Skip to main content

Windows agent silent mode preparation

Follow the below steps to prepare for silent mode installation of DigiCert​​®​​ agents on one or more Windows servers for use with DigiCert​​®​​ Trust Lifecycle Manager.

You can prepare the silent mode installation on any Windows system. It does not need to be one of the systems where you will install a DigiCert agent.

Before you begin

You need a DigiCert® ONE service user token ID to authenticate agents for silent mode installation. See Create a service user for detailed instructions about how to create and download an API service user token ID. Make sure the service user includes the following properties:

  • Accounts that can use this service user includes your DigiCert​​®​​ Trust Lifecycle Manager account.

  • DigiCert ONE Manager access includes Trust Lifecycle.

  • Roles and permissions includes the Infrastructure admin and User and certificate manager user roles for Trust Lifecycle Manager.

Notice

You can reuse the same service user token ID to install Windows or Linux agents in silent mode. You can disable the service user after the agents are deployed.

Go

You need the latest version of Go to build the companion application for silent mode installation.

To download and install Go, refer to the official Go documentation.

Notice

64-bit versions of Windows (Win10 and above) require go1.18.5 or above.

.NET Core SDK

.NET Core SDK is a prerequisite for installing the WiX Toolset (see below).

Download and install the latest version of .NET Core SDK from the official Microsoft website.

WiX Toolset

You will use the WiX Toolset (version 4 or later) to build the MSI bundle for Windows agent silent mode installation.

To install WiX using the .NET CLI (included with .NET Core SDK), run the following command with administrator privileges:

dotnet tool install --global wix

DigiCert agent software

Download the Windows agent installer and silent mode tools from DigiCert​​®​​ Trust Lifecycle Manager:

  1. Select Discovery & automation tools > Client tools from the Trust Lifecycle Manager main menu.

  2. Select Agent - Windows installer.

  3. Use the download button on the right to download the latest version of the DigiCert agent installer for Windows. It should have a name like tlm_agent_N.N.N_win64.zip, where "N.N.N" is the agent version number.

  4. Select the Companion application link to download the companion application package (Digicert-TLM-Agent-Deployment-Companion.zip).

  5. Select the Agent deployment codes link to download the silent mode installer package for Windows (DigiCertTLMAgentGPOInstaller.zip).

To build the companion application for silent mode installation of Windows agents:

  1. Unzip the companion application package you downloaded from Trust Lifecycle Manager (Digicert-TLM-Agent-Deployment-Companion.zip).

  2. Open a terminal with administrator privileges and navigate into the unzipped Digicert-TLM-Agent-Deployment-Companion folder.

  3. Run the following command to build the companion application, replacing the {DEVKEY} parameter with your service user token ID:

    (set GOARCH=amd64) && (set GOOS=windows) && go build -o digicert-agent-deployment-companion.exe -trimpath -ldflags="-s -w -X 'main.devkey={DEVKEY}'"

    For example:

    (set GOARCH=amd64) && (set GOOS=windows) && go build -o digicert-agent-deployment-companion.exe -trimpath -ldflags="-s -w -X 'main.devkey=IWMDAWMDAWWHCNMJEWMTE5MJM1OTU5WJBXMQSWCQYDVQQGEWJVUZEXMBUGA1UECHMOVMVYAVNPZ24SIEL'"

The compiled companion application gets saved as digicert-agent-deployment-companion.exe in the Digicert-TLM-Agent-Deployment-Companion folder.

To build the MSI bundle for installing Windows agents in silent mode:

  1. Unzip the silent mode installer package you downloaded from Trust Lifecycle Manager (DigiCertTLMAgentGPOInstaller.zip).

  2. The previous step creates a folder called DigiCertTLMAgentGPOInstaller on your build system. Copy the compiled companion application file (digicert-agent-deployment-companion.exe) into this folder.

  3. Now unzip the DigiCert agent installer you downloaded from Trust Lifecycle Manager. It should have a name like tlm_agent_N.N.N_win64.zip, where "N.N.N" is the agent version number.

  4. The previous step extracts the files called DigiCert TLM Agent.exe and config.toml into your working folder. Copy these files into the same DigiCertTLMAgentGPOInstaller folder where you copied the companion application.

  5. Open a terminal session, and change into the DigiCertTLMAgentGPOInstaller folder. Run the DigiCertTLMAgentGPOInstaller-msi-build.bat in this folder to build the MSI bundle for installing the DigiCert agent software in silent mode.

Upon successful execution, the MSI bundle DigiCertTLMAgentGPOInstaller.msi is available in the DigiCertTLMAgentGPOInstaller folder.

The silent mode installer package you downloaded from Trust Lifecycle Manager (DigiCertTLMAgentGPOInstaller.zip) provides a sample script called DigiCertAgentGPOInstaller.bat to drive the agent silent mode installation process. Find this script in the unzipped DigiCertTLMAgentGPOInstaller folder.

To prepare to install the MSI bundle, update the sample DigiCertAgentGPOInstaller.bat script to supply values for the configuration parameters at the top of this file, as described below.

Configuration parameter

Required

Description

shared_path

Yes

The shared network path where you will place the MSI bundle file (DigiCertTLMAgentGPOInstaller.msi). See Step 5: Create a software distribution point.

business_unit_id

No

The GUID of the business unit to assign agents to in Trust Lifecycle Manager. Only users assigned to this business unit can manage the agents. Leave empty to allow agents to be managed by any account user with an appropriate user role.

proxy

No

Proxy settings for the agents. Leave empty if your agents don't use a proxy to connect to Trust Lifecycle Manager.

Note: DigiCert agents only support http proxies. Valid proxy formats:

  • http://proxyIP:proxyPort

  • http://username:password@proxyIP:proxyPort

alias_name

No

User-friendly name for the agents. Omit this to name the agents with the license key by default.

Examples of setting these variables at the top of the DigiCertAgentGPOInstaller.bat script:

Important

The provided DigiCertAgentGPOInstaller.bat script assumes the Windows operating system is running from the C: drive on the systems where you will install the DigiCert agent. If not, update the script to replace all references to the C: drive with the applicable drive letter where Windows is running. You cannot install the agent onto a mix of systems that run Windows from different drive letters at the same time.

Create a shared software distribution point on a server on your network that is accessible by the target systems where you want to install the DigiCert agent software:

  1. Sign in to the publishing server as an administrator.

  2. Create a shared network folder on the server and set the permissions on it to allow access from the target systems for agent installation.

  3. Copy the DigiCert agent MSI bundle (DigiCertTLMAgentGPOInstaller.msi) and silent mode installer script (DigiCertAgentGPOInstaller.bat ) that you prepared into the shared network folder.

The shared files should now be accessible over the network using a universal naming convention (UNC) path (for example, \\my-server\WindowsAgent\DigiCertTLMAgentGPOInstaller.msi and \\my-server\WindowsAgent\DigiCertAgentGPOInstaller.bat).

What's next

After completing the Windows agent silent mode preparation, you are ready to install Windows agents in silent mode on your servers.