sectigoinc/networkagent repository overview

⁠Quick reference

Complete installation instructions.⁠

⁠How to use this image

⁠Base Directory

The Network Agent container stores its configuration and logs in the base directory. Since this data is non-reproducible, the container should use a directory mounted from the Docker host to ensure data persistence across container runs. This directory contains sensitive information, so non-root users should not have access to it.

Create a directory on your Docker host machine:

sudo mkdir <basedir>

⁠Register Agent

To register the agent, follow the procedure in Sectigo Certificate Manager to add the agent and obtain the registration token.

Run a disposable container with this token:

docker run --rm -v <basedir>:/base sectigoinc/networkagent:latest register --token <token>

After successful execution of the command, the required configuration will be written into the base directory.

⁠Start Agent

docker run -d --name sectigo-network-agent -v <basedir>:/base sectigoinc/networkagent:latest

⁠Agent Configuration

Most of the agent configuration commands require direct communication with the agent service, so sectigona-config commands must be executed inside the running container.

For example, to list credential stores, run:

docker exec -it sectigo-network-agent sectigona-config credstore list

⁠SSL Trusted CAs

To validate SSL trust, the agent uses the certificates file inside the image. Therefore, any updates to the host's trust will not be recognized by the container, and any changes made inside the container will not be preserved between runs. To use the trusted issuers configuration from the host machine, mount the host's certificates file and override the container environment variable SSL_CERT_FILE.

For example, on Debian, add the following arguments to your docker run command:

 -v /etc/ssl/certs/ca-certificates.crt:/certs/ca-certificates.crt -e SSL_CERT_FILE=/certs/ca-certificates.crt