Installing network agents

The network agent is distributed as a Windows Installer package, Linux self-extracting installer, Linux native packages, and Docker container.

Installation package	Description	Auto-update
Windows Installer	The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation. The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo.	Yes
Linux self-extracting installer	The Linux self-extracting installer is a self-contained executable that has no external dependencies. The installer performs an integrity check before extracting.	Yes
Linux native packages (DEB/RPM)	The Linux native packages use Linux package managers such as APT/DNF to pull the packages from Sectigo during installation. The DEB metadata and RPM package are digitally signed by Sectigo using GPG.	No
Docker container	The Docker container offers a portable, self-contained deployment without manual installation.	No

Installation package

Description

Auto-update

Windows Installer

The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation.

The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo.

Yes

Linux self-extracting installer

The Linux self-extracting installer is a self-contained executable that has no external dependencies.

The installer performs an integrity check before extracting.

Yes

Linux native packages (DEB/RPM)

The Linux native packages use Linux package managers such as APT/DNF to pull the packages from Sectigo during installation.

The DEB metadata and RPM package are digitally signed by Sectigo using GPG.

Docker container

The Docker container offers a portable, self-contained deployment without manual installation.

Installation requirements

Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.

Windows
Linux
Docker

To install a network agent on Windows, the following requirements must be satisfied:

Local administrator rights
Windows Server:
- 2016 (Standard, Datacenter)
- 2019 (Standard, Datacenter)
- 2022 (Standard, Datacenter)
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)
Network access:

If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
- Outbound network access to https://dist.sectigo.com on TCP port 443
- Outbound network access to the appropriate SCM instance on TCP port 443:
  - https://cert-manager.com
  - https://hard.cert-manager.com
  - https://eu.cert-manager.com
- Certificate discovery: TCP port 443 or any port that serves up an SSL website
- Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:
  - Local — N/A
  - Local (Legacy) — N/A
  - Remote (WinRM) — TCP port 5985
  - Remote (SSH) — TCP port 22
  - Remote (Legacy) — TCP ports 135 and 445
  - Remote (REST) — TCP port 443
- If applicable, your credential store must be accessible from the network agent machine.
(Optional) Credential store:
- Local credential store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
  - Secrets must be added as key/value pairs using the following keys:
    
    username — The username for the remote server.
    
    password — The password for the remote server. This cannot be included in a secret containing a private_key_path.
    
    private_key_path — The path to the private key file for the remote server. This cannot be included in a secret containing a password.
    
    pass_phrase — The passphrase for the private key file if one is configured.
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An Application ID representing the network agent with permission to retrieve credentials
  - Remote server authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote server login credentials are stored in Delinea Secret Server

To install a network agent on Linux, the following requirements must be satisfied:

sudo permissions
Linux OS:
- CentOS Stream 8, Stream 9
- RHEL 8.x, 9.x
- Debian 11, 12
- Ubuntu 18.04, 20.04, 22.04
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)

Network access:

If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible. Additionally, the ephemeral port range for local connections may vary depending on your linux distribution.

Outbound network access to https://dist.sectigo.com on TCP port 443
Outbound network access to the appropriate SCM instance on TCP port 443:
- https://cert-manager.com
- https://hard.cert-manager.com
- https://eu.cert-manager.com
Certificate discovery: TCP port 443 or any port that serves up an SSL website
Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:
- Local — N/A
- Remote (WinRM) — TCP port 5985
- Remote (SSH) — TCP port 22
- Remote (REST) — TCP port 443
If applicable, your credential store must be accessible from the network agent machine.

(Optional) Credential store:
- Local credential store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An Application ID representing the network agent with permission to retrieve credentials
  - Remote server authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote server authentication credentials are stored in Delinea Secret Server

To run a network agent on Docker, the following requirement must be satisfied:

Docker engine installed
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)
Network access:

If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
- Outbound network access to https://dist.sectigo.com on TCP port 443
- Outbound network access to the appropriate SCM instance on TCP port 443:
  - https://cert-manager.com
  - https://hard.cert-manager.com
  - https://eu.cert-manager.com
- Certificate discovery: TCP port 443 or any port that serves up an SSL website
- If applicable, your credential store must be accessible from the network agent machine.
(Optional) Credential store:
- Local credential store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An Application ID representing the network agent with permission to retrieve credentials
  - Remote server authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote server authentication credentials are stored in Delinea Secret Server

Add a network agent to SCM

Navigate to Integrations Network Agents and click the Add icon.
In the Add Network Agent dialog, provide a name to help identify the agent.
Select the organization and department under which to place the agent.
Click Next.
Copy the installation token for use during installation.
Download the agent with the Windows or Linux Self-Extracting installation package link.

Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.
Click Save.

The agent should now be listed on the Network Agents page with a status of Pending.

Install a network agent

Windows
Windows ( CLI )
Linux Self-Extracting
Linux APT ( DEB )
Linux DNF ( RPM )
Docker

Run the bootstrap application.

The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.

Read the EULA, select I agree to the license terms and conditions, and click Install.
Click Next.
Read the EULA, select I accept the terms in the License Agreement, and click Next.
Click Next, and paste the agent installation token.

If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
Click Next.

(Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

Field	Description
Proxy PAC URL	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.
Proxy Host	The hostname or IP address of your proxy server.
Proxy Port	The port number used by your proxy server.
Proxy Domain	(NTLM proxy authentication only) The domain for accessing the proxy server.
Proxy User	The username for accessing the proxy server, if configured to use credentials.
Proxy Password	The password for accessing the proxy server, if configured to use credentials.

Field

Description

Proxy PAC URL

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of manually entering the values.

Proxy Host

The hostname or IP address of your proxy server.

Proxy Port

The port number used by your proxy server.

Proxy Domain

(NTLM proxy authentication only) The domain for accessing the proxy server.

Proxy User

The username for accessing the proxy server, if configured to use credentials.

Proxy Password

The password for accessing the proxy server, if configured to use credentials.

Click Next.
(Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.
Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.

A local credential store named sectigo-store is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.

Open the Windows command prompt.

In the command line, navigate to the download location of the bootstrap application.

Modify the installation command as needed.

.\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=

Options without an included value are ignored. The command options are outlined in the following table.

Option Description

Option	Description
`/i`	Initiates installation of the agent through the bootstrap application.
`/q`	Runs the installation in silent mode so no interaction is required.
`PROPERTY_AUTOUPDATE`	Indicates whether the agent should automatically update. The possible values are: `1` (Yes) Empty (No) If you do not include this command option, the default value of `1` (Yes) is applied.
`PROPERTY_TOKEN`	The mandatory installation token.
`PROPERTY_USE_PROXY`	Indicates whether you are using a proxy server. `1` (Yes) Empty (No)
`PROPERTY_PROXY_PAC_URL`	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of specifying values for the `PROPERTY_PROXY_HOST`, `PROPERTY_PROXY_PORT`, `PROPERTY_PROXY_USER`, and `PROPERTY_PROXY_PASSWORD` options.
`PROPERTY_PROXY_HOST`	The hostname or IP address of your proxy server.
`PROPERTY_PROXY_PORT`	The port number used by your proxy server.
`PROPERTY_PROXY_DOMAIN`	(NTLM proxy authentication only) The domain for accessing the proxy server.
`PROPERTY_PROXY_USER`	The username for accessing the proxy server, if configured to use credentials.
`PROPERTY_PROXY_PASSWORD`	The password for accessing the proxy server, if configured to use credentials.

/i

Initiates installation of the agent through the bootstrap application.

/q

Runs the installation in silent mode so no interaction is required.

PROPERTY_AUTOUPDATE

Indicates whether the agent should automatically update.

The possible values are:

1 (Yes)
Empty (No)

If you do not include this command option, the default value of 1 (Yes) is applied.

PROPERTY_TOKEN

The mandatory installation token.

PROPERTY_USE_PROXY

Indicates whether you are using a proxy server.

1 (Yes)
Empty (No)

PROPERTY_PROXY_PAC_URL

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of specifying values for the PROPERTY_PROXY_HOST, PROPERTY_PROXY_PORT, PROPERTY_PROXY_USER, and PROPERTY_PROXY_PASSWORD options.

PROPERTY_PROXY_HOST

The hostname or IP address of your proxy server.

PROPERTY_PROXY_PORT

The port number used by your proxy server.

PROPERTY_PROXY_DOMAIN

(NTLM proxy authentication only) The domain for accessing the proxy server.

PROPERTY_PROXY_USER

The username for accessing the proxy server, if configured to use credentials.

PROPERTY_PROXY_PASSWORD

The password for accessing the proxy server, if configured to use credentials.

Run the modified installation command.

The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.

Give execute permission to the installer binary.
```
chmod +x sectigo-network-agent.bin
```
Run the installer.
```
sudo ./sectigo-network-agent.bin
```
Accept the EULA.
When prompted, paste the agent installation token.

(Optional) Enter your proxy details based on the information provided in the following table.

Parameter Description

Parameter	Description
`Proxy PAC URL`	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.
`Proxy Host`	The hostname or IP address of your proxy server.
`Proxy Port`	The port number used by your proxy server.
`Proxy Domain`	(NTLM proxy authentication only) The domain for accessing the proxy server.
`Proxy User`	The username for accessing the proxy server, if configured to use credentials.
`Proxy Password`	The password for accessing the proxy server, if configured to use credentials.

Proxy PAC URL

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of manually entering the values.

Proxy Host

The hostname or IP address of your proxy server.

Proxy Port

The port number used by your proxy server.

Proxy Domain

(NTLM proxy authentication only) The domain for accessing the proxy server.

Proxy User

The username for accessing the proxy server, if configured to use credentials.

Proxy Password

The password for accessing the proxy server, if configured to use credentials.

Select if auto update should be enabled. It is enabled by default.

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

Linux native packages do not support auto-update.

Add the GPG key to your system.

curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg

Verify the GPG key.
```
gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg
```
The GPG key fingerprint should match the following:

FCB9 DC04 DE50 2CBA 0F39 BFAF BFB4 716B 93A8 397B

Add the repository.

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null

Update the local package index.
```
sudo apt-get update
```

Install the network agent.

sudo apt-get install sectigo-network-agent

Configure the network agent.

sudo /opt/sectigo-network-agent/sectigona-config interactive

When prompted, paste the agent installation token.

(Optional) Enter your proxy details based on the information provided in the following table.

Parameter Description

Parameter	Description
`Proxy PAC URL`	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.
`Proxy Host`	The hostname or IP address of your proxy server.
`Proxy Port`	The port number used by your proxy server.
`Proxy Domain`	(NTLM proxy authentication only) The domain for accessing the proxy server.
`Proxy User`	The username for accessing the proxy server, if configured to use credentials.
`Proxy Password`	The password for accessing the proxy server, if configured to use credentials.

Proxy PAC URL

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of manually entering the values.

Proxy Host

The hostname or IP address of your proxy server.

Proxy Port

The port number used by your proxy server.

Proxy Domain

(NTLM proxy authentication only) The domain for accessing the proxy server.

Proxy User

The username for accessing the proxy server, if configured to use credentials.

Proxy Password

The password for accessing the proxy server, if configured to use credentials.

Start the network agent service.

SysVinit Linux:

sudo service sectigo-network-agent start

systemd Linux:

sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

Linux native packages do not support auto-update.

Add the repository.

sudo dnf config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo

Install the network agent.
```
sudo dnf install sectigo-network-agent
```
When prompted to accept the GPG key, confirm the fingerprint matches the following:

0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

Configure the network agent.

sudo /opt/sectigo-network-agent/sectigona-config interactive

When prompted, paste the agent installation token.

(Optional) Enter your proxy details based on the information provided in the following table.

Parameter Description

Parameter	Description
`Proxy PAC URL`	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.
`Proxy Host`	The hostname or IP address of your proxy server.
`Proxy Port`	The port number used by your proxy server.
`Proxy Domain`	(NTLM proxy authentication only) The domain for accessing the proxy server.
`Proxy User`	The username for accessing the proxy server, if configured to use credentials.
`Proxy Password`	The password for accessing the proxy server, if configured to use credentials.

Proxy PAC URL

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of manually entering the values.

Proxy Host

The hostname or IP address of your proxy server.

Proxy Port

The port number used by your proxy server.

Proxy Domain

(NTLM proxy authentication only) The domain for accessing the proxy server.

Proxy User

The username for accessing the proxy server, if configured to use credentials.

Proxy Password

The password for accessing the proxy server, if configured to use credentials.

Start the network agent service.

SysVinit Linux:

sudo service sectigo-network-agent start

systemd Linux:

sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

The Docker container does not support auto-update.

Create a directory on your Docker host machine for network agent data.
```
sudo mkdir /var/opt/network-agent-data
```

docker run --rm -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest register --token <token>

Run the network agent.

docker run -d --name sectigo-network-agent -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest

Configure SSL trusted issuers.

The agent uses the certificates file inside the container image, so host trust updates are not recognized and changes inside the container won’t persist. To use the host’s trusted CAs, mount the host’s certificates file and override the SSL_CERT_FILE environment variable.

For example, on Debian, use the following docker run command:
```
-v /etc/ssl/certs/ca-certificates.crt:/certs/ca-certificates.crt -e SSL_CERT_FILE=/certs/ca-certificates.crt
```
Configure the network agent.

Most agent configuration commands require direct communication with the agent service. Therefore, sectigona-config commands must be executed inside the running container. This command allows you to interact with the agent’s configuration directly, providing the ability to manage credential stores and other agent-specific settings.

For example, to list the available credential stores, execute the following command:
```
docker exec sectigo-network-agent sectigona-config credstore list
```

The agent should now be listed on the Network Agents page with a status of Connected.