EDR: What SANs are Required for Sensor-Server Custom Certificates?

Article ID: 285291

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The custom certificate for sensor-server communication requires two SANs. What should be used on the two SANs?

Environment

  • EDR Server: 6.4.x and Higher

Resolution

Two SANs are required: one for Master communication and one for Minion communication (or for future growth; see Additional Information below).
  • The SANs must not match the FQDN of the EDR Server
  • If using multiple sensor groups, the SANs must be different for each group
  • For EDR Hosted servers, sensor.<hostedname> should not be used
DNS mapping is not required for the SAN. The sensor will update the hosts file on the endpoint with the two SAN entries to properly map to the DNS lookup of the Server URL provided in the sensor groups page.

Additional Information

  • The feature utilizes nginx vhosts to intercept the SAN and forward to the correct certificate check on the server side.
  • Configurations are written to /var/cb/nginx/vhosts/server_X.conf.
  • The Server-Sensor Certificate Requirements section of the user guide has more certificate information.
  • These are virtual names used to route the certificate matching internally in the product; they do not need to match an actual server name in the environment.
  • Two SANs are required in case a single-node instance has to be turned into a cluster in the future.

Example: Server Name of "MyEDR"
  • Sensor Certificate 1 SANs: cb1, cb2
  • Sensor Certificate 2 SANs: cb3, cb4
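As an added illustration (not from this article or from Carbon Black), the snippet below encodes the rules above as shell checks and emits an openssl config that carries the two virtual names in subjectAltName; check_sans and san_config are hypothetical helper names, and the values follow the MyEDR example.

```shell
# Rules from the article as checks: exactly two SANs per sensor certificate,
# none equal to the EDR server FQDN, and no SAN reused by another sensor group.
# check_sans FQDN "san1 san2" ["sans already used by other groups"]
# Returns 0 when the list satisfies the rules, 1 otherwise.
check_sans() {
  fqdn=$1; sans=$2; used=${3:-}
  set -- $sans
  [ "$#" -eq 2 ] || { echo "need exactly two SANs, got $#" >&2; return 1; }
  for san in "$@"; do
    if [ "$san" = "$fqdn" ]; then
      echo "SAN '$san' must not match the server FQDN" >&2; return 1
    fi
    for u in $used; do
      if [ "$san" = "$u" ]; then
        echo "SAN '$san' is already used by another sensor group" >&2; return 1
      fi
    done
  done
  return 0
}

# san_config FQDN "san1 san2": print an openssl config whose CN is the real
# server name and whose subjectAltName carries the two virtual names.
san_config() {
  fqdn=$1; set -- $2
  cat <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $fqdn
[v3_san]
subjectAltName = DNS:$1,DNS:$2
EOF
}

# Constructed values from the article's example: server "MyEDR",
# sensor group 1 uses cb1/cb2, sensor group 2 uses cb3/cb4.
check_sans MyEDR "cb1 cb2" && check_sans MyEDR "cb3 cb4" "cb1 cb2"

# Produce a self-signed test certificate for group 1 when openssl is present.
if command -v openssl >/dev/null 2>&1; then
  san_config MyEDR "cb1 cb2" > san_group1.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout group1.key -out group1.crt -config san_group1.cnf
  openssl x509 -in group1.crt -noout -text | grep -A1 'Subject Alternative Name'
fi
```

The self-signed certificate is only for verifying the SAN layout; a production sensor-server certificate is issued per the user guide's Server-Sensor Certificate Requirements section.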