Quick start: Deploy a DigiCert agent — Windows
Introduction
This guide covers the basic steps needed to install and activate the DigiCert® agent software on a Windows system.
The agent is DigiCert’s native client for discovering and managing certificates on servers. You need to install an agent on each server system to use the following features in DigiCert® Trust Lifecycle Manager:
System-based discovery scans: Scan both OS certificate stores and the local file system for end-entity certificates.
Certificate management: Manage certificates for common web servers and custom applications.
Certificate delivery: Deliver certificates using the Admin web request feature, including custom post-script support.
Agents use a pull communication model to synchronize with Trust Lifecycle Manager over outbound port 443 (HTTPS). They do not require inbound access. Each agent can keep itself updated as new software versions get released to reduce the need for ongoing maintenance.
Before you begin
Before installing the Windows version of the agent, verify the following:
System requirements
Your environment must have at least a minimal installation of a supported operating system.
| Server type | Supported OS version | Minimum specifications |
|---|---|---|
| Windows | | |
Network requirements
To connect to Trust Lifecycle Manager, the agent requires outbound access to HTTPS (TCP port 443) on the two DigiCert® ONE platform URLs in one of the following regions.
In addition to platform access, the agent requires outbound access to HTTPS (TCP port 443) on the following automation and discovery service URLs.
Loopback ports
The agent binds to the following loopback ports on the local host. To adjust the loopback port numbers for an installed agent, edit the applicable configuration file/parameter in the agent conf sub-directory and restart the agent service.
| Loopback port | Description | Agent conf file | Configuration parameter |
|---|---|---|---|
| 58080 | Local communications port for the plugin manager process used to manage certificate delivery events for Trust Lifecycle Manager. | config.toml | |
| 61613 | Local communications port for Simple (or Streaming) Text Oriented Messaging Protocol (STOMP). Used for message queuing between the main agent process and the plugin manager process. | config.toml | |
Note
Loopback ports do not require any access rules on the local firewall.
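As an added example (not DigiCert's own tooling), the following PowerShell preflight script checks the two host-side requirements above before the installer is run: outbound HTTPS reachability to the platform and service endpoints, and that the default loopback ports are not already claimed by another process. The hostnames in $RequiredHosts are placeholders; substitute the region-specific DigiCert ONE platform URLs and the automation/discovery service URLs from your Network requirements list.

```powershell
# Added example (not DigiCert code): pre-install checks for the Windows agent host.
# Hostnames are placeholders; substitute the region-specific DigiCert ONE platform URLs
# and the automation/discovery service URLs from the Network requirements section.
$RequiredHosts = @('PLATFORM-URL-1.placeholder', 'PLATFORM-URL-2.placeholder',
                   'AUTOMATION-SERVICE.placeholder', 'DISCOVERY-SERVICE.placeholder')
$LoopbackPorts = @(58080, 61613)   # defaults from the Loopback ports table

function Test-OutboundHttps {
    # The agent only needs outbound TCP 443 (no inbound rules), so a TCP connect test is enough.
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host          = $h
            Port          = 443
            Reachable     = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

function Test-LoopbackPortFree {
    # A port already in LISTEN state will collide with the agent's default binding;
    # either stop the other process or change the port in the agent conf file after install.
    param([int[]]$Ports)
    foreach ($p in $Ports) {
        $inUse = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        $owner = if ($inUse) {
            (Get-Process -Id $inUse.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } else { $null }
        [pscustomobject]@{ Port = $p; Free = (-not $inUse); OwningProcess = $owner }
    }
}

$net   = Test-OutboundHttps -Hosts $RequiredHosts
$ports = Test-LoopbackPortFree -Ports $LoopbackPorts
$net   | Format-Table -AutoSize
$ports | Format-Table -AutoSize

if (($net | Where-Object { -not $_.Reachable }) -or ($ports | Where-Object { -not $_.Free })) {
    Write-Warning 'Preflight failed: fix the unreachable hosts or occupied ports before running the installer.'
}
```

Run it in an elevated PowerShell session on the server you intend to install on. If the agent will use the "My own proxy server" or "DigiCert sensor as proxy" option, a direct TCP connect from the agent host is expected to fail; in that case run the reachability check from the proxy or sensor host instead, and confirm the agent host can reach the proxy.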
Deployment workflow
To deploy the DigiCert agent software on a Windows system, complete these tasks:
To download the Windows agent software and generate an activation key in Trust Lifecycle Manager:
From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Client tools.
Select Agent - Windows installer.
Use the download button on the right to download the latest version of the DigiCert agent installer for Windows.
To get an activation code, select the Generate activation code button under Requirements. In the popup dialog that opens:
(Optional) Select a Business unit to assign the agent to. If you make a selection here, only users assigned as administrators for that business unit can manage the agent.
(Optional) Under Share the code, select a user to send the activation code to via email. For example, select an admin who will install the agent software.
Select the Generate the code button. Copy the code so you can use it to install the agent or provide it to the person who will perform the installation.
Note
The activation code is valid for 30 minutes and is for one-time use only. If it expires, repeat the process to generate a new one.
To install and activate the agent software on a Windows server:
Unzip the installer you downloaded and run the DigiCert TLM Agent executable as an administrator.
Select the button to Install the agent. Follow the prompts to install the agent.
When prompted, select the option to confirm that you have the activation code.
When prompted, select how the agent will connect to Trust Lifecycle Manager:
Direct, no proxy: If the agent will connect directly.
My own proxy server: If connecting through a third-party proxy server. You are prompted to enter the proxy server details.
DigiCert sensor as proxy: If using a DigiCert sensor as a proxy server. You are prompted to enter the sensor details.
On the activation screen, enter the Activation code you generated. Optionally, assign a custom name to the agent to help identify it in Trust Lifecycle Manager.
On the final screen, select whether to start the agent service now. The agent service needs to be running in order to discover and automate certificates on the host.
Return to the Trust Lifecycle Manager web console to verify that the installed agent is ready for use:
From the Trust Lifecycle Manager menu, select Discovery & automation tools > Agents.
You should see the agent you installed listed in the table.
The Status column lists the current status of the agent. An agent that's installed and ready to use should show Active.
Note
If your agent does not appear in the table or does not show the Active status, refer to Troubleshoot agents for troubleshooting help.
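When the agent is missing from the table or is not Active, a local check on the host narrows the cause before you work through the troubleshooting guide. The following PowerShell script is an added example, not part of DigiCert's documentation or agent software: it reports whether the agent service is running, whether the plugin manager and STOMP loopback ports are listening (and on which local address), and which processes currently hold an established outbound 443 connection, since the agent synchronizes by pulling over outbound HTTPS. The value of $AgentServiceName is a placeholder assumption; replace it with the service name shown in services.msc after installation.

```powershell
# Added example (not DigiCert code): post-install health check for the Windows agent.
# $AgentServiceName is a placeholder; use the actual service name shown in services.msc.
$AgentServiceName = 'PLACEHOLDER-AGENT-SERVICE'
$LoopbackPorts    = @(58080, 61613)   # plugin manager and STOMP ports from the Loopback ports table

function Get-AgentServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Found = $false; Status = $null }
    }
    [pscustomobject]@{ Service = $Name; Found = $true; Status = $svc.Status.ToString() }
}

function Get-LoopbackListeners {
    # The agent should bind these ports on the loopback address only; a LocalAddress of
    # 0.0.0.0 or :: would mean the port is exposed beyond the host and is worth investigating.
    param([int[]]$Ports)
    foreach ($p in $Ports) {
        $l = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
             Select-Object -First 1
        $procName = if ($l) {
            (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } else { $null }
        [pscustomobject]@{
            Port         = $p
            Listening    = [bool]$l
            LocalAddress = if ($l) { $l.LocalAddress } else { $null }
            Process      = $procName
        }
    }
}

function Get-OutboundHttpsConnections {
    # Established outbound 443 connections with their owning process, so the agent's
    # pull to Trust Lifecycle Manager can be confirmed (or its absence noticed).
    Get-NetTCPConnection -RemotePort 443 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Process       = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                RemoteAddress = $_.RemoteAddress
            }
        }
}

Get-AgentServiceState -Name $AgentServiceName | Format-Table -AutoSize
Get-LoopbackListeners -Ports $LoopbackPorts    | Format-Table -AutoSize
Get-OutboundHttpsConnections                   | Sort-Object Process | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the agent host. A service that is found but Stopped matches the case where the "start the agent service now" option was declined during installation; if the agent connects through a proxy or a DigiCert sensor, its outbound connection will go to the proxy's port rather than 443, so adjust the -RemotePort filter accordingly.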
What's next
With an active DigiCert agent installed on a server in your network, you can use Trust Lifecycle Manager to:
Set up system scans to scan both OS certificate stores and the local file system for certificate files. Certificates found during these scans are added to the certificate inventory for continuous monitoring and tracking.
Enable certificate lifecycle automation on the host systems.
Enroll certificates from different issuing CAs with automated delivery to external systems.
Customize certificate processing on your servers using agent scripts.