Apply Custom Certificates for Sensor-to-Server Communications
Article ID: 287650

Products

Carbon Black EDR (formerly Cb Response) Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

How to assign custom certificates, signed by your own certificate authority, for sensor-to-server communications in the EDR Console.

Environment

  • EDR Server:  All supported versions

Resolution

1) Add the custom certificate and its private key to the EDR Console.  A summary of the certificate requirements is in the Additional Information section below.
a.  In the EDR Console, Username > Settings > Server Certificates > Add certificate.
b.  Provide a unique name (no spaces, fewer than 50 characters).
c.  Upload the certificate using Upload certificate > Choose File.
d.  Upload the private key using Upload private key > Choose File.
e.  Click Add.
Once the pair passes the server's validation checks (key/certificate match, format, dates and SAN rules), the new certificate is stored in the Postgres database and is listed on the Server Certificates page.
 
2) Confirm the new certificate is listed.
a.  In the EDR Console, Username > Settings > Server Certificates, confirm the new certificate appears in the list.
 
3)  Apply the new certificate to a sensor group (new or existing).
a.  In the EDR Console, Sensors > Settings > General > Assign Server Certificate.
b.  Use the drop-down to select the new certificate.
c.  Click Save Group at the bottom of the page to save the settings.

Additional Information

  • Certificates signed by your own certificate authority are permitted; a certificate that depends on a third-party CA is not supported.
  • Requirements for sensor-to-server certificates (refer to the EDR User Guide, Chapter 7, for a full description of each requirement):
    • A valid certificate and private key pair that the OpenSSL library can parse.
    • Both must be in unencrypted ASCII PEM format (an encrypted private key is rejected).
    • The certificate must be within its validity period (not-before and not-after dates).
    • The certificate must have two distinct SAN DNS entries.
    • Each SAN DNS entry must meet the standards for hostname formatting.
    • The CN field is not used; sensors match the SAN DNS entries, which must resolve via local DNS.
    • No SAN entry may be duplicated across any of the active certificates.
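
The following script is an added example, not part of this article or of the Carbon Black product, that produces a key pair meeting the requirements above and checks a candidate certificate against them before you upload it in step 1. It assumes the `openssl` command-line tool is installed, and the hostnames `edr.example.internal` and `edr-sensors.example.internal` are placeholders for the two names your sensors resolve via local DNS. It signs the sensor certificate with a private CA generated locally, which is the supported model (no third-party CA).

```shell
#!/usr/bin/env bash
# Added example (not Carbon Black code): issue and pre-check a sensor-to-server
# certificate for EDR. Placeholder hostnames; replace with your own.
set -eu

SAN1="${SAN1:-edr.example.internal}"          # placeholder hostname
SAN2="${SAN2:-edr-sensors.example.internal}"  # placeholder hostname

# Create a self-signed private CA in the directory $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example EDR Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue server.key/server.crt in $1, signed by the CA there, with the SAN DNS
# names given as remaining arguments. -nodes writes an unencrypted PEM key.
# The CN is deliberately meaningless because EDR ignores it.
make_sensor_cert() {
  dir="$1"; shift
  san=""
  for name in "$@"; do san="${san:+$san,}DNS:$name"; done
  printf '[v3_req]\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$dir/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ignored" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/ext.cnf" -extensions v3_req \
    -out "$dir/server.crt" 2>/dev/null
}

# Print the SAN DNS entries of certificate $1, one per line.
san_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print SAN DNS names present in both certificates $1 and $2 (must be empty,
# since no SAN may be duplicated across active certificates).
san_overlap() {
  { san_dns "$1" | sort -u; san_dns "$2" | sort -u; } | sort | uniq -d
}

# Check certificate $1 and key $2 (CA file $3) against the EDR requirements.
# Prints each failure; returns 1 if any check fails, 0 otherwise.
check_sensor_cert() {
  crt="$1"; key="$2"; ca="$3"; rc=0
  # Unencrypted PEM key that OpenSSL can parse and that matches the certificate
  if grep -q ENCRYPTED "$key"; then echo "FAIL: private key is encrypted"; rc=1; fi
  if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != "$(openssl x509 -in "$crt" -noout -pubkey)" ]; then
    echo "FAIL: private key does not match certificate"; rc=1
  fi
  # Validity period and signature by our own CA
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: certificate is outside its validity period or not signed by the CA"; rc=1
  fi
  # Two distinct SAN DNS entries, each a well-formed hostname
  n=$(san_dns "$crt" | wc -l | tr -d ' ')
  nd=$(san_dns "$crt" | sort -u | wc -l | tr -d ' ')
  if [ "$n" -lt 2 ] || [ "$nd" -ne "$n" ]; then
    echo "FAIL: need two distinct SAN DNS entries (found $n, $nd distinct)"; rc=1
  fi
  for h in $(san_dns "$crt"); do
    if ! printf '%s' "$h" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$'; then
      echo "FAIL: SAN '$h' is not a valid hostname"; rc=1
    fi
  done
  return $rc
}

# Usage: generate into ./edr-cert and check the result.
if [ "${1:-}" = "run" ]; then
  mkdir -p edr-cert
  make_ca edr-cert
  make_sensor_cert edr-cert "$SAN1" "$SAN2"
  check_sensor_cert edr-cert/server.crt edr-cert/server.key edr-cert/ca.crt && echo "OK: upload server.crt and server.key"
fi
```

Run `bash script.sh run` to produce `edr-cert/server.crt` and `edr-cert/server.key` for upload in step 1. Before assigning a second certificate to another sensor group, run `san_overlap` against every certificate already on the Server Certificates page; any name it prints would violate the no-duplicate-SAN rule.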