6.6 Legacy Windows Installs

Install the CertKit Agent on older Windows Server hosts.

Windows Server 2012 R2 and some older Windows Server 2016 builds may use older .NET/PowerShell defaults for outbound HTTPS requests. When that happens, the CertKit Agent binary will run normally, but the bootstrap command can fail before it downloads the installer.

The common symptom is an Invoke-WebRequest or Invoke-RestMethod error such as Could not create SSL/TLS secure channel. Tell Windows PowerShell to use TLS 1.2 before making the HTTPS request.

TLS 1.2 in PowerShell

Set the current Windows PowerShell process to use TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

This setting only applies to the current PowerShell process. If your command starts a new PowerShell.exe process, set TLS 1.2 inside that process too.

Legacy Windows Install Example

Run this from an elevated 64-bit Windows PowerShell prompt and replace your.registration_key_here with the registration key from the CertKit Agents page.

$env:REGISTRATION_KEY="your.registration_key_here"
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -UseBasicParsing https://app.certkit.io/agent/latest/install.ps1 |
    Invoke-Expression
"

The hosted install.ps1 script also sets TLS 1.2 before it downloads the agent binary from GitHub. The extra line above fixes the first request, where Windows has to download install.ps1 from CertKit.

Legacy Windows Checklist

  • Use elevated PowerShell: The installer creates a Windows service, writes under C:\Program Files\CertKit, creates C:\ProgramData\CertKit\certkit-agent\config.json, registers an Event Viewer source, and installs certificates into the Local Machine certificate store.
  • Use 64-bit Windows PowerShell: The installer selects the agent binary from $env:PROCESSOR_ARCHITECTURE. On 64-bit Windows Server, run the normal System32 Windows PowerShell, not the 32-bit SysWOW64 shell.
  • Keep root certificates current: Legacy hosts with stale root CAs can still fail HTTPS validation even after enabling TLS 1.2. Confirm the server trusts the certificate chains used by app.certkit.io, api.github.com, and github.com.
  • Leave -UseBasicParsing in place: Older Windows PowerShell versions can depend on Internet Explorer components for HTML parsing unless -UseBasicParsing is specified.

Verify the Install

After installation, use these commands from an elevated PowerShell prompt:

Get-Service certkit-agent
Get-Content "C:\ProgramData\CertKit\certkit-agent\certkit-agent.log" -Tail 200
& "C:\Program Files\CertKit\bin\certkit-agent.exe" validate --config "C:\ProgramData\CertKit\certkit-agent\config.json"