EDR: Sensors Go Offline After Revoking a Group Certificate
search cancel

EDR: Sensors Go Offline After Revoking a Group Certificate


Article ID: 287960


Updated On:


Carbon Black EDR (formerly Cb Response) Carbon Black Hosted EDR (formerly Cb Response Cloud)


After revoking a sensor group client certificate, sensors in that group go offline


  • EDR Server: 7.5.0 +


Revoking a client group cert is meant to be used in the event that there is a suspected bad actor. This is expected behavior


If many sensors are now offline and need to be reconnected, the following steps can be performed
  1. Find the cert id by your group id
    psql -p 5002 cb -c "select id from sensor_client_certs where sensor_group_id = <group_id>;"
  2. Update postgres by removing the revocation_time from the cert
    psql -p 5002 cb -c "update sensor_client_certs set revocation_time = null where id = '<cert_id_here>';"
  3.  Reload the cert into cb-datagrid
    /usr/share/cb/cbdatagrid evict SensorClientCert <cert_id_here>
  4. Give it time for sensors to connect and get the updated cert, then revoke the old cert again
    /usr/share/cb/cbssl sensor_certs --revoke --cert-id=<cert_id_here>

Additional Information

To avoid this from happening, the following steps should be performed
  1. Move all sensors from the group to be revoked into another group, giving them some time to check in and get the update (a few hours to be safe)
  2. Revoke the cert
  3. Move the sensors back