Installing network agents

The network agent is distributed as a Windows Installer package, Linux self-extracting installer, and Linux native packages.

Installation package Description Auto-update

Windows Installer

The Windows Installer package utilizes a small bootstrap application that dynamically pulls the packages from Sectigo during installation.

The bootstrap application and all Windows Installer package files (MSI) are digitally signed by Sectigo.

Yes

Linux self-extracting installer

The Linux self-extracting installer is a self-contained executable that has no external dependencies.

The installer performs an integrity check before extracting.

Yes

Linux native packages (DEB/RPM)

The Linux native packages use Linux package managers such as APT/YUM to pull the packages from Sectigo during installation.

The DEB metadata and RPM package are digitally signed by Sectigo using GPG.

No

Installation requirements

Network agents require a number of platform-dependent permissions in order to be installed and to perform SSL certificate discovery and automatic installation.

  • Windows

  • Linux

To install a network agent on Windows, the following requirements must be satisfied:

  • Local administrator rights

  • Windows Server:

    • 2012

    • 2016 (Standard, Datacenter)

    • 2019 (Standard, Datacenter)

    • 2022 (Standard, Datacenter)

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://cert-manager.com on TCP 443

    • Certificate discovery: TCP 443 (default) or any port that serves up an SSL website

    • Node discovery & auto installation: TCP 135, 445, randomly allocated high ports 49152-65535

To install a network agent on Linux, the following requirements must be satisfied:

  • sudo permissions

  • Linux OS:

    • CentOS 7.x, Stream 8, Stream 9

    • RHEL 7.x, 8.x, 9.x

    • Debian 10, 11

    • Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04

  • Hardware:

    • CPU — 1.4GHz 64-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://cert-manager.com on TCP 443

    • Certificate discovery: TCP 443 (default) or any port that serves up an SSL website

    • Node discovery & auto installation: TCP 22 (default SSH port)

Add a network agent to SCM

  1. Navigate to Integrations  Network Agents and click Add.

    Add Network Agent
  2. In the Add Network Agent dialog, provide a name to help identify the agent.

  3. Select the organization and department under which to place the agent.

  4. Click Next.

  5. Copy the installation token for use during installation.

    Network Agent Installation Token
  6. Download the agent with the Windows or Linux Self-Extracting installation package link.

    Linux native installation packages (DEB/RPM) are downloaded through the CLI as part of the installation process.
    Network Agent download links
  7. Click Save.

The agent should now be listed on the Network Agents page with a status of Pending.

Network Agent with Pending status

Install a network agent

  • Windows

  • Windows ( CLI )

  • Linux Self-Extracting

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

  1. Run the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  2. Read the EULA, select I agree to the license terms and conditions, and click Install.

  3. Click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

  6. Click Next, and paste the agent installation token.

    If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
  7. Click Next.

  8. (Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

    Field Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  9. Click Next.

  10. (Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.

  11. Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.

Network Agent with Connected status
For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.
  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the bootstrap application.

    The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  3. Modify the installation command as needed.

    .\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=

    Options without an included value are ignored. The command options are outlined in the following table.

    Option Description

    /i

    Initiates installation of the agent through the bootstrap application

    /q

    Runs the installation in silent mode so no interaction is required

    PROPERTY_AUTOUPDATE

    Indicates whether the agent should automatically update

    The possible values are:

    • 1 (Yes)

    • Empty (No)

    If you do not include this command option, the default value of 1 (Yes) is applied.

    PROPERTY_TOKEN

    The mandatory installation token

    PROPERTY_USE_PROXY

    Indicates whether you are using a proxy server

    • 1 (Yes)

    • Empty (No)

    PROPERTY_PROXY_PAC_URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of specifying values for the PROPERTY_PROXY_HOST, PROPERTY_PROXY_PORT, PROPERTY_PROXY_USER, and PROPERTY_PROXY_PASSWORD options.

    PROPERTY_PROXY_HOST

    The hostname or IP address of your proxy server

    PROPERTY_PROXY_PORT

    The port number used by your proxy server

    PROPERTY_PROXY_USER

    The username for accessing the proxy server if configured to use credentials

    PROPERTY_PROXY_PASSWORD

    The password for accessing the proxy server if configured to use credentials

  4. Run the modified installation command.

The agent should now be listed on the Network Agents page with a status of Connected.

Network Agent with Connected status
For Windows, the network agent logs are stored in %PROGRAMDATA%\Sectigo\Network Agent\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo\Network Agent\conf.
  1. Give execute permission to the installer binary.

    chmod +x sectigo-network-agent.bin
  2. Run the installer.

    sudo ./sectigo-network-agent.bin
  3. Accept the EULA.

  4. When prompted, paste the agent installation token.

  5. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  6. Select if auto update should be enabled. It is enabled by default.

The agent should now be listed on the Network Agents page with a status of Connected.

Network Agent with Connected status
For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
Linux native packages do not support auto-update.
  1. Add the GPG key to your system.

    curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg
  2. Verify the GPG key.

    gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg

    The GPG key fingerprint should match the following:

    FCB9 DC04 DE50 2CBA 0F39  BFAF BFB4 716B 93A8 397B

  3. Add the repository.

    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null
  4. Update the local package index.

    sudo apt-get update
  5. Install the network agent.

    sudo apt-get install sectigo-network-agent
  6. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  7. When prompted, paste the agent installation token.

  8. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  9. Start the network agent service.

    sudo service sectigo-network-agent start

The agent should now be listed on the Network Agents page with a status of Connected.

Network Agent with Connected status
For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.
Linux native packages do not support auto-update.
  1. Add the repository.

    sudo yum-config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
  2. Install the network agent.

    sudo yum install sectigo-network-agent

    When prompted to accept the GPG key, confirm the fingerprint matches the following:

    0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

  3. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
  4. When prompted, paste the agent install token.

  5. (Optional) Enter your proxy details based on the information provided in the following table.

    Parameter Description

    Proxy PAC URL

    The address of your proxy auto-config (PAC)

    This file contains your proxy configuration details and can be used instead of manually entering the values.

    Proxy Host

    The hostname or IP address of your proxy server

    Proxy Port

    The port number used by your proxy server

    Proxy User

    The username for accessing the proxy server if configured to use credentials

    Proxy Password

    The password for accessing the proxy server if configured to use credentials

  6. Start the network agent service.

    sudo service sectigo-network-agent start

The agent should now be listed on the Network Agents page with a status of Connected.

Network Agent with Connected status
For Linux, the network agent logs are stored in /var/opt/sectigo-network-agent/logs and the configuration files are stored in /var/opt/sectigo-network-agent/conf.

Update a network agent

  • Windows

  • Linux Self-Extracting

  • Linux YUM ( RPM )

  • Linux APT ( DEB )

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download Network Agent icon and select Windows.

  4. (Optional) If required, move the Sectigo_Network_Agent.exe file to the install location of the existing network agent.

  5. Right-click Sectigo_Network_Agent.exe and click Install.

    The package automatically recognizes that there’s an existing version of the network agent and initiates an update instead of a new install.

  6. Read the EULA, select I agree to the license terms and conditions, and click Install.

  7. Click Next.

  8. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  9. (Optional) Specify an installation location.

  10. Click Next, Install, and Close.

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download Network Agent icon and select Linux Self-Extracting.

  4. (Optional) If required, move the sectigo-network-agent.bin file to the install location of the existing network agent.

  5. Give execute permission to the installer binary.

    chmod +x sectigo-network-agent.bin
  6. Run the installer.

    sudo ./sectigo-network-agent.bin
  7. Accept the EULA.

  1. Run the update package.

    yum update sectigo-network-agent
  1. Run the update package.

    sudo apt-get update && sudo apt install --only-upgrade sectigo-network-agent

Uninstall a network agent

  • Windows

  • Linux Self-Extracting

  • Linux APT ( DEB )

  • Linux YUM ( RPM )

  1. Navigate to Settings  Apps & features.

  2. Search for Sectigo Network Agent.

  3. Select the Sectigo Network Agent and click Uninstall.

  4. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to C:\ProgramData\Sectigo.

    2. Delete the Network Agent folder.

      This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the agent.
  5. In SCM, navigate to Integrations  Network Agents.

  6. Select the agent you want to delete.

  7. Click the Delete icon.

  8. Click Delete again.

  1. Stop the network agent service.

    sudo service sectigo-network-agent stop
  2. Navigate to the /etc/init.d directory.

  3. Delete the sectigo-network-agent directory.

  4. Delete the network agent installation files.

    1. Navigate to the /opt directory.

    2. Delete the sectigo-network-agent directory.

  5. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  6. In SCM, navigate to Integrations  Network Agents.

  7. Select the agent you want to delete.

  8. Click Delete.

  9. Click Delete again.

  1. Remove the network agent.

    sudo apt remove sectigo-network-agent
  2. Remove the JRE.

    sudo apt remove sectigo-network-agent-jre
  3. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  4. In SCM, navigate to Integrations  Network Agents.

  5. Select the agent you want to delete.

  6. Click Delete.

  7. Click Delete again.

  1. Remove the network agent.

    sudo yum remove sectigo-network-agent
  2. Remove the JRE.

    sudo yum remove sectigo-network-agent-jre
  3. (Optional) Delete the files and logs associated with the network agent.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-network-agent directory.

      This cannot be undone. Only delete this directory if you want to completely remove all files and logs related to the agent.
  4. In SCM, navigate to Integrations  Network Agents.

  5. Select the agent you want to delete.

  6. Click Delete.

  7. Click Delete again.

Network agent service commands

  • Windows

  • DEB

  • RPM

Command Description

Start

Start a network agent:

sc start SectigoNetworkAgent

Stop

Stop a network agent:

sc stop SectigoNetworkAgent

Query

Query the status of a network agent:

sc query SectigoNetworkAgent
Command Description

Start

Start a network agent:

sudo service sectigo-network-agent start

Stop

Stop a network agent:

sudo service sectigo-network-agent stop

Status

Query the status of a network agent:

sudo service sectigo-network-agent status
Command Description

Start

Start a network agent:

sudo systemctl start sectigo-network-agent

Stop

Stop a network agent:

sudo systemctl stop sectigo-network-agent

Status

Query the status of a network agent:

sudo systemctl status sectigo-network-agent

Custom Java Runtime Environments

In some rare circumstances the default Java Runtime Sectigo packages included with the network agent might need to be customized. For example, this can happen if an HTTP proxy is using privately trusted certificates or requires authentication schemes that aren’t enabled by default.

  • Windows

  • Linux

  1. Navigate to your network agent install location and open the bin folder.

    The default install location is Local Disk (C:)  Program Files  Sectigo  Network Agent.
  2. Open the sectigonetworkagentw.exe file.

  3. Select the Java tab.

  4. Customize the Java Options using the information provided in the following table.

    JVM Parameter Description

    -Djavax.net.ssl.trustStore=path_to_keystore.jks

    Replaces the truststore used by the JVM when trusting SSL certificates

    Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)

    -Djdk.http.auth.proxying.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy

    -Djdk.http.auth.tunneling.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy using TLS

  5. Click OK.

  1. Create a file in /etc/opt/sectigo-network-agent named start-agent.ini

  2. Enter the required JVM parameters on separate lines using the information provided in the following table.

    JVM Parameter Description

    -Djavax.net.ssl.trustStore=path_to_keystore.jks

    Replaces the truststore used by the JVM when trusting SSL certificates

    Can be used if HTTP proxy uses a privately trusted certificate instead of needing to modify the JVM’s truststore (cacerts)

    -Djdk.http.auth.proxying.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy

    -Djdk.http.auth.tunneling.disabledSchemes=""

    Reenables all authentication schemes when connecting to HTTP proxy using TLS

  3. Restart the service.

    sudo service sectigo-network-agent stop
    sudo service sectigo-network-agent start