Installing network agents
The network agent is distributed as a Windows Installer package, Linux self-extracting installer, Linux native packages, and Docker container.
Installation package | Description | Auto-update |
---|---|---|
Windows Installer | The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation. The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo. | Yes |
Linux self-extracting installer | The Linux self-extracting installer is a self-contained executable that has no external dependencies. The installer performs an integrity check before extracting. | Yes |
Linux native packages (DEB/RPM) | The Linux native packages use Linux package managers such as APT/DNF to pull the packages from Sectigo during installation. The DEB metadata and RPM package are digitally signed by Sectigo using GPG. | No |
Docker container | The Docker container offers a portable, self-contained deployment without manual installation. | No |
Installation requirements
Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.
To install a network agent on Windows, the following requirements must be satisfied:
- Local administrator rights
- Windows Server:
  - 2016 (Standard, Datacenter)
  - 2019 (Standard, Datacenter)
  - 2022 (Standard, Datacenter)
- Hardware:
  - CPU — 1.4GHz 64-bit (minimum)
  - RAM — 2 GB (minimum)
- Network access:
  If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
  - Outbound network access to https://dist.sectigo.com on TCP port 443
  - Outbound network access to the appropriate SCM instance on TCP port 443:
    - https://cert-manager.com
    - https://hard.cert-manager.com
    - https://eu.cert-manager.com
  - Certificate discovery: TCP port 443 or any port that serves up an SSL website
  - Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:
    - Local — N/A
    - Local (Legacy) — N/A
    - Remote (WinRM) — TCP port 5985
    - Remote (SSH) — TCP port 22
    - Remote (Legacy) — TCP ports 135 and 445
    - Remote (REST) — TCP port 443
  - If applicable, your credential store must be accessible from the network agent machine.
- (Optional) Credential store:
  - Local credential store: No additional requirements
  - HashiCorp Vault:
    - An active HashiCorp Vault instance
    - Access token or AppRole `RoleId` and `SecretId` with permission to read the required secrets
    - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
    - Secrets must be added as key/value pairs using the following keys:
      - `username` — The username for the remote server.
      - `password` — The password for the remote server. This cannot be included in a secret containing a `private_key_path`.
      - `private_key_path` — The path to the private key file for the remote server. This cannot be included in a secret containing a `password`.
      - `pass_phrase` — The passphrase for the private key file if one is configured.
  - CyberArk Vault:
    - An active CyberArk Vault instance
    - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
    - (Certificate authentication only) A client private key and its certificate in `.p12` format
    - An Application ID representing the network agent with permission to retrieve credentials
    - Remote server authentication credentials are stored in CyberArk Vault
  - Delinea Secret Server:
    - An active Delinea Secret Server instance
    - A user account with permission to read required secrets
    - Remote server login credentials are stored in Delinea Secret Server
To install a network agent on Linux, the following requirements must be satisfied:
- sudo permissions
- Linux OS:
  - CentOS Stream 8, Stream 9
  - RHEL 8.x, 9.x
  - Debian 11, 12
  - Ubuntu 18.04, 20.04, 22.04
- Hardware:
  - CPU — 1.4GHz 64-bit (minimum)
  - RAM — 2 GB (minimum)
- Network access:
  If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible. Additionally, the ephemeral port range for local connections may vary depending on your Linux distribution.
  - Outbound network access to https://dist.sectigo.com on TCP port 443
  - Outbound network access to the appropriate SCM instance on TCP port 443:
    - https://cert-manager.com
    - https://hard.cert-manager.com
    - https://eu.cert-manager.com
  - Certificate discovery: TCP port 443 or any port that serves up an SSL website
  - Node discovery & auto installation: In addition to the general access requirements, specific ports are required based on the network agent’s connection type. The following are the default ports required for each connection type:
    - Local — N/A
    - Remote (WinRM) — TCP port 5985
    - Remote (SSH) — TCP port 22
    - Remote (REST) — TCP port 443
  - If applicable, your credential store must be accessible from the network agent machine.
- (Optional) Credential store:
  - Local credential store: No additional requirements
  - HashiCorp Vault:
    - An active HashiCorp Vault instance
    - Access token or AppRole `RoleId` and `SecretId` with permission to read the required secrets
    - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
  - CyberArk Vault:
    - An active CyberArk Vault instance
    - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
    - (Certificate authentication only) A client private key and its certificate in `.p12` format
    - An Application ID representing the network agent with permission to retrieve credentials
    - Remote server authentication credentials are stored in CyberArk Vault
  - Delinea Secret Server:
    - An active Delinea Secret Server instance
    - A user account with permission to read required secrets
    - Remote server authentication credentials are stored in Delinea Secret Server
To run a network agent on Docker, the following requirements must be satisfied:
- Docker engine installed
- Hardware:
  - CPU — 1.4GHz 64-bit (minimum)
  - RAM — 2 GB (minimum)
- Network access:
  If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
  - Outbound network access to https://dist.sectigo.com on TCP port 443
  - Outbound network access to the appropriate SCM instance on TCP port 443:
    - https://cert-manager.com
    - https://hard.cert-manager.com
    - https://eu.cert-manager.com
  - Certificate discovery: TCP port 443 or any port that serves up an SSL website
  - If applicable, your credential store must be accessible from the network agent machine.
- (Optional) Credential store:
  - Local credential store: No additional requirements
  - HashiCorp Vault:
    - An active HashiCorp Vault instance
    - Access token or AppRole `RoleId` and `SecretId` with permission to read the required secrets
    - Remote server authentication credentials are stored in the HashiCorp Vault secrets engine
  - CyberArk Vault:
    - An active CyberArk Vault instance
    - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
    - (Certificate authentication only) A client private key and its certificate in `.p12` format
    - An Application ID representing the network agent with permission to retrieve credentials
    - Remote server authentication credentials are stored in CyberArk Vault
  - Delinea Secret Server:
    - An active Delinea Secret Server instance
    - A user account with permission to read required secrets
    - Remote server authentication credentials are stored in Delinea Secret Server
Add a network agent to SCM
- Navigate to and click the Add icon.
- In the Add Network Agent dialog, provide a name to help identify the agent.
- Select the organization and department under which to place the agent.
- Click Next.
- Copy the installation token for use during installation.
- Download the agent with the Windows or Linux Self-Extracting installation package link.
  Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.
- Click Save.
The agent should now be listed on the Network Agents page with a status of Pending.
Install a network agent
- Run the bootstrap application.
  The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
- Read the EULA, select I agree to the license terms and conditions, and click Install.
- Click Next.
- Read the EULA, select I accept the terms in the License Agreement, and click Next.
- Click Next, and paste the agent installation token.
  If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
- Click Next.
- (Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

  Field | Description |
  ---|---|
  Proxy PAC URL | The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values. |
  Proxy Host | The hostname or IP address of your proxy server. |
  Proxy Port | The port number used by your proxy server. |
  Proxy Domain | (NTLM proxy authentication only) The domain for accessing the proxy server. |
  Proxy User | The username for accessing the proxy server, if configured to use credentials. |
  Proxy Password | The password for accessing the proxy server, if configured to use credentials. |

- Click Next.
- (Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.
- Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.
For Windows, the network agent logs are stored in `%PROGRAMDATA%\Sectigo\Network Agent\logs` and the configuration files are stored in `%PROGRAMDATA%\Sectigo\Network Agent\conf`.
A local credential store named `sectigo-store` is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
- Open the Windows command prompt.
- In the command line, navigate to the download location of the bootstrap application.
  The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
- Modify the installation command as needed.

  ```
  .\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=
  ```

  Options without an included value are ignored. The command options are outlined in the following table.

  Option | Description |
  ---|---|
  `/i` | Initiates installation of the agent through the bootstrap application. |
  `/q` | Runs the installation in silent mode so no interaction is required. |
  `PROPERTY_AUTOUPDATE` | Indicates whether the agent should automatically update. The possible values are `1` (Yes) and empty (No). If you do not include this command option, the default value of `1` (Yes) is applied. |
  `PROPERTY_TOKEN` | The mandatory installation token. |
  `PROPERTY_USE_PROXY` | Indicates whether you are using a proxy server. The possible values are `1` (Yes) and empty (No). |
  `PROPERTY_PROXY_PAC_URL` | The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of specifying values for the `PROPERTY_PROXY_HOST`, `PROPERTY_PROXY_PORT`, `PROPERTY_PROXY_USER`, and `PROPERTY_PROXY_PASSWORD` options. |
  `PROPERTY_PROXY_HOST` | The hostname or IP address of your proxy server. |
  `PROPERTY_PROXY_PORT` | The port number used by your proxy server. |
  `PROPERTY_PROXY_DOMAIN` | (NTLM proxy authentication only) The domain for accessing the proxy server. |
  `PROPERTY_PROXY_USER` | The username for accessing the proxy server, if configured to use credentials. |
  `PROPERTY_PROXY_PASSWORD` | The password for accessing the proxy server, if configured to use credentials. |

- Run the modified installation command.

The agent should now be listed on the Network Agents page with a status of Connected.
For Windows, the network agent logs are stored in `%PROGRAMDATA%\Sectigo\Network Agent\logs` and the configuration files are stored in `%PROGRAMDATA%\Sectigo\Network Agent\conf`.
A local credential store named `sectigo-store` is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
- Give execute permission to the installer binary.

  ```
  chmod +x sectigo-network-agent.bin
  ```

- Run the installer.

  ```
  sudo ./sectigo-network-agent.bin
  ```

- Accept the EULA.
- When prompted, paste the agent installation token.
- (Optional) Enter your proxy details based on the information provided in the following table.

  Parameter | Description |
  ---|---|
  Proxy PAC URL | The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values. |
  Proxy Host | The hostname or IP address of your proxy server. |
  Proxy Port | The port number used by your proxy server. |
  Proxy Domain | (NTLM proxy authentication only) The domain for accessing the proxy server. |
  Proxy User | The username for accessing the proxy server, if configured to use credentials. |
  Proxy Password | The password for accessing the proxy server, if configured to use credentials. |

- Select if auto update should be enabled. It is enabled by default.

The agent should now be listed on the Network Agents page with a status of Connected.
For Linux, the network agent logs are stored in `/var/opt/sectigo-network-agent/logs` and the configuration files are stored in `/var/opt/sectigo-network-agent/conf`.
A local credential store named `sectigo-store` is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
Linux native packages do not support auto-update.
- Add the GPG key to your system.

  ```
  curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
  ```

- Verify the GPG key.

  ```
  gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg
  ```

  The GPG key fingerprint should match the following:

  ```
  FCB9 DC04 DE50 2CBA 0F39 BFAF BFB4 716B 93A8 397B
  ```

- Add the repository.

  ```
  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
  ```

- Update the local package index.

  ```
  sudo apt-get update
  ```

- Install the network agent.

  ```
  sudo apt-get install sectigo-network-agent
  ```

- Configure the network agent.

  ```
  sudo /opt/sectigo-network-agent/sectigona-config interactive
  ```

- When prompted, paste the agent installation token.
- (Optional) Enter your proxy details based on the information provided in the following table.

  Parameter | Description |
  ---|---|
  Proxy PAC URL | The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values. |
  Proxy Host | The hostname or IP address of your proxy server. |
  Proxy Port | The port number used by your proxy server. |
  Proxy Domain | (NTLM proxy authentication only) The domain for accessing the proxy server. |
  Proxy User | The username for accessing the proxy server, if configured to use credentials. |
  Proxy Password | The password for accessing the proxy server, if configured to use credentials. |

- Start the network agent service.
  - SysVinit Linux: `sudo service sectigo-network-agent start`
  - systemd Linux: `sudo systemctl start sectigo-network-agent`

The agent should now be listed on the Network Agents page with a status of Connected.
For Linux, the network agent logs are stored in `/var/opt/sectigo-network-agent/logs` and the configuration files are stored in `/var/opt/sectigo-network-agent/conf`.
A local credential store named `sectigo-store` is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
Linux native packages do not support auto-update.
- Add the repository.

  ```
  sudo dnf config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
  ```

- Install the network agent.

  ```
  sudo dnf install sectigo-network-agent
  ```

  When prompted to accept the GPG key, confirm the fingerprint matches the following:

  ```
  0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659
  ```

- Configure the network agent.

  ```
  sudo /opt/sectigo-network-agent/sectigona-config interactive
  ```

- When prompted, paste the agent installation token.
- (Optional) Enter your proxy details based on the information provided in the following table.

  Parameter | Description |
  ---|---|
  Proxy PAC URL | The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values. |
  Proxy Host | The hostname or IP address of your proxy server. |
  Proxy Port | The port number used by your proxy server. |
  Proxy Domain | (NTLM proxy authentication only) The domain for accessing the proxy server. |
  Proxy User | The username for accessing the proxy server, if configured to use credentials. |
  Proxy Password | The password for accessing the proxy server, if configured to use credentials. |

- Start the network agent service.
  - SysVinit Linux: `sudo service sectigo-network-agent start`
  - systemd Linux: `sudo systemctl start sectigo-network-agent`

The agent should now be listed on the Network Agents page with a status of Connected.
For Linux, the network agent logs are stored in `/var/opt/sectigo-network-agent/logs` and the configuration files are stored in `/var/opt/sectigo-network-agent/conf`.
A local credential store named `sectigo-store` is automatically created when you install a network agent. If you are interested in creating a different local store, or using a supported third-party credential store, see Configuring credential stores.
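
The fingerprint comparisons in the DEB and RPM procedures above can be scripted rather than checked by eye. The following is an added example, not Sectigo's own tooling: it parses `gpg --show-keys --with-colons` output and accepts a keyring only if it holds exactly one primary key whose fingerprint equals the published value. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: scripted check of a repository signing key's fingerprint.
# Function names are hypothetical; the gpg options used are standard GnuPG.

# Strip whitespace and upper-case the value, so "fcb9 dc04 ..." and
# "FCB9DC04..." compare equal (the page prints both styles).
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` records on stdin and print the fingerprint of each
# PRIMARY key. An "fpr" record directly after "pub" belongs to the primary
# key; one after "sub" belongs to a subkey and is ignored.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin describes exactly one primary key and its fingerprint
# equals the expected value. Extra keys make the check fail, because APT
# trusts every key found in a signed-by keyring.
keyring_is_expected() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Convenience wrapper for a keyring file on disk.
check_keyring_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | keyring_is_expected "$2"
}

# Usage with the DEB values from this page:
#   check_keyring_file /usr/share/keyrings/sectigo-archive-keyring.gpg \
#       "FCB9 DC04 DE50 2CBA 0F39 BFAF BFB4 716B 93A8 397B" \
#       || { echo "fingerprint mismatch: do not add the repository" >&2; exit 1; }
```

Run the check between the "Verify the GPG key" and "Add the repository" steps so that a mismatched key never ends up referenced by `signed-by`.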
The Docker container does not support auto-update.
- Create a directory on your Docker host machine for network agent data.

  ```
  sudo mkdir /var/opt/network-agent-data
  ```

- Register the network agent with the agent installation token.

  ```
  docker run --rm -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest register --token <token>
  ```

- Run the network agent.

  ```
  docker run -d --name sectigo-network-agent -v /var/opt/network-agent-data:/base sectigoinc/networkagent:latest
  ```

- Configure SSL trusted issuers.
  The agent uses the certificates file inside the container image, so host trust updates are not recognized and changes inside the container won’t persist. To use the host’s trusted CAs, mount the host’s certificates file and override the `SSL_CERT_FILE` environment variable.
  For example, on Debian, add the following options to the `docker run` command:

  ```
  -v /etc/ssl/certs/ca-certificates.crt:/certs/ca-certificates.crt -e SSL_CERT_FILE=/certs/ca-certificates.crt
  ```

- Configure the network agent.
  Most agent configuration commands require direct communication with the agent service. Therefore, `sectigona-config` commands must be executed inside the running container. This command allows you to interact with the agent’s configuration directly, providing the ability to manage credential stores and other agent-specific settings.
  For example, to list the available credential stores, execute the following command:

  ```
  docker exec sectigo-network-agent sectigona-config credstore list
  ```

The agent should now be listed on the Network Agents page with a status of Connected.