About certificate installation methods: agentless versus agent
Trust Protection Platform can install certificates on devices in your network with or without using the Server Agent. If for some reason Trust Protection Platform can't connect to the device on which you plan to install the certificate (firewall restriction or no existing route to the subnet, for example), you have an alternate connection method.
See Supported shells for the shells used to establish a connection between Trust Protection Platform and a client.
Method | Description
--- | ---
Agentless | Installs certificates on devices in your network using credential authentication between Trust Protection Platform and the other network devices. Advantages: Typically the easiest method to use when you have large numbers of similarly configured devices, because you do not need to install or maintain any additional software on the devices where you plan to install certificates (unless remote generation is required, in which case the applicable crypto utilities must be installed on the device). Also, Trust Protection Platform automatically creates the necessary device and credential objects during Discovery. Requirements: You must set up and manage device credentials for every device where you want to install certificates.
Server Agent | Installs certificates on devices in your network using Server Agents that are installed on those devices (Server Agent-enabled devices). See Server Agent-supported keystores. Advantages: A powerful method that can reduce the work required to configure and manage trust between Trust Protection Platform and the agent-enabled devices where you plan to deploy certificates, especially if the devices where you want to install certificates are not configured similarly. As certificates are discovered, Trust Protection Platform creates the necessary objects so that it can manage the discovered certificates almost immediately. The agent method also helps with load distribution, because installed Server Agents use the system resources of the devices where they are installed, whereas with Agentless all of the work is performed on the Trust Protection Platform server. With agents, rather than one device performing hundreds of tasks, you have hundreds of devices performing a few tasks each. Requirements: Configure and deploy the Server Agent to each device on which you plan to install (and manage) certificates.
Example: Which method you choose depends on which platform (OS) will be hosting the certificate and which keystore formats are required. Consider the following scenarios:
- Agentless or Agent methods: If you have a Unix or Linux system and you need JKS, PEM, CAPI, or PKCS#12, you could use either agent or agentless, depending on which method best fits your organization.
- Agentless method only: If you have a network appliance like F5 Big-IP LTM, Citrix NetScaler, vThunder, IBM DataPower, etc., then the Agentless method is your only option because these are closed systems where the agent is not supported.
- Agent method only: If you have a Windows system and you need CMS (GSK), JKS, PEM, CAPI, or PKCS#12, then the agent is the more realistic choice. This is because Venafi requires a third-party SSH server to be installed on Windows in order to support those keystores using the Agentless method.
- Agentless or Agent methods (Conditional): Network restrictions (and the associated architecture) can determine which method you use. For example, if Trust Protection Platform can connect to the device on which you plan to install a certificate but the device cannot contact Trust Protection Platform, then your only option is Agentless; this is because during agentless certificate installation, Trust Protection Platform initiates the network connection. However, if Trust Protection Platform cannot connect to the device on which you plan to install the certificate but the device can contact Trust Protection Platform, then your only option is the agent; this is because during an agent certificate installation, the device is the one that initiates the network connection.
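The scenarios above reduce to a handful of constraints (connection direction, closed appliances, the Windows SSH prerequisite, and crypto utilities for remote generation). The following helper, added here as an illustration and not Venafi's own code, encodes them so an inventory can be screened before deployment; the Target fields, the platform labels and the CLOSED_APPLIANCES set are assumptions.

```python
"""Decision helper for choosing between Agentless and Server Agent install.

Constructed for illustration; not Venafi code. Encodes the constraints stated
in the scenarios above: connection direction, closed appliances, Windows
needing a third-party SSH server for Agentless, and remote generation
needing crypto utilities on the device for Agentless.
"""
from dataclasses import dataclass

AGENTLESS = "agentless"
AGENT = "agent"

# Assumed platform labels for the closed systems named on the page.
CLOSED_APPLIANCES = {"f5-bigip-ltm", "citrix-netscaler", "vthunder", "ibm-datapower"}


@dataclass
class Target:
    platform: str                     # "linux", "unix", "windows", or an appliance label
    tpp_can_reach_device: bool        # TPP -> device (Agentless initiates from TPP)
    device_can_reach_tpp: bool        # device -> TPP (Agent initiates from the device)
    third_party_ssh_server: bool = False   # only relevant on Windows
    remote_generation: bool = False        # key/CSR generated on the device
    crypto_utils_installed: bool = False   # needed for Agentless remote generation


def allowed_methods(t: Target) -> set:
    """Return the install methods the constraints leave open (may be empty)."""
    methods = set()
    # Connection direction is the hard constraint in both scenarios.
    if t.tpp_can_reach_device:
        methods.add(AGENTLESS)
    if t.device_can_reach_tpp:
        methods.add(AGENT)
    # Closed network appliances do not support the Server Agent.
    if t.platform in CLOSED_APPLIANCES:
        methods.discard(AGENT)
    # Agentless on Windows requires a third-party SSH server on the host.
    if t.platform == "windows" and not t.third_party_ssh_server:
        methods.discard(AGENTLESS)
    # Agentless remote generation requires the crypto utilities on the device.
    if t.remote_generation and not t.crypto_utils_installed:
        methods.discard(AGENTLESS)
    return methods


def explain(t: Target) -> str:
    """Human-readable verdict for an inventory report."""
    methods = allowed_methods(t)
    if not methods:
        return f"{t.platform}: no supported method; fix connectivity or prerequisites"
    return f"{t.platform}: " + " or ".join(sorted(methods))
```

An empty result means neither method can work as the device is currently reachable and provisioned, which is the case to catch before a rollout rather than during it.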