
DigiCert agents and sensors

DigiCert® Trust Lifecycle Manager uses two helper applications, called agents and sensors, to automate certificate lifecycle tasks and maintain complete visibility of your certificate ecosystem.

Notice

Key points:

  • Agents aren’t sensors, and sensors aren’t agents; each performs a separate function in the Trust Lifecycle Manager ecosystem.

  • Agents are installed on local servers and operate at the system level. They perform discovery and automation tasks directly on the managed system. For more details, see Agent functions.

  • Sensors are installed on dedicated network hosts and operate at the network level. They act as DigiCert's secure gateway in the target network, enabling remote discovery and automation operations, network-based integrations, and proxy services. For more details, see Sensor functions.

[Illustration: Agents vs. sensors]

This illustration shows how agents and sensors connect to Trust Lifecycle Manager to manage certificate operations across local server systems and network environments.

Overview

Agents

A DigiCert® Agent is an application that you install on a server or device, and it is designed to operate locally on that system. Agents communicate with Trust Lifecycle Manager to securely generate keys and manage certificate operations on that specific server.

An agent must be installed on each server to use the following features:

  • Local certificate discovery through system-based discovery scans.

  • System-level automation to deliver, install, and manage certificates for server applications, including custom post-script support.

Sensors

A DigiCert® Sensor is an application that you install on a dedicated host in your network, and it operates at the network level. Sensors communicate with Trust Lifecycle Manager to securely scan your infrastructure. They keep your certificates up to date by automating the certificate lifecycle across network appliances and cloud services.

A sensor must be installed on a dedicated network host to enable the following capabilities:

  • Network-based certificate discovery through network scans and connectors.

  • Network-level automation to deliver, install, and manage certificates for network appliances and cloud services.

  • Integration of on-premises or non-DigiCert CAs using network-based connectors.

  • Proxy services for agents and other clients to request certificates from Trust Lifecycle Manager, including failover support for agents.

Note

While a sensor isn’t a type of connector, connectors rely on sensors to facilitate communication and integrate with various external services and systems.

Quick glance: Agents vs. sensors

Use this table to understand how agents and sensors compare in scope and functionality.

Scope

  • Agents: System

  • Sensors: Network/gateway

Installation

  • Agents: Installed on systems running web server applications on Windows or Linux.

  • Sensors: Installed on dedicated hosts running Windows, Docker, or Linux within your network.

Discovery

  • Agents: Scans applications on the local system for certificates.

  • Sensors: Scans appliances, cloud providers, and CAs using connectors.

Automation

  • Agents: Install, manage, and deliver certificates to web servers and run custom pre- and post-installation scripts.

  • Sensors: Install, manage, and deliver certificates to network appliances and cloud services.

Proxy capabilities

  • Agents: Can act as a proxy client, using a sensor to connect to Trust Lifecycle Manager.

  • Sensors: Can proxy certificate requests for agents and clients using the ACME, EST, and SCEP protocols.

Network-based integrations

  • Sensors: Enables integration with network appliances, cloud services, and CA systems.

Agent functions

System scanning

An agent can scan both OS certificate stores and the local file system for certificate files. Any certificates found during these scans are reported to Trust Lifecycle Manager and added to the certificate inventory for continuous monitoring and tracking. The discovered certificates can be placed under automated management to avoid downtime and ensure you always have valid certificates installed on your web servers.

For more details, see System scans.
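As an added illustration of what a file-system certificate scan produces (example code written for this page, not DigiCert's agent code): a stdlib-only Python inventory that finds PEM certificates in file contents, reads notAfter directly from the DER structure, and lists the ones due for renewal. The paths, the certificate skeletons and the corrupt file are constructed sample data.

```python
import base64, re
from datetime import datetime, timedelta, timezone

def _tlv(data, pos):  # one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):  # walk Certificate -> tbsCertificate -> Validity, return notAfter (UTC)
    p = _tlv(der, _tlv(der, 0)[1])[1]      # into Certificate SEQUENCE, then into tbsCertificate
    tag, s, e = _tlv(der, p)               # optional [0] version, otherwise serialNumber
    if tag == 0xA0:
        tag, s, e = _tlv(der, e)           # serialNumber
    for _ in range(2):                     # skip signature AlgorithmIdentifier and issuer Name
        _, s, e = _tlv(der, e)
    _, s, e = _tlv(der, _tlv(der, e)[1])   # into Validity SEQUENCE; this element is notBefore
    tag, s, e = _tlv(der, e)               # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inventory(files):  # files: {path: bytes} -> [(path, notAfter)]; malformed certificates are skipped
    found = []
    for path, blob in files.items():
        for b64 in re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", blob, re.S):
            try:
                found.append((path, cert_not_after(base64.b64decode(b"".join(b64.split())))))
            except (IndexError, ValueError, UnicodeDecodeError):
                pass                       # truncated or malformed certificate: nothing to inventory
    return found

def expiring_within(found, now, days=30):
    # Renewal candidates: certificates whose notAfter falls within `days` of now
    return sorted(path for path, not_after in found if not_after <= now + timedelta(days=days))

def _enc(tag, content):                    # DER TLV with short-form length (sample data is < 128 bytes)
    return bytes([tag, len(content)]) + content

def sample_pem(not_after):
    # Constructed, unsigned certificate skeleton used only as sample input; not a real certificate
    validity = _enc(0x17, b"240101000000Z") + _enc(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") * 2 + _enc(0x30, validity)
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_enc(0x30, _enc(0x30, tbs))) + b"-----END CERTIFICATE-----\n"

def demo(days=30):
    # Constructed sample: one certificate expiring in a week, one in about a year, one corrupt file
    now = datetime.now(timezone.utc)
    files = {"/etc/ssl/web.pem": sample_pem(now + timedelta(days=7)),
             "/etc/ssl/api.pem": sample_pem(now + timedelta(days=400)),
             "/etc/ssl/junk.pem": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"}
    return expiring_within(inventory(files), now, days)
```

Real scans would feed `inventory` with the contents of OS certificate stores and the file system; the corrupt file shows why a scanner must tolerate unparseable entries rather than abort the whole scan.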

Manage certificates on web servers

Managing certificates on web servers is a core function of an agent. An agent scans the host to identify supported web server applications and their certificates. It then relays this information back to Trust Lifecycle Manager based on the configured settings. After that, automation tasks to request, install, and track new certificates are initiated from a profile configured for agent-based enrollment using the ACME protocol. The agent continuously monitors these certificates and can renew them automatically.

For more details, see Managed automation solution.

Certificate delivery

An agent can generate a key pair and securely deliver a certificate to a server using the Admin web request feature in Trust Lifecycle Manager. By default, the key and certificates are stored in a .secrets folder within the directory where the agent is installed. You can also configure post-delivery scripts, which allow the agent to install or deploy certificates as needed after delivery.

For more details, see Request a new certificate with automated delivery.

Sensor functions

Network scanning

A sensor can run network-based scans across defined network segments to securely identify and inventory all TLS/SSL certificates throughout your network infrastructure. This capability enables Trust Lifecycle Manager to detect unmanaged certificates and maintain an accurate inventory of all deployed certificates.

For more details, see Network scans.

Manage certificates on network appliances and cloud services

Sensors manage certificates on network appliances such as load balancers, and cloud services such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). Sensors connect to these systems over the network using secure methods including SSH and API/HTTPS. This enables Trust Lifecycle Manager to discover, manage, deliver, and install certificates on network-based platforms that can’t run agents.

For more details, see Managed automation solution.

Network proxy

A sensor can act as a network proxy for DigiCert® agents and other clients using the ACME, EST, and SCEP protocols. This allows them to communicate with Trust Lifecycle Manager through a single outbound connection instead of each system connecting individually. Sensors also include a built-in proxy server that enables failover support for agents. When multiple sensors are deployed as proxies, agents automatically switch to an alternate sensor when the primary connection fails.

For more details, see Use a sensor as a proxy server.

Cloud connector

Sensors facilitate connections to cloud-based services, CAs, key vaults, and other external integrations with Trust Lifecycle Manager. Many cloud-based services restrict or limit inbound connections, which prevents Trust Lifecycle Manager from connecting directly. To address this, you can configure a sensor as a connector (bridge) between Trust Lifecycle Manager and the service. This ensures that these service integrations work as expected and remain compliant with all requirements.

For more details, see Connectors.
