Installing network agents
The network agent is distributed as a Windows Installer package, Linux self-extracting installer, and Linux native packages.
Installation package | Description | Auto-update |
---|---|---|
Windows Installer |
The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation. The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo. |
Yes |
Linux self-extracting installer |
The Linux self-extracting installer is a self-contained executable that has no external dependencies. The installer performs an integrity check before extracting. |
Yes |
Linux native packages (DEB/RPM) |
The Linux native packages use Linux package managers such as APT/YUM to pull the packages from Sectigo during installation. The DEB metadata and RPM package are digitally signed by Sectigo using GPG. |
No |
Installation requirements
Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.
To install a network agent on Windows, the following requirements must be satisfied:
-
Local administrator rights
-
Windows Server:
-
2012
-
2016 (Standard, Datacenter)
-
2019 (Standard, Datacenter)
-
2022 (Standard, Datacenter)
-
-
Hardware:
-
CPU — 1.4GHz 64-bit (minimum)
-
RAM — 2 GB (minimum)
-
-
Internet access:
-
Outbound network access to
https://cert-manager.com
on TCP443
-
Certificate discovery: TCP
443
(default) or any port that serves up an SSL website -
Node discovery & auto installation: TCP
135
,445
, randomly allocated high ports49152
-65535
-
To install a network agent on Linux, the following requirements must be satisfied:
-
sudo permissions
-
Linux OS:
-
CentOS 7.x, Stream 8, Stream 9
-
RHEL 7.x, 8.x, 9.x
-
Debian 10, 11
-
Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04
-
-
Hardware:
-
CPU — 1.4GHz 64-bit (minimum)
-
RAM — 2 GB (minimum)
-
-
Internet access:
-
Outbound network access to
https://cert-manager.com
on TCP443
-
Certificate discovery: TCP
443
(default) or any port that serves up an SSL website -
Node discovery & auto installation: TCP
22
(default SSH port)
-
Add a network agent to SCM
-
Navigate to
and click Add. -
In the Add Network Agent dialog, provide a name to help identify the agent.
-
Select the organization and department under which to place the agent.
-
Click Next.
-
Copy the installation token for use during installation.
-
Download the agent with the Windows or Linux Self-Extracting installation package link.
Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process. -
Click Save.
The agent should now be listed on the Network Agents page with a status of Pending.

Install a network agent
-
Run the bootstrap application.
The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com. -
Read the EULA, select I agree to the license terms and conditions, and click Install.
-
Click Next.
-
Read the EULA, select I accept the terms in the License Agreement, and click Next.
-
(Optional) Specify an installation location.
-
Click Next, and paste the agent installation token.
If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time. -
Click Next.
-
(Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.
Field Description Proxy PAC URL
The address of your proxy auto-config (PAC)
This file contains your proxy configuration details and can be used instead of manually entering the values.
Proxy Host
The hostname or IP address of your proxy server
Proxy Port
The port number used by your proxy server
Proxy User
The username for accessing the proxy server if configured to use credentials
Proxy Password
The password for accessing the proxy server if configured to use credentials
-
Click Next.
-
(Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.
-
Click Next, Install, Finish, and then Close.
The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf .
|
-
Open the Windows command prompt.
-
In the command line, navigate to the download location of the bootstrap application.
The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com. -
Modify the installation command as needed.
.\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=
Options without an included value are ignored. The command options are outlined in the following table.
Option Description /i
Initiates installation of the agent through the bootstrap application
/q
Runs the installation in silent mode so no interaction is required
PROPERTY_AUTOUPDATE
Indicates whether the agent should automatically update
The possible values are:
-
1
(Yes) -
Empty (No)
If you do not include this command option, the default value of
1
(Yes) is applied.PROPERTY_TOKEN
The mandatory installation token
PROPERTY_USE_PROXY
Indicates whether you are using a proxy server
-
1
(Yes) -
Empty (No)
PROPERTY_PROXY_PAC_URL
The address of your proxy auto-config (PAC)
This file contains your proxy configuration details and can be used instead of specifying values for the
PROPERTY_PROXY_HOST
,PROPERTY_PROXY_PORT
,PROPERTY_PROXY_USER
, andPROPERTY_PROXY_PASSWORD
options.PROPERTY_PROXY_HOST
The hostname or IP address of your proxy server
PROPERTY_PROXY_PORT
The port number used by your proxy server
PROPERTY_PROXY_USER
The username for accessing the proxy server if configured to use credentials
PROPERTY_PROXY_PASSWORD
The password for accessing the proxy server if configured to use credentials
-
-
Run the modified installation command.
The agent should now be listed on the Network Agents page with a status of Connected.

For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf .
|
-
Give execute permission to the installer binary.
chmod +x sectigo-network-agent.bin
-
Run the installer.
sudo ./sectigo-network-agent.bin
-
Accept the EULA.
-
When prompted, paste the agent installation token.
-
(Optional) Enter your proxy details based on the information provided in the following table.
Parameter Description Proxy PAC URL
The address of your proxy auto-config (PAC)
This file contains your proxy configuration details and can be used instead of manually entering the values.
Proxy Host
The hostname or IP address of your proxy server
Proxy Port
The port number used by your proxy server
Proxy User
The username for accessing the proxy server if configured to use credentials
Proxy Password
The password for accessing the proxy server if configured to use credentials
-
Select if auto update should be enabled. It is enabled by default.
The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf .
|
Linux native packages do not support auto-update. |
-
Add the GPG key to your system.
curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
-
Verify the GPG key.
gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg
The GPG key fingerprint should match the following:
FCB9 DC04 DE50 2CBA 0F39 BFAF BFB4 716B 93A8 397B
-
Add the repository.
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
-
Update the local package index.
sudo apt-get update
-
Install the network agent.
sudo apt-get install sectigo-network-agent
-
Configure the network agent.
sudo /opt/sectigo-network-agent/sectigona-config interactive
-
When prompted, paste the agent installation token.
-
(Optional) Enter your proxy details based on the information provided in the following table.
Parameter Description Proxy PAC URL
The address of your proxy auto-config (PAC)
This file contains your proxy configuration details and can be used instead of manually entering the values.
Proxy Host
The hostname or IP address of your proxy server
Proxy Port
The port number used by your proxy server
Proxy User
The username for accessing the proxy server if configured to use credentials
Proxy Password
The password for accessing the proxy server if configured to use credentials
-
Start the network agent service.
sudo service sectigo-network-agent start
The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf .
|
Linux native packages do not support auto-update. |
-
Add the repository.
sudo yum-config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
-
Install the network agent.
sudo yum install sectigo-network-agent
When prompted to accept the GPG key, confirm the fingerprint matches the following:
0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659
-
Configure the network agent.
sudo /opt/sectigo-network-agent/sectigona-config interactive
-
When prompted, paste the agent install token.
-
(Optional) Enter your proxy details based on the information provided in the following table.
Parameter Description Proxy PAC URL
The address of your proxy auto-config (PAC)
This file contains your proxy configuration details and can be used instead of manually entering the values.
Proxy Host
The hostname or IP address of your proxy server
Proxy Port
The port number used by your proxy server
Proxy User
The username for accessing the proxy server if configured to use credentials
Proxy Password
The password for accessing the proxy server if configured to use credentials
-
Start the network agent service.
sudo service sectigo-network-agent start
The agent should now be listed on the Network Agents page with a status of Connected.

For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf .
|
Update a network agent
-
Log in to SCM.
-
From the left-hand menu, select About.
-
Click the Download Network Agent icon and select Windows.
-
(Optional) If required, move the
Sectigo_Network_Agent.exe
file to the install location of the existing network agent. -
Right-click
Sectigo_Network_Agent.exe
and click Install.The package automatically recognizes that there’s an existing version of the network agent and initiates an update instead of a new install.
-
Read the EULA, select I agree to the license terms and conditions, and click Install.
-
Click Next.
-
Read the EULA, select I accept the terms in the License Agreement, and click Next.
-
(Optional) Specify an installation location.
-
Click Next, Install, and Close.
-
Log in to SCM.
-
From the left-hand menu, select About.
-
Click the Download Network Agent icon and select Linux Self-Extracting.
-
(Optional) If required, move the
sectigo-network-agent.bin
file to the install location of the existing network agent. -
Give execute permission to the installer binary.
chmod +x sectigo-network-agent.bin
-
Run the installer.
sudo ./sectigo-network-agent.bin
-
Accept the EULA.
-
Run the update package.
yum update sectigo-network-agent
-
Run the update package.
sudo apt-get update && sudo apt install --only-upgrade sectigo-network-agent
Uninstall a network agent
-
Navigate to
. -
Search for Sectigo Network Agent.
-
Select the Sectigo Network Agent and click Uninstall.
-
(Optional) Delete the files and logs associated with the network agent.
-
Navigate to
C:\ProgramData\Sectigo
. -
Delete the
Network Agent
folder.This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the agent.
-
-
In SCM, navigate to
. -
Select the agent you want to delete.
-
Click the Delete icon.
-
Click Delete again.
-
Stop the network agent service.
sudo service sectigo-network-agent stop
-
Navigate to the
/etc/init.d
directory. -
Delete the
sectigo-network-agent
directory. -
Delete the network agent installation files.
-
Navigate to the
/opt
directory. -
Delete the
sectigo-network-agent
directory.
-
-
(Optional) Delete the files and logs associated with the network agent.
-
Navigate to the
/var/opt
directory. -
Delete the
sectigo-network-agent
directory.This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
-
-
In SCM, navigate to
. -
Select the agent you want to delete.
-
Click Delete.
-
Click Delete again.
-
Remove the network agent.
sudo apt remove sectigo-network-agent
-
Remove the JRE.
sudo apt remove sectigo-network-agent-jre
-
(Optional) Delete the files and logs associated with the network agent.
-
Navigate to the
/var/opt
directory. -
Delete the
sectigo-network-agent
directory.This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
-
-
In SCM, navigate to
. -
Select the agent you want to delete.
-
Click Delete.
-
Click Delete again.
-
Remove the network agent.
sudo yum remove sectigo-network-agent
-
Remove the JRE.
sudo yum remove sectigo-network-agent-jre
-
(Optional) Delete the files and logs associated with the network agent.
-
Navigate to the
/var/opt
directory. -
Delete the
sectigo-network-agent
directory.This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
-
-
In SCM, navigate to
. -
Select the agent you want to delete.
-
Click Delete.
-
Click Delete again.
Network agent service commands
Command | Description |
---|---|
Start |
Start a network agent:
|
Stop |
Stop a network agent:
|
Query |
Query the status of a network agent:
|
Command | Description |
---|---|
Start |
Start a network agent:
|
Stop |
Stop a network agent:
|
Status |
Query the status of a network agent:
|
Command | Description |
---|---|
Start |
Start a network agent:
|
Stop |
Stop a network agent:
|
Status |
Query the status of a network agent:
|
Custom Java Runtime Environments
In some rare circumstances the default Java Runtime Sectigo packages included with the network agent might need to be customized. For example, this can happen if an HTTP proxy is using privately trusted certificates or requires authentication schemes that aren’t enabled by default.
-
Navigate to your network agent install location and open the
bin
folder.The default install location is . -
Open the
sectigonetworkagentw.exe
file. -
Select the Java tab.
-
Customize the Java Options using the information provided in the following table.
JVM Parameter Description -Djavax.net.ssl.trustStore=path_to_keystore.jks
Replaces the truststore used by the JVM when trusting SSL certificates
Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)
-Djdk.http.auth.proxying.disabledSchemes=""
Reenables all authentication schemes when connecting to HTTP proxy
-Djdk.http.auth.tunneling.disabledSchemes=""
Reenables all authentication schemes when connecting to HTTP proxy using TLS
-
Click OK.
-
Create a file in
/etc/opt/sectigo-network-agent
namedstart-agent.ini
-
Enter the required JVM parameters on separate lines using the information provided in the following table.
JVM Parameter Description -Djavax.net.ssl.trustStore=path_to_keystore.jks
Replaces the truststore used by the JVM when trusting SSL certificates
Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)
-Djdk.http.auth.proxying.disabledSchemes=""
Reenables all authentication schemes when connecting to HTTP proxy
-Djdk.http.auth.tunneling.disabledSchemes=""
Reenables all authentication schemes when connecting to HTTP proxy using TLS
-
Restart the service.
sudo service sectigo-network-agent stop sudo service sectigo-network-agent start