
Quick start: Deploy a DigiCert agent — Linux

Introduction

This guide covers the basic steps needed to install and activate the DigiCert® agent software on a Linux system.

The agent is DigiCert’s native client for discovering and managing certificates on servers. You need to install an agent on each server system to use the following features in DigiCert® Trust Lifecycle Manager:

  • System-based discovery scans: Scan both OS certificate stores and the local file system for end-entity certificates.

  • Certificate management: Manage certificates for common web servers and custom applications.

  • Certificate delivery: Deliver certificates using the Admin web request feature, including custom post-script support.

Agents use a pull communication model to synchronize with Trust Lifecycle Manager over outbound port 443 (HTTPS). They do not require inbound access. Each agent can keep itself updated as new software versions get released to reduce the need for ongoing maintenance.

Before you begin

Before installing the Linux version of the agent, verify the following:

System requirements

Your environment must have at least a minimal installation of a supported operating system.

Server type: Linux

Supported OS versions:

  • Red Hat Enterprise Linux 7.x

  • Red Hat Enterprise Linux 8.x

  • Red Hat Enterprise Linux 9.x

  • Red Hat Enterprise Linux 10.x

  • Ubuntu 20.04 or later

Minimum specifications:

  • 64-bit OS version and US locale required

  • 2 GB RAM (4 GB recommended)

  • 2 GB free disk space (minimum)

  • CLI utilities awk, grep, sed, lsof, and dos2unix installed

  • Root privileges

Network requirements

To connect to Trust Lifecycle Manager, the agent requires outbound access to HTTPS (TCP port 443) on the two DigiCert® ONE platform URLs in one of the following regions.

In addition to platform access, the agent requires outbound access to HTTPS (TCP port 443) on the following automation and discovery service URLs.
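The host checks listed under System requirements and Network requirements, rolled into one pre-flight script. This is an added example, not a DigiCert script: the platform and service hostnames are not listed on this page, so PLATFORM_HOSTS is a placeholder to be filled from the region table, and every function and variable name here is the example's own.

```shell
#!/bin/sh
# Pre-flight check for a DigiCert agent host (added example, not a DigiCert script).
# Checks: root, 64-bit OS, US locale, 2 GB RAM, 2 GB free disk under the install
# directory, the required CLI utilities, and outbound HTTPS (TCP 443) to the platform.

REQUIRED_UTILS="awk grep sed lsof dos2unix"
MIN_RAM_MB=2048
MIN_DISK_MB=2048
# The regional DigiCert ONE platform hostnames are not on this page; pass them in via
# the environment. The default is a placeholder that deliberately does not resolve.
PLATFORM_HOSTS=${PLATFORM_HOSTS:-"platform-host.example.invalid"}

# Print any required utility missing from PATH and return 1; return 0 when all exist.
check_utils() {
    missing=""
    for u in "$@"; do
        command -v "$u" >/dev/null 2>&1 || missing="$missing $u"
    done
    [ -z "$missing" ] && return 0
    echo "missing utilities:$missing"
    return 1
}

# Return 0 when the locale (argument, or LC_ALL/LANG) is a US English locale.
is_us_locale() {
    case "${1:-${LC_ALL:-${LANG:-}}}" in
        en_US*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 when the kernel reports a 64-bit machine type.
is_64bit() {
    case "$(uname -m)" in
        x86_64|aarch64|ppc64le|s390x) return 0 ;;
        *) return 1 ;;
    esac
}

# Total RAM in MB, read from /proc/meminfo (Linux only).
ram_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Free space in MB on the filesystem that holds the install directory.
free_disk_mb() {
    df -Pm "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 when an HTTPS connection to host:443 opens, TLS handshake included.
# curl honours https_proxy, so this also exercises a configured proxy.
https_reachable() {
    curl -s --connect-timeout 5 -o /dev/null "https://$1/" 2>/dev/null
}

# Run every check, print one FAIL line per unmet requirement, return 1 if any failed.
preflight_main() {   # $1 = intended install directory (default /opt)
    target=${1:-/opt}
    rc=0
    [ "$(id -u)" -eq 0 ]              || { echo "FAIL: not running as root"; rc=1; }
    is_64bit                          || { echo "FAIL: not a 64-bit OS"; rc=1; }
    is_us_locale                      || { echo "FAIL: locale is not en_US"; rc=1; }
    [ "$(ram_mb)" -ge "$MIN_RAM_MB" ] || { echo "FAIL: less than 2 GB RAM"; rc=1; }
    free=$(free_disk_mb "$target" 2>/dev/null)
    [ "${free:-0}" -ge "$MIN_DISK_MB" ] || { echo "FAIL: less than 2 GB free under $target"; rc=1; }
    check_utils $REQUIRED_UTILS       || rc=1
    for h in $PLATFORM_HOSTS; do
        https_reachable "$h" || { echo "FAIL: cannot reach https://$h:443"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "all pre-flight checks passed"
    return "$rc"
}

# Usage: sudo PLATFORM_HOSTS="host1 host2" sh preflight.sh check [/opt]
if [ "${1:-}" = "check" ]; then preflight_main "${2:-/opt}"; fi
```

Run it as root on the target host before unpacking the installer; a TLS failure from https_reachable on an otherwise reachable host usually means an intercepting proxy, which is worth resolving before the agent tries to synchronize.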

Loopback ports

The agent binds to the following loopback ports on the local host. To adjust the loopback port numbers for an installed agent, edit the applicable configuration file/parameter in the agent conf sub-directory and restart the agent service.

  • 58080: Local communications port for the plugin manager process used to manage certificate delivery events for Trust Lifecycle Manager. Agent conf file: config.toml; configuration parameter: ControlPort.

  • 61613: Local communications port for Simple (or Streaming) Text Oriented Messaging Protocol (STOMP), used for message queuing between the main agent process and the plugin manager process. Agent conf file: config.toml; configuration parameter: StompPort.

Note

Loopback ports do not require any access rules on the local firewall.
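A post-install audit of the two loopback ports, as an added example rather than DigiCert tooling. It reads ControlPort and StompPort from config.toml and checks the kernel listener table to confirm each port is bound on 127.0.0.1 rather than on all interfaces. The "Name = 58080" TOML line format, the conf directory path, and the sample ss output (with made-up process names) are all assumptions of this example.

```shell
#!/bin/sh
# Audit the agent's loopback ports (added example, not DigiCert tooling).
# Reads ControlPort/StompPort from config.toml and classifies each port from
# `ss -Hltn` output. Assumes "Key = value" TOML lines; adjust the conf path.

# Print the integer value of a top-level TOML key, or nothing if it is not set.
toml_port() {   # $1 = config file, $2 = key name (for example ControlPort)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Classify a TCP port from `ss -Hltn` lines on stdin:
#   loopback - listening only on 127.0.0.1 / [::1]
#   exposed  - at least one listener on a non-loopback address (0.0.0.0, [::], a NIC address)
#   absent   - no listener on that port
listener_scope() {   # $1 = port number
    awk -v port="$1" '
        {
            n = split($4, parts, ":")    # column 4 is Local Address:Port, e.g. 127.0.0.1:58080 or [::]:58080
            p = parts[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") seen_lo = 1; else seen_wide = 1
        }
        END {
            if (seen_wide) print "exposed"; else if (seen_lo) print "loopback"; else print "absent"
        }'
}

# Report both documented ports for an installed agent.
audit_agent_ports() {   # $1 = agent conf directory holding config.toml
    conf="$1/config.toml"
    for key in ControlPort StompPort; do
        port=$(toml_port "$conf" "$key")
        if [ -z "$port" ]; then
            echo "$key: not set in $conf"
            continue
        fi
        echo "$key=$port: $(ss -Hltn | listener_scope "$port")"
    done
}

# Constructed `ss -Hltn` output for demonstration; process names are made up.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:58080 0.0.0.0:* users:(("plugin-manager",pid=1234,fd=7))
LISTEN 0 128 0.0.0.0:61613 0.0.0.0:* users:(("agent-main",pid=1200,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=3))'

# Usage on a live host: audit_agent_ports /opt/<agent-dir>/conf
# On the sample above, port 58080 classifies as loopback and 61613 as exposed.
```

An "exposed" result means the port is reachable from the network even though the guide expects it only on the local host; since the ports are configurable via ControlPort and StompPort, also re-run the audit after changing either value and restarting the agent service. If you prefer lsof (which the requirements already mandate), `lsof -nP -iTCP:58080 -sTCP:LISTEN` shows the same bind address in its NAME column.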

Deployment workflow

To deploy the DigiCert agent software on a Linux system, complete these tasks:

To download the Linux agent software and generate an activation code in Trust Lifecycle Manager:

  1. From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Client tools.

  2. Select Agent - Linux installer.

  3. Use the download button on the right to download the latest version of the DigiCert agent installer for Linux.

  4. To get an activation code, select the Generate activation code button under Requirements. In the popup dialog that opens:

    1. (Optional) Select a Business unit to assign the agent to. If you make a selection here, only users assigned as administrators for that business unit can manage the agent.

    2. (Optional) Under Share the code, select a user to send the activation code to via email. For example, select an admin who will install the agent software.

    3. Select the Generate the code button. Copy the code so you can use it to install the agent or provide it to the person who will perform the installation.

    Note

    The activation code is valid for 30 minutes and is for one-time use only. If it expires, repeat the process to generate a new one.

Important

To avoid issues, DigiCert recommends installing the agent software in the /opt directory on Linux. Do not install the agent in the /tmp directory or in a user's home directory.

To install and activate the agent software on a Linux server:

  1. Copy the installer archive you downloaded to the /opt directory or the directory where you want to install the DigiCert agent.

  2. Unpack the installer archive (for example, tar -xzvf <agent-file>.tar.gz).

  3. Change into the agent installation directory, and run start-tlm-agent.sh as root (for example, sudo ./start-tlm-agent.sh).

  4. When prompted, enter the Activation code you generated.

  5. When prompted, select how the agent will connect to Trust Lifecycle Manager:

    • Direct, no proxy: If the agent will connect directly.

    • My own proxy server: If connecting through a third-party proxy server. You are prompted to enter the proxy server details.

    • DigiCert sensor as proxy: If using a DigiCert sensor as a proxy server. You are prompted to enter the sensor details.

  6. (Optional) Assign a custom name to the agent to help identify it in Trust Lifecycle Manager.
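The install steps above as a script, added here as an example and not DigiCert's installer. It enforces the /opt recommendation (refusing /tmp and home directories), confirms the archive actually carries start-tlm-agent.sh before unpacking, then runs the installer as root; the installer's own prompts for the activation code, proxy choice and agent name follow unchanged. Function names and the `install` subcommand are this example's own.

```shell
#!/bin/sh
# Scripted install steps (added example, not DigiCert's installer). start-tlm-agent.sh
# is still run interactively and prompts exactly as described in the guide.

# Reject install locations the guide warns against: /tmp and any user's home directory.
install_dir_ok() {   # $1 = target directory
    case "$1" in
        /tmp|/tmp/*|/home|/home/*|/root|/root/*) return 1 ;;
    esac
    case "$1" in
        "${HOME:-/nonexistent}"|"${HOME:-/nonexistent}"/*) return 1 ;;
    esac
    return 0
}

# Print the path of start-tlm-agent.sh inside the archive (empty if it is not there).
installer_path_in_archive() {   # $1 = agent .tar.gz
    tar -tzf "$1" 2>/dev/null | grep -E '(^|/)start-tlm-agent\.sh$' | head -n 1
}

archive_has_installer() { [ -n "$(installer_path_in_archive "$1")" ]; }

# Stage the archive, unpack it and run the installer as root (steps 1-3 of the guide).
install_agent() {   # $1 = downloaded archive, $2 = install directory (default /opt)
    archive=$1
    target=${2:-/opt}
    [ "$(id -u)" -eq 0 ] || { echo "run as root: the installer needs root privileges" >&2; return 1; }
    install_dir_ok "$target" || { echo "refusing to install under $target; DigiCert recommends /opt" >&2; return 1; }
    rel=$(installer_path_in_archive "$archive")
    [ -n "$rel" ] || { echo "$archive does not contain start-tlm-agent.sh" >&2; return 1; }
    mkdir -p "$target"
    cp "$archive" "$target/"                                 # step 1: copy the archive to /opt
    (cd "$target" && tar -xzvf "$(basename "$archive")")     # step 2: unpack it in place
    cd "$target/$(dirname "$rel")" || return 1               # step 3: enter the agent directory ...
    chmod +x start-tlm-agent.sh
    ./start-tlm-agent.sh                                     # ... and run the installer (prompts follow)
}

# Usage: sudo sh install-agent.sh install /path/to/<agent-file>.tar.gz [/opt]
if [ "${1:-}" = "install" ]; then install_agent "$2" "${3:-/opt}"; fi
```

Because the agent directory name inside the archive is taken from the archive listing rather than guessed, the script works regardless of the installer version's top-level folder name.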

Return to the Trust Lifecycle Manager web console to verify that the installed agent is ready for use:

  1. From the Trust Lifecycle Manager menu, select Discovery & automation tools > Agents.

  2. You should see the agent you installed listed in the table.

    The Status column lists the current status of the agent. An agent that's installed and ready to use should show Active.

Note

If your agent does not appear in the table or does not show the Active status, refer to Troubleshoot agents for troubleshooting help.

What's next

With an active DigiCert agent installed on a server in your network, you can use Trust Lifecycle Manager to:

  • Set up system scans to scan both OS certificate stores and the local file system for certificate files. Certificates found during these scans are added to the certificate inventory for continuous monitoring and tracking.

  • Enable certificate lifecycle automation on the host systems.

  • Enroll certificates from different issuing CAs with automated delivery to external systems.

  • Customize certificate processing on your servers using agent scripts.
