EDR: How to Replace Expired Custom Sensor Cert?



Article ID: 289610

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How do I replace an expired custom sensor certificate on the EDR server?

Environment

  • EDR: All versions

Resolution

Because the sensor pins the server certificate for sensor -> server communication, each server name can belong to only one certificate at a time. No duplicate SAN entries are allowed across any active certificates: if the SAN list of the certificate being uploaded contains an entry that an active certificate already uses, the upload is rejected. An expired certificate that is still assigned to a sensor group still counts as active for this check, which is why a like-for-like replacement (same SANs) is refused.

There are two options:

1. Upload a new certificate whose SANs differ from those of the expired one. The SANs can be any hostnames; they do not have to resolve in DNS, because the hosts file on each sensor is updated when the certificate is deployed, and the sensor pins the certificate rather than trusting a name. Aside from a device on the network path that inspects or intercepts the TLS handshake (which typically breaks certificate pinning anyway), the SAN names are not exposed anywhere else. For example, banana.edrserver.com and pear.edrserver.com would be valid entries that exist only inside the system.

2. Switch the affected sensor groups back to the legacy certificate in their sensor group settings, delete the expired certificate, and then upload the new certificate and assign the groups to it. Once the expired certificate has been deleted it is no longer active, so its SAN entries no longer conflict and the replacement may reuse them.
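The script below is an added example, not part of this article or of the Carbon Black EDR product. It shows the preparatory work for option 1: minting a replacement server certificate that carries fresh SANs, and checking before upload that the new certificate shares no DNS SAN entry with the certificate it replaces (the condition that makes the server reject the upload). It also prints the hosts-file lines a sensor would need so that the new SANs resolve without DNS. All hostnames, file names and the 10.0.0.5 server address are made up for the illustration; the certificates are self-signed test certificates generated locally with OpenSSL.

```shell
#!/usr/bin/env sh
# Added example (not from the KB article). Assumes OpenSSL is installed.
# Hostnames, file names and the server IP are constructed for illustration.
set -eu

# Print the DNS SAN entries of a PEM certificate, one per line, sorted.
# IP SANs are ignored; the article only discusses hostname SANs.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' | sort -u
}

# Generate a self-signed test certificate: $1 = output prefix,
# $2 = SAN list in OpenSSL syntax ("DNS:a,DNS:b"). A config file is used
# instead of -addext so this also works on older OpenSSL releases.
make_cert() {
  cfg="$1.cnf"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$cfg"
  printf '[dn]\nCN=edrserver\n[ext]\nsubjectAltName=%s\n' "$2" >> "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cfg" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Print the DNS SAN entries that appear in both certificates (may be empty).
san_overlap() {
  tmp=$(mktemp)
  cert_sans "$1" > "$tmp"
  cert_sans "$2" | grep -Fxf "$tmp" || true
  rm -f "$tmp"
}

# Return 0 when the new certificate ($2) can be uploaded alongside the
# active one ($1), 1 when a duplicate SAN entry would make EDR reject it.
check_replacement() {
  dup=$(san_overlap "$1" "$2")
  if [ -n "$dup" ]; then
    echo "REJECT: duplicate SAN entries: $(echo "$dup" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "OK: $2 shares no SAN with $1"
}

# Emit the hosts-file lines a sensor needs so each SAN of $1 resolves to
# the server address $2 without any DNS entry.
hosts_lines() {
  cert_sans "$1" | while read -r name; do printf '%s %s\n' "$2" "$name"; done
}

# Demo: the expired cert and two candidate replacements (constructed data).
work=$(mktemp -d)
make_cert "$work/old" "DNS:apple.edrserver.com,DNS:edrserver.com"
make_cert "$work/new" "DNS:banana.edrserver.com,DNS:pear.edrserver.com"
make_cert "$work/bad" "DNS:pear.edrserver.com,DNS:apple.edrserver.com"

check_replacement "$work/old.pem" "$work/new.pem"          # accepted
check_replacement "$work/old.pem" "$work/bad.pem" || true  # rejected: apple.edrserver.com
hosts_lines "$work/new.pem" 10.0.0.5                       # 10.0.0.5 banana.edrserver.com ...
```

Run the check against the certificate that is currently assigned to the sensor groups (exported from the server) before uploading, and deploy the printed hosts lines to the sensors together with the new certificate; the SAN names never need to exist in DNS.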