Agents

An agent in sslbrain is a set of scripts that knows how to install a certificate on a specific platform. When sslbrain deploys a certificate to a server, it is an agent that does the actual work: imports the certificate, configures the web server and restarts services as needed.

Built-in Agents

sslbrain ships with agents for the most common platforms. All built-in agents are maintained and updated by FairSSL and tested against each new version before release.

36 agent packages. The catalog matches the 36 agent packages in sslbrain-agents and is reused across the website.

Windows and Microsoft

16 agent packages

PowerShell-based agents for Windows Server, IIS, Exchange, SQL Server, and Microsoft infrastructure.

Agent	Platform	Package	Type	Description
Windows IIS 8+	IIS 8.0+ on Windows Server 2012+	`iis8plus`	FairSSL	Installs and binds certificates on IIS websites.
IIS Web Server	IIS sites and bindings	`windows-iis`	FairSSL	Discovers IIS sites and manages certificate deployment to web bindings.
IIS Central Certificate Store	IIS Central Certificate Store	`windows-ccs`	FairSSL	Deploys PFX files to CCS with hostname-based file naming.
Microsoft Exchange 2013-2019	Exchange Server 2013, 2016, and 2019	`exchange2013-2019`	FairSSL	Replaces certificates across mail and client access services.
Microsoft Exchange	Exchange Server certificates and services	`windows-exchange`	FairSSL	Discovers Exchange certificates and manages certificate installation for Exchange services.
Windows SQL Server	Microsoft SQL Server	`windows-sql`	FairSSL	Binds certificates to SQL Server instances and validates TLS.
Windows ADFS	Active Directory Federation Services	`windows-adfs`	FairSSL	Rotates ADFS service communications and SSL certificates.
Windows Certificate Authority	Active Directory Certificate Services	`windows-ca`	FairSSL	Updates AD CS certificates with verification and rollback.
Web Application Proxy	Microsoft Web Application Proxy	`windows-wap`	FairSSL	Rotates WAP certificates globally or per application.
Windows Remote Desktop	Remote Desktop Services	`windows-rdp`	FairSSL	Keeps RDP endpoints on the right certificates.
Windows SSL/TLS Bindings	HTTP.sys and netsh bindings	`windows-netsh`	FairSSL	Controls SSL/TLS bindings for services using HTTP.sys without IIS.
Windows Certificate Store	Windows Local Machine certificate store	`windows-cert-install`	FairSSL	Installs PFX certificates into the Windows Certificate Store.
Windows Server	General Windows Server inventory	`windows-os`	FairSSL	Discovers Windows certificates and handles general PFX deployment.
Dynamics NAV / Business Central	Microsoft Dynamics NAV and Business Central	`navbc-windows`	FairSSL	Manages TLS bindings for NAV/BC service instances.
Milestone XProtect	Milestone XProtect on Windows	`windows-milestone`	FairSSL	Rotates certificates for Milestone XProtect installations.
Veeam Backup & Replication	Veeam Backup & Replication	`windows-veeam`	FairSSL	Manages certificate deployment to Veeam Backup & Replication.

Linux and services

7 agent packages

SSH-based agents for web servers, mail, databases, and Linux ACME workflows.

Agent	Platform	Package	Type	Description
Nginx	Nginx over SSH	`nginx-ssh`	FairSSL	Discovers server blocks, deploys certificates, and validates reloads.
Apache	Apache 2.4+ over SSH	`apache-ssh`	FairSSL	Handles VirtualHost discovery, certificate files, and service reloads.
HAProxy	HAProxy over SSH	`haproxy-ssh`	FairSSL	Builds PEM bundles and reloads HAProxy after validation.
Apache Tomcat	Tomcat over SSH	`tomcat-ssh`	FairSSL	Updates PKCS12/JKS keystores and restarts relevant services.
Postfix	Postfix SMTP over SSH	`postfix-ssh`	FairSSL	Deploys SMTP certificates and validates Postfix configuration.
Dovecot	Dovecot IMAP/POP over SSH	`dovecot-ssh`	FairSSL	Updates Dovecot TLS configuration with rollback support.
PostgreSQL	PostgreSQL over SSH	`postgresql-ssh`	FairSSL	Installs TLS certificates with correct ownership and path handling.

Cloud certificate stores

3 agent packages

CLI/API-based agents for certificates in cloud platforms.

Agent	Platform	Package	Type	Description
AWS Certificate Manager	AWS ACM via AWS CLI	`aws-acm-api`	FairSSL	Imports and tracks certificates in AWS Certificate Manager.
Azure Key Vault	Azure Key Vault via Azure CLI	`azure-keyvault-api`	FairSSL	Manages certificates in Key Vault with Azure CLI.
Google Cloud Certificate Manager	Google Cloud Certificate Manager via gcloud CLI	`gcloud-certmanager-api`	FairSSL	Automates certificate updates in Google Cloud Certificate Manager.

Appliances, networking, and virtualization

8 agent packages

Agents for load balancers, firewalls, storage, NAS, and VMware environments.

Agent	Platform	Package	Type	Description
Citrix NetScaler / ADC	NetScaler / ADC via NITRO API	`netscaler-api`	FairSSL	Updates cert/key pairs and vserver bindings.
Cisco Secure Firewall Device Manager	Cisco Secure Firewall Threat Defense via FDM API	`cisco-fdm-api`	FairSSL	Discovers certificate inventory and binding surfaces on FDM-managed Cisco firewalls.
Kemp LoadMaster	Kemp LoadMaster via REST API v2	`kemp-loadmaster`	FairSSL	Manages certificates on Kemp LoadMaster load balancers.
pfSense	pfSense over SSH	`pfsense-ssh`	Community	Replaces firewall and webGUI certificates on pfSense.
Synology DSM	Synology DSM via Web API	`synology-dsm-api`	FairSSL	Manages NAS certificates through the DSM API.
NetApp ONTAP	ONTAP via REST API	`netapp-ontap-api`	FairSSL	Rotates certificates on NetApp ONTAP clusters.
VMware vCenter	vCenter Server via REST API	`vmware-vcenter-api`	FairSSL	Replaces vCenter management certificates.
VMware ESXi	Standalone ESXi hosts over SSH	`vmware-esxi-ssh`	FairSSL	Updates host certificates on standalone ESXi hypervisors.

Custom agents

2 agent packages

Templates for custom Linux and Windows platforms.

Agent	Platform	Package	Type	Description
Custom Linux Certificate Deployment	Arbitrary Linux services	`custom-linux`	Community	Template for file-based deployment on custom Linux services.
Custom Windows Certificate Deployment	Arbitrary Windows services	`custom-windows`	Community	Template for certificate store or file-based deployment on Windows.

Windows Service Agent

The Windows Service Agent is a lightweight MSI package installed on Windows servers. It pulls signed tasks from sslbrain via outbound HTTPS, so no open ports or WinRM configuration is required.

Deploy via GPO, SCCM or Intune. Ideal for environments with strict firewall rules.

Community Agents

Community agents are written by users and shared with all sslbrain installations. Each community agent is:

Submitted by a user
Reviewed by FairSSL for security and quality
Signed with FairSSL's ECDSA P-384 key
Made available to all sslbrain installations

Community agents cover platforms not covered by the built-in agents, e.g. Postfix, HAProxy, Tomcat, Synology or specific cloud services.

You can find community agents in sslbrain under Agents > Community. Install them with a single click.

Share a community agent

Have you built an agent that could be useful to others? Share it:

Open your custom agent in sslbrain
Click Share with community
The agent is sent to FairSSL for review

Once the agent is approved and signed, it becomes available to all sslbrain installations via Agents > Community.

Tip: We will contact you if we have questions or improvement suggestions during the review.

Custom Agents

If you have a platform not covered by either built-in or community agents, you can build your own.

sslbrain has a GUI editor for custom agents. For simple setups (e.g. copy certificate to a specific path and restart a service) no programming is needed. The editor guides you through the steps.

For more advanced needs, you can write agent scripts directly in YAML format.

GUI editor

Step-by-step wizard. No programming needed. Choose actions from a menu.

YAML editor

Full control over agent logic. Write YAML directly with all available actions and variables.

YAML Format

An agent is defined in an agent.yml file. Here is a simple example that copies a certificate and key to a server and restarts a service:

agent.yml

name: my-custom-agent
description: Installs certificate for my application
platform: linux

steps:
  - name: Copy certificate
    action: write_file
    path: /etc/myapp/tls/cert.pem
    content: "{{ certificate_pem }}"
    mode: "0644"

  - name: Copy private key
    action: write_file
    path: /etc/myapp/tls/key.pem
    content: "{{ private_key_pem }}"
    mode: "0600"

  - name: Restart application
    action: run_command
    command: systemctl restart myapp

verify:
  - name: Check TLS connection
    action: tls_check
    host: localhost
    port: 443

Variables such as {{ certificate_pem }} and {{ private_key_pem }} are replaced automatically by sslbrain during deployment.

Available variables

Variable	Contents
certificate_pem	The certificate in PEM format
private_key_pem	The private key in PEM format
chain_pem	The certificate chain (intermediate CA) in PEM format
fullchain_pem	Certificate + chain combined in PEM format

Available actions

Action	Description
write_file	Write content to a file with specified permissions
run_command	Run a command on the server
tls_check	Verify TLS connection to host:port

You can create and test custom agents directly in sslbrain's GUI editor under Agents > Custom > New agent.

Code Signing

Security is central to agents, because they are executed with elevated privileges on your servers.

All agents (built-in, community and custom) are signed:

Aspect	Detail
Signature format	ECDSA P-384 per file
Signing process	Physical touch of a YubiKey is required for each signing. No automatic batch signing.
Verification	The sslbrain server and Windows Service Agent verify the signature before execution. Invalid signatures are rejected.

Note: If FairSSL has signed an agent, a human has reviewed the code and physically approved the signing. There is no way around that step.

Custom agents you create yourself are signed with your installation's local key. They can only be executed on servers connected to your sslbrain instance.