
Deploy a DigiCert sensor — Windows


Introduction

This guide covers the basic steps needed to install and activate the DigiCert® sensor software on a Windows system.

The sensor is DigiCert's native gateway application that enables network-based integrations, discovery, proxy, and automation services for DigiCert® Trust Lifecycle Manager.

You need at least one DigiCert sensor installed on your network to enable the following features for Trust Lifecycle Manager:

  • Certificate lifecycle management: Automate lifecycle management for certificates installed on network appliances and cloud services.

  • Discovery network scans: Scan your network to find digital trust assets and calculate security ratings for them.

  • Network-based integrations: Connect to certificate authorities (CAs), vault services, external scanning solutions, and more.

  • Proxy server: Enable proxy access for DigiCert® agents and other clients to request certificates from Trust Lifecycle Manager, including built-in failover support (requires multiple sensors).

You install the sensor on-premises for security reasons. The sensor uses a pull communication model to synchronize with Trust Lifecycle Manager over outbound port 443 (HTTPS), so it needs no inbound connection from DigiCert.

DigiCert recommends installing the sensor on a dedicated host on your network that can access the network devices and services you need to manage through Trust Lifecycle Manager.

Important

To achieve complete coverage on complex networks, you may need multiple sensors installed on different network segments and geographical locations. Do not install a DigiCert agent and sensor on the same host.

For more information about DigiCert sensors, see: Deploy and manage sensors.

Before you begin

Before installing the Windows version of the sensor, verify the following requirements.

System requirements

Your environment must have at least a minimal installation of a supported operating system.

Platform: Windows

Supported OS versions:

  • Windows 10

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025 Standard

Minimum specifications:

  • x86 processor (x86-64)

  • 4 GB RAM

  • 2 GB free disk space

  • Administrator privileges

Network requirements

To connect to Trust Lifecycle Manager, the sensor requires outbound access to HTTPS (TCP port 443) on the two DigiCert® ONE platform URLs in one of the following regions.

In addition to platform access, the sensor requires outbound access to HTTPS (TCP port 443) on the following DigiCert service URL.

Loopback ports

The sensor binds to the following loopback ports on the local host. To adjust the loopback port numbers for an installed sensor, edit the applicable configuration files in the sensor config sub-directory and restart the sensor service.

  • Port 10323 (config file: cli.properties): General loopback communications port. If port 10323 is already in use by other software, the sensor automatically binds to an available port between 10323–10373. To control which port the sensor binds to, update the provided configuration file.

  • Port 58080 (config file: plugin.properties): Local communications port for the plugin manager process used to manage network-based integrations for Trust Lifecycle Manager.

  • Port 61616 (config file: messaging.properties): Local communications port for Simple (or Streaming) Text Oriented Messaging Protocol (STOMP). Used for message queuing between the main sensor process and the plugin manager process.

Note

Loopback ports do not require any access rules on the local firewall.

Additional requirements

  • The sensor host must be able to resolve its own fully qualified domain names (FQDNs), either via DNS or a local "hosts" file.

  • The sensor must be able to reach any systems it will integrate with via connectors, target for certificate lifecycle automation, or include in network scans.

  • To use the sensor as a proxy server for DigiCert® agents and other hosts on your network, the sensor host must allow inbound access on the proxy listening port (default port 48999). To learn more, see Use a sensor as a proxy server.
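The following PowerShell script is an added preflight check for this guide, not a DigiCert tool. It walks through the requirements above on the prospective sensor host: administrator privileges, supported OS and minimum specifications, resolution of the host's own FQDN, whether the three loopback ports are already taken, and outbound HTTPS reachability. The page does not list the DigiCert ONE platform and service hostnames, so the PLACEHOLDER entries are assumptions that you must replace with the URLs for your region; the loopback port numbers and config file names are the ones given in the table above.

```powershell
# Added preflight check for a Windows host before installing the DigiCert sensor.
# Example code for this guide, not DigiCert's own tooling.
# ASSUMPTION: the platform/service hostnames are not on this page; replace the
# PLACEHOLDER values with the DigiCert ONE URLs listed for your region.
#Requires -Version 5.1

$PlatformHosts = @(
    'PLACEHOLDER-one-platform-url-1.example',   # replace: DigiCert ONE platform URL 1
    'PLACEHOLDER-one-platform-url-2.example',   # replace: DigiCert ONE platform URL 2
    'PLACEHOLDER-digicert-service-url.example'  # replace: DigiCert service URL
)
# Loopback ports the sensor binds to, with the config file that controls each one.
$LoopbackPorts = @{ 10323 = 'cli.properties'; 58080 = 'plugin.properties'; 61616 = 'messaging.properties' }

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. The installer must run with administrator privileges.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Administrator privileges' $isAdmin "Running as $($identity.Name)"

# 2. Supported OS, 64-bit, 4 GB RAM, 2 GB free disk (checked on the system drive).
$os    = Get-CimInstance Win32_OperatingSystem
$ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # TotalVisibleMemorySize is reported in KB
Add-Check 'Supported OS version' ($os.Caption -match 'Windows (10|Server 2016|Server 2019|Server 2022|Server 2025)') $os.Caption
Add-Check '64-bit OS' ([Environment]::Is64BitOperatingSystem) $os.OSArchitecture
Add-Check 'RAM >= 4 GB' ($ramGB -ge 4) "$ramGB GB"
$sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
$freeGB   = [math]::Round($sysDrive.Free / 1GB, 1)
Add-Check 'Free disk >= 2 GB' ($freeGB -ge 2) "$freeGB GB free on $env:SystemDrive"

# 3. The host must resolve its own FQDN, via DNS or the local hosts file.
try {
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $addrs = ([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object IPAddressToString) -join ', '
    Add-Check 'Own FQDN resolves' (($fqdn -like '*.*') -and [bool]$addrs) "$fqdn -> $addrs"
} catch {
    Add-Check 'Own FQDN resolves' $false $_.Exception.Message
}

# 4. Loopback ports: report any listener already bound, and which config file to adjust.
#    (A busy 10323 is not fatal; the sensor falls back to 10323-10373.)
foreach ($port in $LoopbackPorts.Keys) {
    $inUse = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if ($inUse) {
        $owner = (Get-Process -Id $inUse[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Check "Loopback port $port free" $false "in use by '$owner'; adjust $($LoopbackPorts[$port])"
    } else {
        Add-Check "Loopback port $port free" $true 'free'
    }
}

# 5. Outbound HTTPS (TCP 443) to each platform/service host.
foreach ($h in $PlatformHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Check "Outbound TCP 443 to $h" ([bool]$t.TcpTestSucceeded) "remote address: $($t.RemoteAddress)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more preflight checks failed; resolve them before installing the sensor.'
}
```

Run the script in an elevated PowerShell session on the intended sensor host. Loopback port checks only look for existing listeners, so a port that is free now can still be taken by other software later; the config file named in the result is the one to edit (followed by a sensor service restart) if that happens.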

Deployment workflow

To deploy the DigiCert sensor software on a Windows system, complete these tasks in order.

To download the Windows sensor software and activation file in Trust Lifecycle Manager:

  1. From the Trust Lifecycle Manager menu, select Discovery & automation tools > Client tools.

  2. Select Sensor - Windows installer.

  3. Use the download button on the right to download the latest version of the DigiCert sensor installer for Windows. It should have a name like tlm_sensor_N.N.N_win64.zip, where "N.N.N" is the sensor version number.

  4. To get the software activation file, select the Download activation file button under Requirements. In the popup dialog that opens:

    1. (Optional) Select a Business unit to assign the sensor to. If you make a selection here, only users assigned as administrators for that business unit can manage the sensor.

    2. Select the Download button to download the sensor activation file. It is named license.properties.

    Note

    Each activation file can be used to activate a single sensor. To install additional sensors, download additional activation files.

To install and activate the sensor software on a Windows system:

  1. Unzip the installer you downloaded and run the .exe file as an administrator.

  2. Select the button to Install. Follow the prompts to install the sensor.

  3. On the final installer screen, make sure the Activate DigiCert Sensor checkbox is selected and select the Finish button.

  4. On the Finish setup and activate screen, select Trust Lifecycle Manager and select the Next button.

  5. Select an option for how the DigiCert sensor will connect to Trust Lifecycle Manager:

    • Direct, no Proxy: If the sensor will connect directly.

    • My own proxy server: If connecting through a proxy server. You are prompted to enter the proxy server details.

  6. On the Activate the sensor screen, browse to the activation file you downloaded (license.properties) and select the Activate button.

  7. On the setup completed screen, choose whether to start the sensor service and/or view the README file, then select the Finish button.

    If you start the sensor service now, it opens a command window to launch it. After launching the service, press any key to continue.

Return to the Trust Lifecycle Manager web console to verify that the installed sensor is ready for use:

  1. From the Trust Lifecycle Manager menu, select Discovery & automation tools > Sensors.

  2. You should see the sensor you installed listed in the table here.

    • By default, the Sensor name is set to the license key used to activate the sensor. Select the edit (pencil) icon next to the name to change it.

    • The Status column lists the current sensor status. A sensor that's installed and ready to use should show Active.

Note

If your sensor does not appear in the table or does not show the Active status, refer to Troubleshoot sensors for troubleshooting help.

If you will use the sensor to set up a CA connector, DigiCert recommends enabling server-sent events for the sensor. This feature allows the sensor to receive instructions from Trust Lifecycle Manager in near real time, enhancing its ability to manage workflows and handle time-sensitive certificate requests for integrated CAs.

To enable server-sent events for the sensor from the Trust Lifecycle Manager web console:

  1. From the Trust Lifecycle Manager menu, select Discovery & automation tools > Sensors.

  2. Select the sensor by name to view the details page for it.

  3. On the sensor details page, select the edit (pencil) icon on the top-right to edit the sensor configuration.

  4. Under Advanced settings, select the checkbox to Enable Server Sent Event Heartbeat.

  5. Select the Update button at bottom to save the changes to the sensor configuration.

DigiCert® sensors include a built-in proxy server for DigiCert® agents and other clients to connect to and request certificates from DigiCert® Trust Lifecycle Manager.

Note

On networks with multiple DigiCert sensors installed and used as proxies, DigiCert agents are designed to automatically fail over and use a different sensor if there’s an issue connecting to the primary sensor.

The proxy server feature is enabled by default on sensors. It provides a transparent HTTP proxy with support for well-known certificate enrollment protocols including ACME, EST, and SCEP.

By default, the sensor proxy server:

  • Listens on TCP port 48999.

  • Allows outbound proxy access to the digicert.com domain.

To allow hosts on your network to use the sensor proxy server to connect to Trust Lifecycle Manager, open the sensor proxy listening port (default 48999) on the local firewall.
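One way to open the proxy listening port on the Windows firewall and then confirm the sensor is bound to it, as an added example for this guide rather than a DigiCert script. It uses the default port 48999 stated above; the agent subnet 10.0.0.0/8 and the rule name are constructed for the example, and you should narrow the remote address scope to the subnets where your DigiCert agents actually run instead of allowing any source.

```powershell
# Added example: open the sensor proxy port on the local Windows firewall
# with a restricted source scope, then verify the sensor is listening.
# Not DigiCert's own script. ASSUMPTIONS: default proxy port 48999 from this
# page; the subnet and rule name below are constructed and should be adjusted.
#Requires -RunAsAdministrator

$ProxyPort = 48999
$RuleName  = 'DigiCert sensor proxy (TCP 48999)'
# Constructed example scope: only these networks may reach the proxy.
$AgentNets = @('10.0.0.0/8')

$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $ProxyPort `
        -RemoteAddress $AgentNets -Profile Domain,Private | Out-Null
    Write-Host "Created inbound rule '$RuleName' for $($AgentNets -join ', ')"
} else {
    Write-Host "Rule '$RuleName' already exists; leaving it unchanged"
}

# Show the effective source scope so an over-broad RemoteAddress (e.g. 'Any') is visible.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Confirm the proxy is actually bound (the sensor service must already be started).
$listener = Get-NetTCPConnection -LocalPort $ProxyPort -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Host "TCP $ProxyPort is listening on $($listener[0].LocalAddress) (process: $($proc.ProcessName))"
} else {
    Write-Warning "Nothing is listening on TCP $ProxyPort; start the sensor service or check the proxy configuration."
}

# End-to-end check from an agent host (run on that host, not on the sensor):
# Test-NetConnection -ComputerName <sensor-fqdn> -Port 48999
```

If the sensor proxy has been configured to listen on a specific IP address rather than all interfaces, the `LocalAddress` shown for the listener should match that address; a listener on 0.0.0.0 means every interface on the host accepts proxy connections within the firewall rule's scope.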

For more details about how to customize the sensor proxy server, including the proxy listening IP address(es) and port, see: Use a sensor as a proxy server.

Additional settings for on-premises DigiCert ONE users

Important

This section only applies if your organization has its own on-premises instance of the DigiCert ONE platform and uses it to issue private trust certificates.

What's next

With an active DigiCert sensor on your network, you can leverage the full range of Trust Lifecycle Manager's network-based integrations, discovery, and automation tools:

  • Connect your network appliances and cloud services to discover and manage the certificates installed on them.

  • Connect to certificate authorities to import and issue certificates from a variety of sources.

  • Connect external scanning solutions to import data that you can monitor and manage in Trust Lifecycle Manager.

  • Connect to Azure Key Vault to import and deliver certificates to vaults in the Azure cloud.

  • Set up network scans to find additional certificates and digital trust assets throughout your network that you can manage in Trust Lifecycle Manager.