Generating SSL Certs for the EDR WebUI
search cancel

Generating SSL Certs for the EDR WebUI


Article ID: 285760


Updated On:


Carbon Black EDR (formerly Cb Response)


How to create the SSL certs used for the EDR WebUI. 


  • EDR: All Supported Versions


Before Proceeding: 

  • This is procedure should only be performed when using a different port for webui from the sensors. Replacing the default self signed cert (cb-server.crt/key) all together will disconnect the sensors

To generate a new SSL certificate for the WebUI use the following commands:

1. Creating the csr and key file:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

2. Creating the crt using the csr and key:

openssl x509 -req -days 365 -in myserver.csr -signkey myserver.key -out myserver.crt

3. Once the new certs are in the /etc/cb/certs folder, change the cb.multihome.conf file in the /etc/cb/nginx/conf.d config to point to the new certs

4. Restart the EDR services.

Additional Information

  • We do not support certificate requests, design, or generation; this procedure should be followed for those familiar with using OpenSSL
  • This procedure will still generate a security error in the browser when accessing the WebUI, this is still a self-signed certificate with no Root CA for the browser to check against. This would required a certificate signed by an internal CA to no longer display the warning. 
  • By default the cb-server.crt/key handles the sensor and webui over port 443. Replacing this certificate will cause sensors to go offline as the server will have a different certificate than the sensors. To create a new sensor communication certificate, please follow the information in the user guide under "Managing Certificates" and keep the cb-server.crt/key as a fallback. Expired self-signed certs for sensor comms will still allow communication, only CA signed certs are allowed to be placed into strict validation. See: What are the Strict Validation Mode Requirements by Sensor Platform?