### Add Sectigo Repository and Install Agent on Linux (Debian/Ubuntu) Source: https://docs.sectigo.com/scm/scm-administrator/installing-network-agents Instructions for installing the Sectigo Network Agent on Debian-based Linux systems. This involves adding the Sectigo GPG key, adding the repository to apt sources, updating the package index, and installing the agent package. Configuration and starting the agent service are also covered. ```bash curl -fsSL https://dist.sectigo.com/scm/linux/apt-sign.gpg | sudo gpg --dearmor -o /usr/share/keyrings/sectigo-archive-keyring.gpg gpg --show-keys /usr/share/keyrings/sectigo-archive-keyring.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/sectigo-archive-keyring.gpg] https://dist.sectigo.com/apt-$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sectigo.list > /dev/null sudo apt-get update sudo apt-get install sectigo-network-agent sudo /opt/sectigo-network-agent/sectigona-config interactive ``` -------------------------------- ### Install Sectigo Network Agent on Windows Source: https://docs.sectigo.com/scm/scm-administrator/installing-network-agents Steps to install the Sectigo Network Agent on a Windows system using the provided binary installer. This involves granting execute permissions, running the installer, accepting the EULA, and providing the agent installation token. Optional proxy details can also be configured. ```bash chmod +x sectigo-network-agent.bin sudo ./sectigo-network-agent.bin ``` -------------------------------- ### Install DNS Connector via Windows CLI Source: https://docs.sectigo.com/scm/scm-administrator/installing-dns-connectors This command installs the Sectigo DNS connector silently using MSIEXEC. It requires a valid installation token and optional proxy configuration. Unused options should be removed from the command. ```batch msiexec.exe /i /q SectigoDCS.msi TOKEN= PROXY_TYPE= PROXY_ADDR= PROXY_PORT= PROXY_USER= PROXY_PASSWORD= ``` -------------------------------- ### Install PK Agent via Windows CLI Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents This command installs the Sectigo Private Key Agent silently using the command-line interface on Windows. It allows for pre-configuration of the installation token, proxy settings, and key storage provider. Ensure you have the correct installation token and proxy details before execution. ```powershell .\Sectigo_Pk_Agent.exe /i /q PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD= ``` -------------------------------- ### Start Sectigo Private Key Agent Service (systemd) Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents Starts the Sectigo Private Key Agent service using systemd. This command is the standard method for managing services on modern Linux distributions. ```bash sudo systemctl start sectigo-pk-agent ``` -------------------------------- ### Prepare Installation Files (Shell) Source: https://docs.sectigo.com/scm/sectigo-connector-for-gcp/configuring-the-connector Shell commands to extract the connector archive, navigate to the installation directory, and grant execute permissions to the installation script. ```bash chmod +x install.sh ``` -------------------------------- ### BIG-IP Host Configuration Example (YAML) Source: https://docs.sectigo.com/scm/sectigo-connector-for-f5-big-ip/installation-and-configuration Demonstrates how to specify the IP address or domain name for a BIG-IP device within a certificate profile. It shows both a single host configuration and a high availability (HA) setup with multiple hosts. ```yaml host: 3.123.235.154 ``` ```yaml ha_hosts: - 3.123.235.154 - 3.123.235.155 ``` -------------------------------- ### Start Sectigo Private Key Agent Service (SysVinit) Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents Starts the Sectigo Private Key Agent service using the SysVinit system. This command is used on older Linux systems that rely on SysVinit for service management. ```bash sudo service sectigo-pk-agent start ``` -------------------------------- ### Install Network Agent on Windows (CLI) Source: https://docs.sectigo.com/scm/scm-administrator/installing-network-agents This command installs the Sectigo Network Agent silently on Windows using the command line. It requires an installation token and allows configuration of auto-update and proxy settings. Ensure the bootstrap application is in the current directory. ```powershell .\Sectigo_Network_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD= ``` -------------------------------- ### Install Sectigo Network Agent on Linux Source: https://docs.sectigo.com/scm/scm-administrator/installing-network-agents Installs the Sectigo Network Agent on Linux systems using DNF. This involves adding the Sectigo repository, installing the agent package, and configuring it interactively. Ensure the GPG key fingerprint matches the provided value for security. ```bash sudo dnf config-manager --add-repo https://dist.sectigo.com/scm/linux/sectigo-network-agent.repo sudo dnf install sectigo-network-agent sudo /opt/sectigo-network-agent/sectigona-config interactive ``` -------------------------------- ### Start Sectigo Network Agent Service on Linux Source: https://docs.sectigo.com/scm/scm-administrator/installing-network-agents Commands to start the Sectigo Network Agent service on Linux systems, supporting both SysVinit and systemd initialization systems. ```bash # SysVinit Linux sudo service sectigo-network-agent start # systemd Linux sudo systemctl start sectigo-network-agent ``` -------------------------------- ### Install Sectigo Private Key Agent on Fedora/RHEL Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents Installs the sectigo-pk-agent package using the DNF package manager. This command also prompts the user to accept the GPG key for the repository, ensuring package authenticity. ```bash sudo dnf install sectigo-pk-agent ``` -------------------------------- ### External Credentials File Example (YAML) Source: https://docs.sectigo.com/scm/sectigo-connector-for-citrix/configuring-the-connector An example of how to structure an external YAML file to store Citrix device credentials, separating sensitive information from the main configuration. ```yaml citrix_devices: - host: 12.345.67.89 username: admin password: john_1234 - host: 21.345.67.89 username: admin password: john_jr_1234 ``` -------------------------------- ### Install Python Dependencies with Virtual Environment (Bash) Source: https://docs.sectigo.com/scm/sectigo-connector-for-citrix/configuring-the-connector This snippet demonstrates installing Python dependencies for the Sectigo agent using a virtual environment on Ubuntu. It includes creating and activating the virtual environment, upgrading pip, and installing packages from `requirements.txt`. ```bash sudo apt install python3.8-venv python3 -m venv .venv source .venv/bin/activate python3 -m pip install --upgrade pip python3 -m pip install -r requirements.txt ``` -------------------------------- ### Install Sectigo ACME Connector using Tarball Source: https://docs.sectigo.com/scm/sectigo-connector-for-f5-big-ip/installation-and-configuration Installs the Sectigo ACME connector by extracting a tarball archive and running an installation script. This process typically involves logging in as root, navigating to the /opt directory, extracting the archive, and executing the install.sh script. The EULA can be automatically accepted using a command-line flag. ```bash tar xvf sectigo-acme-f5-bigip-.tgz ./install.sh --agree-tos ``` -------------------------------- ### Configure Certificate Management Profile Parameters (JSON Example) Source: https://docs.sectigo.com/scm/sectigo-connector-for-avi-vantage/configuring-the-connector Provides an example of how to structure the custom parameters for a certificate management profile in Sectigo SCM. This includes issuer, credentials, URLs, and optional custom fields. ```json { "Issuer": "Sectigo", "sectigo_cm_user": "your_username", "sectigo_cm_password": "your_password", "sectigo_cm_base_url": "https://scm.sectigo.com", "sectigo_cm_uri": "/api/v1", "sectigo_org_id": "12345", "sectigo_ssl_cert_type": "1", "sectigo_ssl_cert_validity": "365", "sectigo_custom_fields": "[{\"name\":\"custom_field_1\",\"value\":\"value_1\"}]" } ``` -------------------------------- ### Install Python Dependencies (Virtual Environment - Ubuntu) Source: https://docs.sectigo.com/scm/sectigo-connector-for-cisco-ftd/configuring-the-connector Steps to create and activate a Python virtual environment, then install required packages from 'requirements.txt' on Ubuntu. This isolates project dependencies. ```bash sudo apt install python3.8-venv python3 -m venv .venv source .venv/bin/activate pip3 install -r requirements.txt ``` -------------------------------- ### Update Package Index and Install Agent on Debian/Ubuntu Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents Updates the local package index to include new repository information and then installs the sectigo-pk-agent package. This prepares your system for the agent's functionality. ```bash sudo apt-get update sudo apt-get install sectigo-pk-agent ``` -------------------------------- ### Get sectigo-dcs Help Information Source: https://docs.sectigo.com/scm/scm-administrator/managing-dns-connectors This command displays all available CLI commands and their usage for the sectigo-dcs tool. It is useful for discovering further functionalities. ```bash sectigo-dcs provider help ``` -------------------------------- ### Get Palo Alto Agent Help Source: https://docs.sectigo.com/scm/sectigo-connector-for-palo-alto-firewall/using-the-connector Displays all available options and commands for the `paloaltoagent.py` script. This is useful for understanding the full capabilities of the connector. ```python python3 paloaltoagent.py --help ``` -------------------------------- ### Start Active Directory Certificate Service (Windows CLI) Source: https://docs.sectigo.com/scm/scm-administrator/installing-ms-agents This command starts the Active Directory Certificate service after the MS agent has been installed via the command line. It is a necessary step to ensure the agent functions correctly. ```powershell sc start certsvc ``` -------------------------------- ### Configure PK Agent using CLI Utility Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents This command initiates the interactive configuration utility for the Sectigo Private Key Agent on Windows. It allows users to set up the installation token, proxy settings, and key storage provider through a command-line interface. Skipping certain prompts will retain default or previously configured settings. ```bash pkagent.exe config interactive ``` -------------------------------- ### Start MS Agent Service (Proxy) Source: https://docs.sectigo.com/scm/scm-administrator/managing-ms-agents Starts the MS agent service when installed with 'Proxy MS Enrollment Protocols to SCM' enabled. This command interacts with the Windows Service Control Manager. ```powershell sc start CertSvcCopied! ``` -------------------------------- ### Start MS Agent Service (Discovery) Source: https://docs.sectigo.com/scm/scm-administrator/managing-ms-agents Starts the MS agent service when installed for discovery only (without 'Proxy MS Enrollment Protocols to SCM'). This command interacts with the Windows Service Control Manager. ```powershell sc start ComodoMSAgentCopied! ``` -------------------------------- ### Chef Node JSON for Copying Certificate Source: https://docs.sectigo.com/scm/sectigo-chef-integration/using-the-integration An example JSON configuration for a Chef node that specifies the `copy_certificate` recipe and its associated parameters. This includes settings for the certificate type and file paths for storing the certificate on the node. ```json { "run_list": [ "recipe[sectigo_chef_cookbook::copy_certificate]" ], "normal": { "sectigo_cert_type":"ssl", "sectigo_ssl_cert_file_path":"/etc/ssl/", "sectigo_ssl_cert_file_name":"sectigo_ssl", . } . . } ``` -------------------------------- ### Sample Certificate Profile File Configuration Source: https://docs.sectigo.com/scm/sectigo-connector-for-akamai-cli/configuring-the-connector This snippet shows a sample configuration file for a certificate profile. It includes essential details like domain name, certificate type, security network preferences, technical and administrative contact information, organization details, and subject alternative names (SANs). ```yaml domain_name: "example.com" cert_type: ecc secureNetwork: standard-tls geography: core techContact_email: doe@example.com techContact_firstName: John techContact_lastName: Doe techContact_phone: "+994515373029" adminContact_email: nihad.bakirli@sectigo.com adminContact_firstName: John adminContact_lastName: Doe adminContact_phone: "+12505550199" org_addressLineOne: 401 COUNTY ROAD 2 org_city: Ottawa org_country: CA org_name: JohnDoe org_phone: "+12505550199" org_postalCode: K1A 0C4 org_region: ON csr_c: CA csr_o: DoePrivateCA csr_st: Ontario csr_sans: - blog.example.com - mail.example.com ``` -------------------------------- ### View Credentials (Linux) Source: https://docs.sectigo.com/scm/scm-administrator/managing-network-agents Commands to list and get credentials from a local credential store using Linux. Requires `sudo` and navigating to the network agent install location. The `--storename` parameter specifies the credential store, and `--id` is used to retrieve a specific credential. ```bash sudo sectigona-config credstore credentials list --storename ``` ```bash sudo sectigona-config credstore credentials get --storename --id ``` -------------------------------- ### View Credentials (Windows CLI) Source: https://docs.sectigo.com/scm/scm-administrator/managing-network-agents Commands to list and get credentials from a local credential store using the Windows CLI. Requires navigating to the network agent install location. The `--storename` parameter specifies the credential store, and `--id` is used to retrieve a specific credential. ```bash sectigona-config.exe credstore credentials list --storename ``` ```bash sectigona-config.exe credstore credentials get --storename --id ``` -------------------------------- ### Configure Sectigo Private Key Agent Source: https://docs.sectigo.com/scm/scm-administrator/installing-private-key-agents Initiates the interactive configuration process for the Sectigo Private Key Agent. This command guides the user through setting up essential parameters for the agent's operation. ```bash sudo /opt/sectigo-pk-agent/bin/pkagent config interactive ``` -------------------------------- ### Sample Certificate Profile Configuration (YAML) Source: https://docs.sectigo.com/scm/sectigo-connector-for-a10/configuring-the-connector A sample `cert_profile_1.yaml` file demonstrating the configuration for a single certificate profile. This file includes parameters for certificate details, subject alternative names, custom fields, CSR information, renewal settings, and virtual server associations. ```yaml profile_name: a10_profile_1 scm_credentials_label: SCMDV ssl_cert_type: DV ssl_cert_comments: Certificate for vThunder ssl_cert_subject_alt_names: example.com,www.example.com ssl_cert_custom_fields: "{\"Servers Public IP (or IP Subnet)\":\"192.168.220.130\"}" csr_domain: example.com csr_country: CA csr_state: ON csr_location: Ottawa csr_organization: JohnDoe csr_email_address: doe@example.com csr_key_type: RSA csr_key_size: 4096 force_renewal: False expiry_window: 30 auto_renew: True virtualservers: - name: john_1234 port: 8080 - name: doe_1234 port: 8080 ``` -------------------------------- ### Install Python Dependencies (Global - Ubuntu) Source: https://docs.sectigo.com/scm/sectigo-connector-for-cisco-ftd/configuring-the-connector Commands to update package lists, install pip for Python 3, and then install project dependencies from 'requirements.txt' globally on Ubuntu. This method installs packages system-wide. ```bash sudo apt update sudo apt install python3-pip pip3 install -r requirements.txt ``` -------------------------------- ### Configure Main Config File Source: https://docs.sectigo.com/scm/sectigo-connector-for-a10/configuring-the-connector This YAML file sets up the main configuration for the Sectigo Python certificate client. It specifies paths for certificate profiles and logs, download sleep intervals, requester emails, and logging parameters like level and size. ```yaml cert_profile_path: "config" sectigo_sleep_download: 1 sectigo_external_requester: john@example.com log_file: "sectigo_pycert.log" log_path: "log_path" log_level: debug log_size_mb: 1 logger_count: 10 ``` -------------------------------- ### Sample Certificate Profile Configuration (YAML) Source: https://docs.sectigo.com/scm/sectigo-connector-for-citrix/configuring-the-connector This is a sample YAML file demonstrating the structure and parameters for a certificate profile. It includes common settings like device information, key parameters, and server configurations. Use this as a template for your own certificate profiles. ```yaml version: v1 devices: - common_name: "example.com" san_domains: - "example.com" - "www.example.com" key_type: rsa key_size: 4096 protocol: http host: 12.345.67.89 port: 80 username: admin password: "s3cr3t" lb_servers: - name: lb_server_1 - name: lb_server_2 gateway_servers: - name: gateway_server_1 - name: gateway_server_2 content_switching_servers: - name: content_switching_server_1 - name: content_switching_server_2 authentication_servers: - name: authentication_server_1 - name: authentication_server_2 ``` -------------------------------- ### Sample Certificate Profile Configuration (YAML) Source: https://docs.sectigo.com/scm/sectigo-connector-for-haproxy/configuring-the-connector This YAML snippet demonstrates the structure and parameters for defining a certificate profile in the `certificates.yml` file. It includes common parameters for certificate issuance and renewal settings. ```yaml sectigo: commonParams: country: US province: Texas locality: Texas organization: Sectigo certificates: - frontendName: www-https commonName: john-doe.com comments: frontend www-https subjAltNames: ["john-doe.com","www.john-doe.com"] externalRequester: "doe@example.com" renewBeforeDays: 30 keyType: RSA keySize: 2048 forceRenew: no - frontendName: jane-https commonName: jane-doe.com ... ``` -------------------------------- ### Install MS Agent Silently (Windows CLI) Source: https://docs.sectigo.com/scm/scm-administrator/installing-ms-agents This command installs the MS agent in silent mode using the bootstrap application. It allows configuration of auto-update, installation token, proxy settings, and proxy PAC URL. Ensure the correct path to the bootstrap application is used. ```powershell .\Sectigo_MS_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_CA_PROXY= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD= ``` -------------------------------- ### F5 BIG-IP Remote Auto-Installation Configuration Source: https://docs.sectigo.com/scm/scm-administrator/managing-servers This section outlines the steps to add an F5 BIG-IP server to a network agent for remote auto-installation. It specifies that only remote installation is supported and requires the F5 REST API. Authentication can be done via username/password or by referencing credentials stored in various credential stores like CyberArk, HashiCorp Vault, Delinea Secret Server, or a local store. ```text 1. Navigate to __**Network Agents**. 2. Select your agent and click **Edit** to open the **Edit Network Agent** window. 3. Select the **Servers** tab and click the **Add** icon. 4. Provide a server name and select **F5 BIG-IP**. 5. Enter the **Host name/IP address** of the remote server. 6. If the remote F5 server isn’t using the standard port, change the **Port** from 443. 7. Provide your authentication details: - Username/Password: Provide username and password. - Credential in Agent Store: Provide store name and credential ID. * CyberArk Vault ID format: "=;=;..." * HashiCorp Vault ID: Path relative to --rootpath. * Delinea Secret Server ID: Unique Secret ID. * Local credential store ID: Unique identifying string. 8. Click **Save**. ``` -------------------------------- ### HAProxy Configuration (haproxy.cfg) Source: https://docs.sectigo.com/scm/sectigo-connector-for-haproxy/configuring-the-connector A sample HAProxy configuration file demonstrating global settings, default modes, frontend and backend definitions, and HTTP to HTTPS redirection. This configuration is typically found in `/etc/haproxy/haproxy.cfg`. ```haproxy global master-worker defaults unnamed_defaults_1 mode http timeout http-request 10s timeout connect 5s timeout client 10s timeout server 10s frontend myfrontend from unnamed_defaults_1 bind :80 # the following line redirects HTTP to HTTPS http-request redirect scheme https unless { ssl_fc } default_backend web_servers backend web_servers from unnamed_defaults_1 server myserver 127.0.0.1:8000 program api command dataplaneapi -f /etc/haproxy/dataplaneapi.hcl no option start-on-reload ``` -------------------------------- ### Install GPG on Debian/Ubuntu Source: https://docs.sectigo.com/scm/sectigo-connector-for-citrix/configuring-the-connector Commands to install GPG (GNU Privacy Guard) and configure random number generation for key creation on Debian-based systems. ```bash sudo apt install gnupg sudo apt install rng-tools sudo sed -i -e 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/urandom|' /etc/default/rng-tools sudo service rng-tools start GPG_TTY=$(tty) export GPG_TTY ```