Knowledge Base

Sectigo Network Agent: Frequently Asked Questions (FAQ)

Updated on December 31, 2024

Understanding Network Agent -2024-12-17-013933.png

Sectigo Network Agent: Frequently Asked Questions (FAQ)

1. Is the communication strictly outbound initiated (Agent => SCM) or also inbound from the SCM (SCM => Agent)?

Answer:

Communication is strictly outbound initiated by the Agent (Agent => SCM).
The Agent opens a TCP socket to connect to the SCM.
While the SCM responds to the Agent, it does not initiate any communication.
All communication is two-way, as every API call made by the Agent receives a response.

2. Is the validation and scheduling process for initiating a certificate renewal done on/by the Agent or on/by the SCM?

Answer:

The renewal process is initiated by the Agent based on its stored configuration.
Validation of the certificate renewal request is performed by the SCM.
The Agent does not store any data regarding certificate validation.

3. Can you provide a workflow description of how the validation and initiation of the renewal process is done?

Answer:

The Agent determines the need for certificate renewal based on its configuration.
The Agent initiates a REST API call to the SCM to request renewal.
The SCM validates the request using the configured certificate template or profile.
If validation is successful, the SCM processes the renewal and sends the updated certificate to the Agent.
The Agent applies the new certificate, replacing the old one.

4. How is communication between the Agent and SCM secured/protected?

Answer:

The Agent communicates with the SCM using the TCP protocol.
Between the Agent and IIS systems, communication occurs via RPC (Remote Procedure Call).
Between the Agent and Apache nodes, communication uses SSH.
The REST API calls between the Agent and SCM are secured over TLS for encryption and protection.

5. Are measures implemented on the Agent side to detect a malicious SCM server and prevent risks like misconfigurations?

Answer:

Detection of a malicious SCM server, including risks from unintended bugs or hacked servers, is a customer-specific activity.

The responsibility for implementing security measures lies with the customer’s security strategy and risk management processes.

6. Is there any kind of SSL certificate validation (ASN.1 correctness, not certificate chain verification) before the new certificate overwrites the old one?

Answer:

Yes, SSL certificate validation is performed based on the certificate template or profile selected on the SCM side.
This ensures the ASN.1 correctness of the new certificate before it replaces the existing one.

7. How are remote install credentials protected?

Answer:

Credentials are stored in the SCM database in encrypted form.
When a discovery command is sent, credentials are shared with the Agent.
The Agent saves credentials in its local H2 database, which is encrypted with AES-128.

8. How does the self-extracting install for Linux work?

Answer:

The installation package (sectigo-network-agent.bin) is a self-extracting shell script created with MakeSelf.
The script extracts its contents to a directory (default /tmp) and executes an install script.
During an auto-upgrade, the process downloads the package to /opt/sectigo-network-agent/updates and runs it using parameters in the agent.properties file.

9. How is the log level increased for the Network Agent?

Answer:

Logs default to INFO level and can be increased to DEBUG using the sectigona-config CLI tool.
After changing the log level, the Agent must be restarted.
The log level should be reset to INFO after troubleshooting to avoid performance degradation.