Before installing a DigiCert® agent, verify the system and network requirements. The agent must be installed on the server system that hosts the certificates to discover and manage through DigiCert® Trust Lifecycle Manager.
Important
To avoid conflicts, do not install a DigiCert sensor and agent on the same system. Use a dedicated host for the sensor.
The DigiCert agent software runs on Windows and Linux servers with the following requirements:
Server type | Supported OS versions | Minimum specifications |
|---|---|---|
Windows |
|
|
Linux |
|
|
The DigiCert agent on each host must be able to resolve the fully qualified domain names (FQDNs) for the local web server, either via DNS or a local "hosts" file.
To connect to Trust Lifecycle Manager, the agent requires outbound to the two DigiCert platform URLs in one of the following regions:
Region
Platform URLs1
TCP port
Protocol
Americas (U.S.A.)
one.digicert.com,clientauth.one.digicert.com443
HTTPS
APJ (Japan)
one.digicert.co.jp,clientauth.one.digicert.co.jp443
HTTPS
EMEA (Netherlands)
one.nl.digicert.com,clientauth.one.nl.digicert.com443
HTTPS
EMEA (Switzerland)
one.ch.digicert.com,clientauth.one.ch.digicert.com443
HTTPS
1. For users with an on-premises DigiCert ONE deployment, the agent needs to access port 443 (HTTPS) on the local DigiCert ONE instance and ClientAuth host (for example, my-org.one.digicert.com and my-org.clientauth.digicert.com).
In addition, the agent requires outbound access to the below host for Trust Lifecycle Manager discovery and automation services:
Region
URL
TCP port
Protocol
All regions
automation-service.digicert.com1443
HTTPS
1. This service is delivered through a content distribution network (CDN) and the IP addresses may vary by region. If your organization uses IP-based allowlists, look up the automation-service.digicert.com host in your local region to determine which IP addresses to allow.
Notice
If using a local DigiCert® sensor as proxy, the agent must also be able to connect outbound to the proxy listening port on the sensor. To learn more, see Use a sensor as a proxy server.
The agent binds to the following loopback port(s) on the local host. To adjust the loopback port numbers for an installed agent, edit the applicable configuration file/parameter in the agent conf sub-directory and restart the agent service.
Loopback port | Description | Agent conf file | Configuration parameter |
|---|---|---|---|
58080 | Local communications port for the plugin manager process used to manage certificate delivery events for Trust Lifecycle Manager. | config.toml |
|
61613 | Local communications port for Simple (or Streaming) Text Oriented Messaging Protocol (STOMP). Used for message queuing between the main agent process and the plugin manager process. | config.toml |
|
To install an agent on a single server, see: Install and activate a DigiCert agent.
To bulk install agents on multiple servers at once, see: Install DigiCert agents in silent mode.
If your organization has a private on-premises instance of DigiCert ONE, make sure you meet the additional requirements to use DigiCert agents for certificate lifecycle automation.