Why Are Self-Signed Certificates Used For Sensor Communication?

Article ID: 287229

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are self-signed certificates used for sensor communication?

Environment

  • Carbon Black EDR Server: All Versions
  • Carbon Black EDR Sensor: All Versions

Resolution

  • Sensor to server communications use statically pinned SSL certificates for both client and server.
  • Internally signed CA certificates can be configured in the console; see Managing Certificates.

Additional Information

  • Unlike browser-based trust models, using self-signed certificates for endpoint-to-server communication provides increased security benefits.
    • The browser-based model relies on Certificate Authorities deploying their root certificates in all major browsers. Each certificate for an individual domain must then have its ownership validated. A browser has no way to accurately determine the validity of a self-signed certificate.
    • The sensor must first validate the certificate sent by the server against the known certificate installed with the sensor. The server must then validate the client group cert against the internally signed client CA, validate that the matching client certificate is active for the sensor group, and validate revocation status. If any of these are not correct, the connection is terminated. The self-signed server certificate (cb-server.crt/key) and client CA (cb-client-ca.crt/key) are generated by the EDR application at the time of cbinit. Each sensor group gets a unique certificate signed by the client CA upon creation of the sensor group.
  • The browser will use cb-server.crt by default. A custom web UI certificate can be used; see Implementing Custom Web UI Certificates.
  • The self-signed certificates provided cannot be used to access the server via SSH or to gain access to the console.
  • If there is concern that a sensor group client certificate has been compromised, it can be individually revoked; see How to Revoke a Sensor Group Certificate.
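
The validation sequence described above can be reproduced in a throwaway lab with the openssl CLI. This is an added example, not Carbon Black EDR code or tooling: every file name, subject name, and the flat revoked-serial list are assumptions standing in for the server's own records.

```shell
#!/bin/sh
# Constructed lab PKI mirroring the page's model. All names and files are
# made up for this example; they are not Carbon Black EDR paths or tools.
set -eu
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
newkey="-newkey rsa:2048 -nodes"

# Self-signed server certificate: the copy the sensor is installed with (the pin).
openssl req -x509 $newkey -days 1 -subj "/CN=lab-server" \
  -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
# A second self-signed cert with the SAME subject name: a pin must reject it.
openssl req -x509 $newkey -days 1 -subj "/CN=lab-server" \
  -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
# Client CA, and one sensor-group certificate signed by it.
openssl req -x509 $newkey -days 1 -subj "/CN=lab-client-ca" \
  -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
openssl req $newkey -subj "/CN=lab-group-1" \
  -keyout "$d/group.key" -out "$d/group.csr" 2>/dev/null
openssl x509 -req -in "$d/group.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
  -CAcreateserial -days 1 -out "$d/group.crt" 2>/dev/null

# SHA-256 fingerprint and serial number of a PEM certificate.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Sensor side: accept only the exact certificate installed with the sensor.
# args: presented_cert pinned_cert
pin_matches() { [ "$(fp "$1")" = "$(fp "$2")" ]; }

# Server side: the client cert must chain to the client CA, be the active
# cert recorded for the group, and not be in the revoked-serial list.
# Any failed check rejects the connection.
# args: client_cert client_ca active_group_cert revoked_serials_file
client_cert_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  pin_matches "$1" "$3" || return 1
  ! grep -qx "$(serial "$1")" "$4"
}
```

The second self-signed certificate carries the same subject name as the pinned one yet fails `pin_matches`, which is the property a name-based browser check cannot give for self-signed certificates.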