certkit-io/certkit-agent

Certkit Agent

certkit-agent runs on your host, registers with CertKit, polls for assigned certificate configuration, deploys certificates, runs optional reload commands, and reports inventory.

Documentation

Prerequisites

  • CertKit account: app.certkit.io
  • Registration key from your CertKit app (format similar to abc.xyz)

Quick Start

Linux (systemd)

sudo env REGISTRATION_KEY="abc.xyz" \
bash -c 'curl -fsSL https://app.certkit.io/agent/latest/install.sh | bash'

Windows (elevated PowerShell)

$env:REGISTRATION_KEY="abc.xyz"
powershell -NoProfile -ExecutionPolicy Bypass -Command "iwr -useb https://app.certkit.io/agent/latest/install.ps1 | iex"

Docker

docker run --rm \
  -e REGISTRATION_KEY="abc.xyz" \
  -v ./certkit-agent:/etc/certkit-agent \
  ghcr.io/certkit-io/certkit-agent:latest

For sidecar patterns and reload-mode tradeoffs, see INSTALLATION.md.

CLI At A Glance

certkit-agent install    [--key REGISTRATION_KEY] [--service-name NAME] [--config PATH]
certkit-agent uninstall  [--service-name NAME] [--config PATH]
certkit-agent run        [--key REGISTRATION_KEY] [--config PATH] [--once]
certkit-agent register   REGISTRATION_KEY [--config PATH]
certkit-agent validate   [--config PATH]
certkit-agent lock       [--config PATH]
certkit-agent unlock     [--config PATH]
certkit-agent version

Common commands:

# one-time registration + service install
sudo certkit-agent install --key abc.xyz

# foreground daemon mode
certkit-agent run

# one-shot poll/sync (for cron or ad-hoc checks)
certkit-agent run --once

# config and connectivity checks
certkit-agent validate

# lock the agent to prevent unexpected changes from the server
# certificates are still updated, but commands and configuration stay fixed
certkit-agent lock

# allows configuration updates from the server
certkit-agent unlock

Windows uninstall is typically done via Add/Remove Programs (CertKit Agent). CLI fallback is:

& "C:\Program Files\CertKit\bin\certkit-agent.exe" uninstall

Configuration

Default config path:

  • Linux: /etc/certkit-agent/config.json
  • Windows: C:\ProgramData\CertKit\certkit-agent\config.json

A new config is created automatically if missing. Configs are agent-instance specific; do not clone a full config between hosts.

Agent lock file:

  • Lock file path is <config>.lock (for example /etc/certkit-agent/config.json.lock).
  • While the lock file is present, poll updates only change last_certificate_update_date and latest_certificate_sha1.
  • Remove lock with certkit-agent unlock (or by deleting the lock file).
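
One way to audit the lock behaviour described above, as an added example (not CertKit's own code): it diffs a baseline copy of config.json, taken when the lock was set, against the live file and lists every change other than the two fields named above. It assumes those two names are JSON keys in config.json; the sample keys (certificates, pem_path, update_cmd) are hypothetical because the config schema is not shown here.

```python
import json
import os

# Per the README, only these two values change on poll while the lock is present.
ALLOWED_WHILE_LOCKED = {"last_certificate_update_date", "latest_certificate_sha1"}

def is_locked(config_path):
    """The lock file is <config>.lock, e.g. /etc/certkit-agent/config.json.lock."""
    return os.path.exists(config_path + ".lock")

def changed_paths(old, new, prefix=""):
    """Yield a dotted path for every value that differs between two JSON trees."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            path = f"{prefix}.{key}" if prefix else key
            if key in old and key in new:
                yield from changed_paths(old[key], new[key], path)
            else:
                yield path  # key added or removed
    elif isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        for i, (a, b) in enumerate(zip(old, new)):
            yield from changed_paths(a, b, f"{prefix}[{i}]")
    elif old != new:
        yield prefix  # scalar change, type change, or list length change

def lock_violations(baseline, current):
    """Changed paths whose final key is not one of the two allowed fields."""
    return [p for p in changed_paths(baseline, current)
            if p.rsplit(".", 1)[-1] not in ALLOWED_WHILE_LOCKED]

def audit(config_path, baseline):
    """Return None when unlocked, else the list of unexpected changes."""
    if not is_locked(config_path):
        return None  # unlocked: server-driven configuration updates are expected
    with open(config_path, encoding="utf-8") as fh:
        return lock_violations(baseline, json.load(fh))

# Constructed sample snapshots; every key except the two allowed ones is hypothetical.
BASELINE = {"certificates": [{"pem_path": "/etc/ssl/site.pem",
                              "update_cmd": "systemctl reload nginx",
                              "latest_certificate_sha1": "aaaa",
                              "last_certificate_update_date": "2024-01-01"}]}
RENEWED = {"certificates": [dict(BASELINE["certificates"][0],
                                 latest_certificate_sha1="bbbb",
                                 last_certificate_update_date="2024-03-01")]}
TAMPERED = {"certificates": [dict(RENEWED["certificates"][0],
                                  update_cmd="systemctl restart nginx")]}

if __name__ == "__main__":
    print(lock_violations(BASELINE, RENEWED))
    print(lock_violations(BASELINE, TAMPERED))
```

Store the baseline somewhere the agent's service account cannot write, and run the audit from a scheduled job so a non-empty result can raise an alert.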

Platform Support

  • Linux
  • Windows
  • Docker sidecar

Auto-discovery support:

  • Linux: Apache, Nginx, HAProxy, LiteSpeed
  • Windows: IIS, RRAS

Logs

  • Linux systemd: journalctl -u certkit-agent -f
  • Linux foreground run: stdout/stderr
  • Windows Event Viewer: Application log, source CertKit
  • Windows service text log (fallback): C:\ProgramData\CertKit\certkit-agent\certkit-agent.log

Troubleshooting

  • Validate config and connectivity: certkit-agent validate
  • Verify service state: systemctl status certkit-agent or Get-Service certkit-agent
  • Confirm API reachability and firewall rules to your configured CertKit API base URL

Support

License

Elastic-2.0. See LICENSE.

About

CertKit Agents run directly on your hosts and manage the full certificate lifecycle (registration through renewal and deployment)
