Menu

Agent/Agentless Deployment

Jun 8, 2026

OVERVIEW: TLS Connect provides both software agents and agentless capabilities to deploy certificates to Windows or Linux servers. The software agent is sufficient for most network environments, but in others, you may need to deploy certificates through the “agentless” feature.

Configure Automation Agent 

The TLS Connect agent is a lightweight piece of software that the target server can use to communicate with TLS Connect for certificate retrieval and deployment, allowing TLS Connect to centrally manage certificates on all connected networks.  

You should have received the agent during onboarding. If you are missing the file, please reach out to your Account Manager to receive it. 

  1. Place the agent.exe file on the target server. The target server should be on the same network as the server that has the TLS Connect instance.

  2. Open a text editor on the same server as the agent.exe file and paste the following text into the file:

    { 
  "Hub": { 
    "BaseUrl": "http://127.0.0.1:5086" 
  }, 
  "Auth": { 
    "Mode": "Hmac" 
  }, 
  "Polling": { 
    "IntervalSeconds": 3 
  } 
}

  3. Change the BaseURL to the server’s IP address and port. 

  4. You may optionally modify the frequency that the agent will communicate with TLS Connect by changing the “IntervalSeconds” value.

  5. When finished, save the .json file.

  6. Run the agent.exe file to verify the configuration of the agent. If the message returned says “No task. Polling will stay quiet until a task arrives.” then the agent is active and ready for use. 

  7. Open the TLS Connect application and navigate to the Automation > Agent Hub Logs to view your connected servers. You can check the status of this server by clicking Refresh Logs.

Deactivate Automation Agent

You can deactivate an automation agent in two ways:

  1. You can “stop” the agent’s Windows service, or delete it entirely. The status of the agent will be reflected in the TLS Connect UI.

  2. You can permanently deactivate the agent from the TLS Connect UI.

    1. Open the TLS Connect application and navigate to the Automation > Server Profiles tab. 

    2. Choose the server profile and then click + Add Target and then click Add Agent Server (Windows/Linux).

    3. Select the server and then click Delete Selected. This will permanently remove the agent from the server. This action cannot be undone. To re-add a deleted agent, you will need to add it again to the server with new credentials.

Configure Agentless Certificate Deployment Feature 

TLS Connect provides Agentless certificate deployment, which allows servers to download and auto-renew TLS certificates without configuring and installing a TLS Connect agent. This feature is ideal for: 

  • Legacy Linux servers with old glibc (incompatible with the .NET agent) 

  • Windows servers where installing software is not permitted 

  • Network appliances, load balancers, or embedded systems that can run curl/PowerShell 

  • Environments where security policy forbids persistent background agents 

  • Quick one-time certificate deployments to a new server 

Prerequisites 

  • TLS Connect internal hub service is running and reachable on port 5086  

  • A certificate must be assigned to a server profile. Refer to “Create an Automation Task” above for more information.  

  • curl (Linux) or PowerShell (Windows) is available on the target server 

Setup the Agentless Feature 

These steps are completed once per profile. 

  1. Navigate to Automation > Server Profile. 

  2. Select or create the profile that will distribute certificates to the target server.  

    1. If you need to create a new profile, refer to “Create an Automation Profile” above for more information. 

    2. If you already have a profile you want to add the Agentless feature to, select the profile from the list. 

  3. Select + Add Targets and then click Add Agentless Server (token-based)

  4. In the Agentless Servers modal window, select the file format that matches the target server's software and set the credentials: 

    1. If choosing PFX (for Windows IIS, Windows services, .NET applications), enter a download password. This is required and used by certutil to import certificates. 

    2. If choosing PEM (for nginx, Apache, HAProxy, Linux-based web servers), you may optionally check Encrypt PEM key and set a password to protect the private key. 

    3. If choosing JKS (for Apache Tomcat, Java applications), enter a download password. This is required and used by Java keytool. Also enter an alias name. 

  5. With + Add Single Server selected, enter the IP address of the target server. 

  6. Select the operating system (OS) type. 

  7. Enter a friendly name (label) for the server. 

  8. Click Add Server

  9. Repeat these steps for additional servers or select + Bulk Import to configure multiple servers at once using the “ip,OS,label” format. 

  10. When you are finished adding your server(s), click Save. The token and server list are now stored in the automation profile. 

Use the Agentless Feature

Start by retrieving the appropriate script that matches your target server. 

  1. From the server profile, select Manage next to the Agentless bar in the Target Servers section. 

  2. Select Show curl / PowerShell

  3. A modal window will display with the scripts for both Linux and Windows environments. Click Copy to copy the script to your clipboard. 

Now install the script on the target server. The process will be slightly different depending on the server type.

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support