Sensor installation requirements

Before you install a sensor on a computer in your network, verify the computer meets the minimum hardware and software requirements. DigiCert sensors also have deployment and network requirements that must be met before you run your first scan.

Network requirements

To successfully configure a sensor, the host names for the sensor’s host device must be resolvable.

For example, to resolve the host name on a Red Hat Enterprise Linux server, you add it to /etc/hosts (for non-standard configurations).

The sensor host must be able to access the CertCentral cloud service and your targeted IP address.

CertCentral cloud service

Sensors must be able to communicate with CertCentral cloud to receive instructions on when to run scans and to send inventory updates when new certificates are discovered.

  • Outbound HTTPS (port 443)
    For direct or proxy access communications with the CertCentral cloud service, a sensor host must have access to the outbound HTTPS (port 443).
    Note: If you have a previous version sensor (v3.8.25 or before) installed, make sure it has access to the outbound HTTP (port 80) and HTTPS (port 443).
  • CertCentral cloud service IP address
    If you're using a firewall, you need to open the firewall to IP range: 216.168.244.42. Failing to do this blocks the sensor from relaying scan information to Discovery in CertCentral.
  • Localhost
    For local machines, the sensor must have access to port 10323 to loopback. If port 10323 is used by another software, the sensor automatically redirects to the port available from the given range (10323–10373). To configure the sensor of your choice, update the cli.properties file located in <SensorInstllationDirectory>/config/cli.properties, and run the start command.

Target IP addresses

The firewall rules or Access Control Lists must allow the sensor to reach the target IP addresses you want scanned.

Proxy server communications

For a scan to run successfully, its sensor must be able to communicate with the CertCentral cloud service to receive instructions associated with certificate discovery and to report on certificate inventory updates. See Configure a sensor to use a proxy server for communications.

Docker containers and network interfaces

Docker sensor containers use a bridge network by default. A docker network is associated with a bridge interface on the host, and firewall rules are defined to filter traffic between these interfaces.

Docker containers that share the same docker network and host bridge interface but are isolated from each other by the firewall can communicate with each other using the bridge network.

To view a list of Docker interfaces, run docker network ls.

To get information about Docker interfaces, run docker inspect <docker_container_ID> | grep sensor.

The proxy configuration for the sensor enables the sensor to communicate with CertCentral cloud service. The proxy configuration is not for enabling the sensor to scan a host.

Deployment requirements

Install the sensor where it can access the fully qualified domain names (FQDNs) and IP addresses you want scanned. We recommend installing one sensor per uninterrupted network segment.

You only need additional sensors if your network:

  • Is segmented by firewalls or routers.
  • Has multiple LANs or network segments.

Additional sensors may also be useful when scanning a large number of IP addresses and ports. Splitting large IP ranges across multiple scans allows you to decrease the impact of scans on your network resources and to complete scans more quickly.

Hardware and software requirements

Red Hat Enterprise Linux 6.x, 7.x, 8.x, and Ubuntu 20.04 or later

  • Root privileges
  • 64-bit version and US locale required
  • 2 GB RAM (4GB RAM recommended)
  • 2 GB free disk space (minimum)

Microsoft Windows 8, 8.1, 10, Server 2012, 2016, and 2019

  • Run as administrator
  • 64-bit version
  • Microsoft .NET Framework 4.x
  • 2 GB RAM (4GB RAM recommended)
  • 2 GB free disk space (minimum)

Docker Engine 18.06.3 or later

  • Admin access
  • 64-bit version
  • 2 GB RAM (4GB RAM recommended)
  • 2 GB free disk space (minimum)