How do I install the Sectigo Network Agent?

Overview

Sectigo Network agents are installed on your network for use in SSL web server certificate discovery and the automated request and installation of SSL certificates. The certificate will have an expiration of 90 days.

Currently Supported Solutions - Web Servers

  • Apache HTTP Server
  • Apache Tomcat
  • Microsoft IIS

Please note that an installation token is needed during installation and will be provided in the ticket request. Each token is for one-time use only, per Sectigo Network Agent.

Installation Requirements for Windows 

To install a network agent on Windows, the following requirements must be satisfied:

  • Local administrator rights
  • Windows Server:
    • 2012
    • 2016 (Standard, Datacenter)
    • 2019 (Standard, Datacenter)
    • 2022 (Standard, Datacenter)
  • Hardware:
    • CPU — 1.4GHz 64-bit (minimum)
    • RAM — 2 GB (minimum)
  • Internet access:
    • Outbound network access to https://dist.sectigo.com on TCP port 443
    • Outbound network access to the appropriate SCM instance on TCP port 443:
      • https://cert-manager.com
      • https://hard.cert-manager.com
      • https://eu.cert-manager.com
    • Certificate discovery: TCP port 443 (default) or any port that serves up an SSL website
    • Node discovery & auto installation: TCP ports 135, 445, and randomly allocated high ports 49152-65535

Installation Requirements for Linux

To install a network agent on Linux, the following requirements must be satisfied:

  • sudo permissions
  • Linux OS:
    • CentOS 7.x, Stream 8, Stream 9
    • RHEL 7.x, 8.x, 9.x
    • Debian 10, 11, 12
    • Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04
  • Hardware:
    • CPU — 1.4GHz 64-bit (minimum)
    • RAM — 2 GB (minimum)
  • Internet access:
    • Outbound network access to https://dist.sectigo.com on TCP port 443
    • Outbound network access to the appropriate SCM instance on TCP port 443:
      • https://cert-manager.com
      • https://hard.cert-manager.com
      • https://eu.cert-manager.com
    • Certificate discovery: TCP port 443 (default) or any port that serves up an SSL website
    • Node discovery & auto installation: TCP port 22 (default SSH port)

Install a Network Agent for Windows 

  1. Run the bootstrap application - https://uofi.box.com/v/sectigo-agent-windows

      The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com.
  2. Read the EULA, select I agree to the license terms and conditions, and click Install.

  3. Click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

  6. Click Next, and paste the agent installation token.

      If needed, you can retrieve the installation token from the Edit Network Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time.
      Click Next.
  7. (Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.

  8. Click Next, Install, Finish, and then Close.

The agent should now be listed on the Network Agents page with a status of Connected.

Install a Network Agent for Linux

Please note that Linux native packages do not support auto-update.

  1. Add the repository.

    sudo yum-config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo
    
  2. Install the network agent.

    sudo yum install sectigo-network-agent
    

    When prompted to accept the GPG key, confirm the fingerprint matches the following:

    0541 9789 e34e be6e e3d3 6096 5097 8649 30a7 d659

  3. Configure the network agent.

    sudo /opt/sectigo-network-agent/sectigona-config interactive
    
  4. When prompted, paste the agent install token.

  5. Start the network agent service.

    • SysVinit Linux:

      sudo service sectigo-network-agent start
      
    • systemd Linux:

      sudo systemctl start sectigo-network-agent

The agent should now be listed on the Network Agents page with a status of Connected.

The network agent should discover the node and a certificate on the server. If it does not, follow the instructions below:

  • Run these two commands BEFORE restarting httpd to troubleshoot and apply a temporary fix:

    • sudo chcon -t cert_t /var/opt/sectigo-network-agent/ks/*
    • ls -lZ /var/opt/sectigo-network-agent/ks/*
       
  • Check the SELinux context in the ls output. If the file type is not cert_t, httpd will fail to start.
  • If httpd starts successfully, run these two commands to make the fix permanent:

    • sudo semanage fcontext -a -t cert_t "/var/opt/sectigo-network-agent/ks(/.*)?"
    • sudo restorecon -v -r "/var/opt/sectigo-network-agent/ks"
  • Create a daily cron job for restorecon to ensure the file type is correct when a new certificate is issued.
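
One way to implement the daily restorecon job from the last step, as an added example (not Sectigo's or this article's own script): it re-applies the labels, then logs any key-store file whose SELinux type is still not cert_t. The script name, install path, cron schedule and syslog tag are assumptions, and it relies on the semanage fcontext rule above already being in place.

```shell
#!/bin/sh
# Added example (not Sectigo's code): relabel the agent key store and verify
# that every file ended up with the SELinux type httpd needs.
KS_DIR="/var/opt/sectigo-network-agent/ks"   # path used in the article
WANT_TYPE="cert_t"

# Reads "CONTEXT PATH" lines (the output of: stat -c '%C %n') on stdin and
# prints the path of each entry whose SELinux type is not $1. The type is
# the third colon-separated field of the context (user:role:type:level).
mislabeled() {
    awk -v want="$1" '{
        n = split($1, ctx, ":")
        if (n < 3 || ctx[3] != want) {
            sub(/^[^ ]+ /, "")      # drop the context, keep the whole path
            print
        }
    }'
}

# Re-applies the policy labels, then reports anything still mislabeled.
# Returns 0 when clean, 1 when files are mislabeled, 2 if restorecon failed.
relabel_and_check() {
    restorecon -r "$1" || return 2
    bad=$(find "$1" -type f -exec stat -c '%C %n' {} + | mislabeled "$WANT_TYPE")
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | logger -t sectigo-ks-relabel -p daemon.warning
    return 1
}

# Constructed sample lines for a dry run on a machine without the agent.
demo() {
    printf '%s\n' \
        "unconfined_u:object_r:cert_t:s0 $KS_DIR/site.crt" \
        "unconfined_u:object_r:var_t:s0 $KS_DIR/site.key" | mislabeled "$WANT_TYPE"
}

# Hypothetical install path and schedule, e.g. in /etc/cron.d/sectigo-ks-relabel:
#   17 3 * * * root /usr/local/sbin/sectigo-ks-relabel --apply
case "${1:-}" in
    --apply) relabel_and_check "$KS_DIR"; exit $? ;;
    --demo)  demo ;;
esac
```

A non-zero exit or a sectigo-ks-relabel warning in syslog means a renewed certificate was written with the wrong label and httpd may fail on its next restart.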