DigiCert® sensors include a built-in proxy server for DigiCert® agents and other clients to connect to and request certificates from DigiCert® Trust Lifecycle Manager.
The proxy server feature is enabled by default on sensors. It provides a transparent HTTP proxy with support for well-known certificate enrollment protocols including ACME, EST, and SCEP.
Warning
On networks with multiple DigiCert sensors installed and used as proxies, DigiCert agents are designed to automatically fail over and try another sensor as proxy if there’s an issue connecting to the primary sensor.
The sensor proxy service provides transparent HTTP-based proxy access to Trust Lifecycle Manager.
The sensor relays HTTPS traffic from local proxy clients to Trust Lifecycle Manager as an opaque TLS tunnel: it cannot decrypt that traffic itself, and it does not support HTTP/2 or TLS-ALPN, so proxy clients should be configured to use HTTP/1.1 without ALPN (as the curl example later on this page does).
The sensor proxy server is enabled by default, with the following settings:
Listens on TCP port 48999.
Allows outbound proxy access to the digicert.com domain.
The following files in the sensor installation config sub-directory on the sensor host configure the active proxy server settings.
File | Description
---|---
webserver.properties | Configures the IP address and TCP port the sensor listens on for proxy clients (the port is set by the heartbeatport parameter).
useproxy.properties | Configures the allowed domains and hostnames for outbound proxy access.
To update the TCP port number where the sensor listens for proxy clients, use one of the following methods:
In the Trust Lifecycle Manager web console, go to the Discovery & automation tools > Sensors page to edit the sensor and configure a new proxy listening port.
Update the heartbeatport parameter in the webserver.properties configuration file on the sensor host, then restart the sensor service.
To update the active IP address(es) or allowed domains/hostnames for proxy client access, edit the configuration files on the sensor host and then restart the sensor service.
To connect to the sensor proxy server:
Proxy clients need basic IP network connectivity to the sensor host.
The firewall on the sensor host must allow inbound connections to the sensor proxy IP address(es) and TCP port.
Tip
The sensor proxy server is enabled by default. After installing a sensor, open default TCP port 48999 on the sensor host's firewall to start allowing proxy client access with the default settings.
During installation of a DigiCert agent, when prompted to configure proxy client settings, select the DigiCert sensor as proxy option. Enter the sensor IP address and proxy listening port on the following screen.
For silent mode installation of multiple agents in bulk, configure the IP address and port of the sensor to use as proxy in the installation script (Windows agents) or installation command (Linux agents).
Once an agent is connected, Trust Lifecycle Manager keeps it updated with the list of all available sensors in your account. If there are multiple sensors, and the primary one fails, the agent will try using another sensor as a proxy to maintain fault-tolerant connectivity to Trust Lifecycle Manager.
Other clients can connect to the sensor proxy server using the format http://{sensor-host}:{port} for either the HTTP or HTTPS proxy host. The proxy URL uses plain http:// even for HTTPS targets; the client opens a tunnel through the sensor and performs its own TLS handshake with Trust Lifecycle Manager inside it.
For example, if the sensor has IP address 10.1.2.3 and listens on proxy server port 48999, then proxy clients should use http://10.1.2.3:48999 to connect.
For clients that do not accept a proxy host argument on the command line, use environment variables or client settings to configure the sensor proxy server. For example, the following environment variables specify the proxy host on Linux systems:
HTTP_PROXY=http://10.1.2.3:48999
HTTPS_PROXY=http://10.1.2.3:48999
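The following added example (not DigiCert code, and not taken from the sensor or agent) shows what the proxy exchange described above looks like on the wire and how an agent-style client fails over between sensors. It assumes the sensor proxy behaves like a standard HTTP/1.1 forward proxy, which is what an HTTPS client does with HTTPS_PROXY=http://{sensor-host}:{port}: the client sends a CONNECT request, and the proxy either opens a raw TCP tunnel (on which the client then starts TLS, so the proxy never sees plaintext) or refuses the target host. The StandInProxy class is a constructed local stand-in that only enforces the digicert.com allow-list from the default settings and does not open an upstream connection; check_sensor_proxy and first_reachable_sensor work unchanged against a real sensor at 10.1.2.3:48999.

```python
import os
import socket
import threading
from urllib.parse import urlparse

# Default allow-list stated on the page: outbound proxy access to digicert.com.
DEFAULT_ALLOWED_DOMAINS = ("digicert.com",)


def host_allowed(host, allowed=DEFAULT_ALLOWED_DOMAINS):
    """True if host is an allowed domain or a subdomain of one.
    The suffix match is anchored on a dot so 'notdigicert.com' is rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def proxy_from_env(env=None):
    """Read the sensor proxy (host, port) from HTTPS_PROXY/HTTP_PROXY."""
    env = os.environ if env is None else env
    url = (env.get("HTTPS_PROXY") or env.get("https_proxy")
           or env.get("HTTP_PROXY") or env.get("http_proxy"))
    if not url:
        raise ValueError("no HTTP_PROXY/HTTPS_PROXY variable set")
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname or not parsed.port:
        raise ValueError("proxy URL must look like http://{sensor-host}:{port}")
    return parsed.hostname, parsed.port


def build_connect_request(target_host, target_port=443):
    """HTTP/1.1 CONNECT request asking the proxy for a raw TCP tunnel."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode()


def parse_connect_target(request):
    """Return (host, port) from the request line of a CONNECT request."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, _, port = parts[1].rpartition(":")
    return host, int(port)


def _read_headers(sock):
    """Read until the end of the HTTP header block (or EOF)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def connect_via_proxy(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send CONNECT through the proxy. Returns (status, socket); on 200 the socket
    is the tunnel and the caller would wrap it in TLS, otherwise it is closed."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(target_host, target_port))
    status_line = _read_headers(sock).split(b"\r\n", 1)[0].decode("ascii", "replace")
    try:
        status = int(status_line.split(" ")[1])
    except (IndexError, ValueError):
        sock.close()
        raise ConnectionError(f"malformed proxy reply: {status_line!r}")
    if status != 200:
        sock.close()
        return status, None
    return status, sock


def check_sensor_proxy(proxy_host, proxy_port, target_host="one.digicert.com"):
    """Preflight check: the CONNECT status the proxy returns for target_host."""
    status, sock = connect_via_proxy(proxy_host, proxy_port, target_host)
    if sock is not None:
        sock.close()
    return status


def first_reachable_sensor(sensors, target_host="one.digicert.com"):
    """Agent-style failover: try each (host, port) in order and return the first
    sensor that accepts a CONNECT to target_host, or None if none does."""
    for host, port in sensors:
        try:
            if check_sensor_proxy(host, port, target_host) == 200:
                return (host, port)
        except OSError:  # refused, timed out, or malformed reply: try the next one
            continue
    return None


class StandInProxy:
    """Constructed local stand-in for the sensor proxy (not DigiCert code). It
    enforces the domain allow-list on CONNECT targets and answers 200 or 403;
    unlike the real sensor it does not open the upstream connection."""

    def __init__(self, allowed=DEFAULT_ALLOWED_DOMAINS):
        self.allowed = allowed
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(5)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self._listener.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            try:
                host, _port = parse_connect_target(_read_headers(conn))
            except ValueError:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                return
            if host_allowed(host, self.allowed):
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
```

Against a real sensor, replace the stand-in with the address from proxy_from_env() and run check_sensor_proxy(): a 200 for one.digicert.com confirms that the host firewall, the listening port and the allow-list are all in order before you point certbot, curl or the SCEP client at it.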
The following examples show how to request certificates through different enrollment protocols and clients, using an intermediate DigiCert sensor as a proxy server to connect to Trust Lifecycle Manager.
In these examples, the sensor has IP address 10.1.2.3 and listens on the default proxy server port 48999.
To use a sensor as proxy with the Certbot ACME client, specify the proxy host settings as environment variables before requesting a certificate from Trust Lifecycle Manager. For example:
export HTTP_PROXY=http://10.1.2.3:48999
export HTTPS_PROXY=http://10.1.2.3:48999
certbot --nginx --register-unsafely-without-email \
  --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k \
  --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH \
  --server https://one.digicert.com/mpki/api/v1/acme/v2/directory \
  --config-dir /usr/local/certbot/my_public_webserver_config/ \
  -d example.com -d www.example.com --manual --preferred-challenges dns
This example shows how you might send an EST-based enrollment request via curl on a Windows system, using an intermediate DigiCert sensor as a proxy to relay the request to Trust Lifecycle Manager. The curl client accepts a --proxy command-line argument to specify the proxy server details. The --http1.1, --no-alpn and --no-npn options keep the request on HTTP/1.1 without ALPN, which the sensor proxy requires. Note that --insecure disables verification of the Trust Lifecycle Manager server certificate; drop it once the issuing CA chain is trusted on the client.
curl.exe --insecure --proxy "http://10.1.2.3:48999" "https://one.digicert.com/mpki/api/v1/.well-known/est/4f3c11e5-ca1c-4a06-be3c-8ce8d5a1a5e3/simpleenroll" --http1.1 --no-alpn --no-npn -X "POST" --header "Authorization: Basic zVEVTVDEyMzQ1z" --header "Content-Type: text/plain" --data-binary "@./request.csr" -o "sensortest03.der.p7b" -v
This example shows how you could use the DigiCert SCEP client on a Windows system to request a certificate from Trust Lifecycle Manager using a sensor as proxy. The DigiCert SCEP client is a Java program, so the proxy host and port are passed as Java system properties (-Dhttp.proxyHost, -Dhttp.proxyPort, -Dhttps.proxyHost, -Dhttps.proxyPort) on the command line.
java.exe -Dhttp.proxyHost=10.1.2.3 -Dhttp.proxyPort=48999 -Dhttps.proxyHost=10.1.2.3 -Dhttps.proxyPort=48999 -jar C:\DigiCertSCEPClient-1.1\DigiCertSCEPClient.jar -url http://one.digicert.com/mpki/api/v1/scep/6816fe25-9c99-499e-9955-f9d8e0888f14/cgi-bin/pkiclient.exe -operation enroll -csr .\example.csr -debug true
Warning
The Java-based DigiCert SCEP client is for testing purposes only and not intended for use in production environments. For other SCEP clients, refer to the documentation to learn how to specify the proxy host and other options.