the authtype and the new type requires different parameters, you must provide the new parameters

    If you are updating the authtype and it reuses required parameters from the previous type that have not changed, you do not need to provide the parameters again

    --token

    The token for Token authentication.

    Required when authtype is set to Token

    --rootpath

    The root path for the secret in the credential store

    --roleid

    The HashiCorp AppRole RoleID

    Required when --authtype is set to AppRoleSecret or AppRoleFile

    --secretid

    The HashiCorp AppRole SecretID

    Required when --authtype is set to AppRoleSecret

    --secretfile

    The path of a file containing the HashiCorp AppRole SecretID

    Required when --authtype is set to AppRoleFile

    --appwrapped

    Whether the AppRole SecretId is token wrapped or not

    Can be Yes or No

    Required when authtype is set to AppRoleSecret or AppRoleFile

    --verify

    The optional path of the secret used to verify its existence

    Required for all authtype options

  3. Run the modified command.

  1. In a terminal, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename and any options you want to update.

    sudo sectigona-config credstore update hashicorp --storename <store-name> --vaulturl <vault-url> --authtype <Token/AppRoleSecret/AppRoleFile> --token <token> --rootpath <root-path> --roleid <role-id> --secretid <secret-id> --secretfile <secret-file> --appwrapped <Yes/No> --verify <path-of-secret>
    Option Description

    --storename

    The name of your HashiCorp Vault credential store

    Required for all authtype options

    --vaulturl

    The URL of your HashiCorp Vault

    --authtype

    The authentication type

    Set this to Token, AppRoleSecret, or AppRoleFile for the respective method

    If you are updating the authtype and the new type requires different parameters, you must provide the new parameters

    If you are updating the authtype and it reuses required parameters from the previous type that have not changed, you do not need to provide the parameters again

    --token

    The token for Token authentication

    Required when authtype is set to Token

    --rootpath

    The root path for the secret in the credential store

    --roleid

    The HashiCorp AppRole RoleID

    Required when --authtype is set to AppRoleSecret or AppRoleFile

    --secretid

    The HashiCorp AppRole SecretID

    Required when --authtype is set to AppRoleSecret

    --secretfile

    The path of a file containing the HashiCorp AppRole SecretID

    Required when --authtype is set to AppRoleFile

    --appwrapped

    Whether the AppRole SecretId is token wrapped or not

    Can be Yes or No

    Required when authtype is set to AppRoleSecret or AppRoleFile

    --verify

    The optional path of the secret used to verify its existence

    Required for all authtype options

  3. Run the modified command.

Update a CyberArk Vault credential store

  • Windows ( CLI )

  • Linux

  1. In a command prompt window, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename and any options you want to update.

    sectigona-config.exe credstore update cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url>  --authcert <authcert-file-path> --certpass <password-of-authcert> --verify <query-string>
    Option Description

    --storename

    The name of your CyberArk credential store

    --appid

    The application ID for CyberArk authentication

    --ccpurl

    The URL of your CyberArk Central Credential Provider

    --authcert

    The file path for the authentication certificate

    --certpass

    The password of the authentication certificate

    Required when authcert is used

    --verify

    The optional query string of the secret used to verify its existence

  3. Run the modified command.

  1. In a terminal, navigate to the network agent install location.

  2. Modify the following command to include the mandatory --storename and any options you want to update.

    sudo sectigona-config credstore update cyberark --storename <store-name> --appid <app-id> --ccpurl <ccp-url>  --authcert <authcert-file-path> --certpass <password-of-authcert> --verify <query-string>
    Option Description

    --storename

    The name of your CyberArk credential store

    --appid

    The application ID for CyberArk authentication

    --ccpurl

    The URL of your CyberArk Central Credential Provider

    --authcert

    The file path for the authentication certificate

    --certpass

    The password of the authentication certificate

    Required when authcert is used

    --verify

    The optional query string of the secret used to verify its existence

  3. Run the modified command.

Viewing credential stores and credentials

View credential stores

  • Windows ( CLI )

  • Linux

  1. In a command prompt window, navigate to the network agent install location.

  2. View all credential stores associated with the network agent.

    sectigona-config.exe credstore list
  1. In a terminal, navigate to the network agent install location.

  2. View all credential stores associated with the network agent.

    sudo sectigona-config credstore list

View credentials

  • Windows ( CLI )

  • Linux

  1. In a terminal, navigate to the network agent install location.

  2. View credentials in a specific credential store.

    • List all credentials from a local credential store.

      sectigona-config.exe credstore credentials list --storename <store-name>
    • Get specific credentials from a credential store.

      sectigona-config.exe credstore credentials get --storename <store-name> --id <id>
      Option Description

      --storename

      The name of the credential store

      --id

      The unique identifier of the credential

      • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider

        The ID format should be similar to the following:

        --id "<param1>=<value>;<param2>=<value>;..."
      • HashiCorp Vault — The ID is the path of the required secret in HashiCorp Vault. This path is relative to the --rootpath specified when adding the credential store

      • Local credential store — The ID is the unique identifying string of the credential in the local credential store

  1. In a terminal, navigate to the network agent install location.

  2. View credentials in a specific credential store.

    • List all credentials in a specific local store.

      sudo sectigona-config credstore credentials list --storename <store-name>
    • Get specific credentials from a credential store.

      sudo sectigona-config credstore credentials get --storename <store-name> --id <id>
      Option Description

      --storename

      The name of the credential store

      --id

      The unique identifier of the credential

      • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider

        The ID format should be similar to the following:

        --id "<param1>=<value>;<param2>=<value>;..."
      • HashiCorp Vault — The ID is the path of the required secret in HashiCorp Vault. This path is relative to the --rootpath specified when adding the credential store

      • Local credential store — The ID is the unique identifying string of the credential in the local credential store
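The two external-store ID formats described above, as an added example that is not Sectigo code. The function names, return codes and the rejection of absolute or ".." paths are this example's own assumptions, and the sample parameter values used with it are constructed.

```shell
#!/bin/sh
# Added example (not Sectigo code): sanity checks for --id values before
# they are passed to "credstore credentials get".

# cyberark_id_to_query "<param1>=<value>;<param2>=<value>;..."
# Validates the semicolon-separated pairs and prints them in query-string
# form (pairs joined with "&").
#   2 = empty ID, 3 = a pair is not name=value or contains "&"
cyberark_id_to_query() {
    rest=$1; out=
    [ -n "$rest" ] || return 2
    while [ -n "$rest" ]; do
        pair=${rest%%;*}
        case $rest in
            *';'*) rest=${rest#*;} ;;
            *)     rest= ;;
        esac
        [ -n "$pair" ] || continue      # tolerate a trailing or doubled ";"
        case $pair in
            *'&'*|=*) return 3 ;;       # "&" would split the pair; empty name
            *=*)      ;;
            *)        return 3 ;;       # no "=" at all
        esac
        out="${out:+$out&}$pair"
    done
    [ -n "$out" ] || return 3
    printf '%s\n' "$out"
}

# vault_secret_path <rootpath> <id>
# Joins the store's --rootpath with a credential ID, which the page defines
# as relative to that root. Absolute IDs and ".." segments return 2.
vault_secret_path() {
    root=${1%/}; id=$2
    case $id in
        ''|/*|..|../*|*/..|*/../*) return 2 ;;
    esac
    printf '%s/%s\n' "$root" "$id"
}
```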

Remove a credential store

  • Windows ( CLI )

  • Linux

  1. In SCM, verify that the credential store you want to remove is not in use by an added server.

  2. In a command prompt window, navigate to the network agent install location.

  3. Modify the following command to include the mandatory --storename of the credential store you want to remove.

    sectigona-config.exe credstore remove --storename <name>

    The default local credential store sectigo-store cannot be removed.

  4. Run the modified command.

  1. In SCM, verify that the credential store you want to remove is not in use by an added server.

  2. In a terminal, navigate to the network agent install location.

  3. Modify the following command to include the mandatory --storename of the credential store you want to remove.

    sudo sectigona-config credstore remove --storename <name>

    The default local credential store sectigo-store cannot be removed.

  4. Run the modified command.

Uninstall a network agent

  • Windows

  • Linux Self-Extracting

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

  1. Navigate to Settings > Apps & features.

  2. Search for Sectigo Network Agent.

  3. Select the Sectigo Network Agent and click Uninstall.

  4. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to C:\ProgramData\Sectigo.

    2. Delete the Network Agent folder.

      This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the agent.
  5. In SCM, navigate to Integrations > Network Agents.

  6. Select the agent you want to delete.

  7. Click the Delete icon.

  8. Click Delete again.

  1. Stop the network agent service.

    sudo service sectigo-network-agent stop
  2. Navigate to the /etc/init.d directory.

  3. Delete the sectigo-network-agent directory.

  4. Delete the network agent installation files.

    1. Navigate to the /opt directory.

    2. Delete the sectigo-network-agent directory.

  5. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  6. In SCM, navigate to Integrations > Network Agents.

  7. Select the agent you want to delete.

  8. Click Delete.

  9. Click Delete again.

  1. Remove the network agent.

    sudo apt remove sectigo-network-agent
  2. Remove the JRE.

    sudo apt remove sectigo-network-agent-jre
  3. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  4. In SCM, navigate to Integrations > Network Agents.

  5. Select the agent you want to delete.

  6. Click Delete.

  7. Click Delete again.

  1. Remove the network agent.

    sudo yum remove sectigo-network-agent
  2. Remove the JRE.

    sudo yum remove sectigo-network-agent-jre
  3. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  4. In SCM, navigate to Integrations > Network Agents.

  5. Select the agent you want to delete.

  6. Click Delete.

  7. Click Delete again.

Network agent service commands

  • Windows

  • Linux ( SysVinit )

  • Linux ( systemd )

Command Description

Start

Start a network agent:

sc start SectigoNetworkAgent

Stop

Stop a network agent:

sc stop SectigoNetworkAgent

Query

Query the status of a network agent:

sc query SectigoNetworkAgent
Command Description

Start

Start a network agent:

sudo service sectigo-network-agent start

Stop

Stop a network agent:

sudo service sectigo-network-agent stop

Restart

Restart a network agent:

sudo service sectigo-network-agent restart

Status

Query the status of a network agent:

sudo service sectigo-network-agent status
Command Description

Start

Start a network agent:

sudo systemctl start sectigo-network-agent

Stop

Stop a network agent:

sudo systemctl stop sectigo-network-agent

Restart

Restart a network agent:

sudo systemctl restart sectigo-network-agent

Status

Query the status of a network agent:

sudo systemctl status sectigo-network-agent

Custom Java Runtime Environments

In some rare circumstances, the default Java Runtime that Sectigo packages with the network agent might need to be customized. For example, this can happen if an HTTP proxy uses privately trusted certificates or requires authentication schemes that aren’t enabled by default.

  • Windows

  • Linux

  1. Navigate to your network agent install location and open the bin folder.

    The default install location is Local Disk (C:) > Program Files > Sectigo > Network Agent.
  2. Open the sectigonetworkagentw.exe file.

  3. Select the Java tab.

  4. Customize the Java Options using the information provided in the following table.

    JVM Parameter Description

    -Djavax.net.ssl.trustStore=path_to_keystore.jks

    Replaces the truststore used by the JVM when trusting SSL certificates

    Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)

    -Djdk.http.auth.proxying.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy

    -Djdk.http.auth.tunneling.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy using TLS

  5. Click OK.

  1. Create a file in /etc/opt/sectigo-network-agent named start-agent.ini

  2. Enter the required JVM parameters on separate lines using the information provided in the following table.

    JVM Parameter Description

    -Djavax.net.ssl.trustStore=path_to_keystore.jks

    Replaces the truststore used by the JVM when trusting SSL certificates

    Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)

    -Djdk.http.auth.proxying.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy

    -Djdk.http.auth.tunneling.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy using TLS

  3. Restart the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent restart
    • systemd Linux:

      sudo systemctl restart sectigo-network-agent
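One way to generate and check the Linux start-agent.ini described above, as an added example that is not Sectigo code. The function names and return codes are assumptions, the truststore is assumed to exist already, and the lint's permission check and allowlist of the three documented parameters are this example's own precautions.

```shell
#!/bin/sh
# Added example, not Sectigo code. Function names and return codes are this
# example's own; the file name and JVM parameters come from the steps above.

# write_start_agent_ini <config-dir> <truststore-path> [proxying] [tunneling]
# Writes one JVM parameter per line and only the scheme overrides asked for.
write_start_agent_ini() {
    dir=$1; ts=$2; shift 2
    [ -d "$dir" ] || return 2
    [ -r "$ts" ] || return 3            # truststore must already exist
    ini="$dir/start-agent.ini"
    printf '%s\n' "-Djavax.net.ssl.trustStore=$ts" > "$ini" || return 4
    for kind in "$@"; do
        case $kind in
            proxying|tunneling)
                printf '%s\n' "-Djdk.http.auth.$kind.disabledSchemes=\"\"" >> "$ini" ;;
            *)  rm -f "$ini"; return 5 ;;
        esac
    done
    chmod 644 "$ini"
}

# lint_start_agent_ini <file>
#   0 ok | 2 file missing | 3 writable by group or others
#   4 more than one parameter on a line | 5 truststore not readable
#   6 line is not one of the three documented parameters
lint_start_agent_ini() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        *[2367]?|*[2367]) return 3 ;;   # write bit set for group or others
    esac
    while IFS= read -r line; do
        case $line in
            '') ;;
            *' -D'*) return 4 ;;
            -Djavax.net.ssl.trustStore=*) [ -r "${line#*=}" ] || return 5 ;;
            '-Djdk.http.auth.proxying.disabledSchemes='*) ;;
            '-Djdk.http.auth.tunneling.disabledSchemes='*) ;;
            *) return 6 ;;
        esac
    done < "$1"
    return 0
}
```

Run the writer against a staging directory first, lint the result, then copy the file to /etc/opt/sectigo-network-agent and restart the service.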