6.6 Legacy Windows Installs
Install the CertKit Agent on older Windows Server hosts.
Windows Server 2012 R2 and some older Windows Server 2016 builds may use older .NET/PowerShell defaults for outbound HTTPS requests. When that happens, the CertKit Agent binary will run normally, but the bootstrap command can fail before it downloads the installer.
The common symptom is an Invoke-WebRequest or Invoke-RestMethod error such as Could not create SSL/TLS secure channel. Tell Windows PowerShell to use TLS 1.2 before making the HTTPS request.
TLS 1.2 in PowerShell
Set the current Windows PowerShell process to use TLS 1.2:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
This setting only applies to the current PowerShell process. If your command starts a new PowerShell.exe process, set TLS 1.2 inside that process too.
Legacy Windows Install Example
Run this from an elevated 64-bit Windows PowerShell prompt and replace your.registration_key_here with the registration key from the CertKit Agents page.
$env:REGISTRATION_KEY="your.registration_key_here"
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -UseBasicParsing https://app.certkit.io/agent/latest/install.ps1 |
Invoke-Expression
"
The hosted install.ps1 script also sets TLS 1.2 before it downloads the agent binary from GitHub. The extra line above fixes the first request, where Windows has to download install.ps1 from CertKit.
Legacy Windows Checklist
- Use elevated PowerShell: The installer creates a Windows service, writes under
C:\Program Files\CertKit, createsC:\ProgramData\CertKit\certkit-agent\config.json, registers an Event Viewer source, and installs certificates into the Local Machine certificate store. - Use 64-bit Windows PowerShell: The installer selects the agent binary from
$env:PROCESSOR_ARCHITECTURE. On 64-bit Windows Server, run the normalSystem32Windows PowerShell, not the 32-bitSysWOW64shell. - Keep root certificates current: Legacy hosts with stale root CAs can still fail HTTPS validation even after enabling TLS 1.2. Confirm the server trusts the certificate chains used by
app.certkit.io,api.github.com, andgithub.com. - Leave
-UseBasicParsingin place: Older Windows PowerShell versions can depend on Internet Explorer components for HTML parsing unless-UseBasicParsingis specified.
Verify the Install
After installation, use these commands from an elevated PowerShell prompt:
Get-Service certkit-agent
Get-Content "C:\ProgramData\CertKit\certkit-agent\certkit-agent.log" -Tail 200
& "C:\Program Files\CertKit\bin\certkit-agent.exe" validate --config "C:\ProgramData\CertKit\certkit-agent\config.json"