CB Response: How to revoke a sensor group certificate version 6.1 and below

Article ID: 292293

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to revoke or invalidate a sensor certificate for a group in CB Response server 6.1 and below

Environment

  • CB Response Server: 6.1.x and Below

Resolution

  1. Display the active certificates
     /usr/share/cb/cbssl sensor-certs --list
  2. Revoke the group certificate
    1. If the group still exists, use the group id or group name
       /usr/share/cb/cbssl sensor-certs --revoke --group-id <groupid>

       /usr/share/cb/cbssl sensor-certs --revoke --group-name <groupname>
    2. If the group has been deleted, only the cert id can be used for identification
       /usr/share/cb/cbssl sensor-certs --revoke --cert-id <certid>



 

Additional Information

  • A deleted group will still have an active sensor certificate. A sensor matching a valid certificate of a deleted group will be moved to the default group automatically.
  • Revoking a sensor certificate will issue a new client cert for active sensor groups and will update sensor installers. Any old install packages for a sensor group should not be used after the certificate is revoked. 
  • The cert id is displayed with the --list switch and is 32 characters long:
    --- Sensor Group[1]: 'Default Group' ---
    de192eb150aa4a2cbda0e64a179d88d9 - ACTIVE
  • Group Ids can be found in the browser URL when selecting the group: https://<servername>/#/hosts/<groupid>
  • It is a good idea to take a backup of the revocation list after the change, in case a recovery is needed later:
    /usr/share/cb/cbssl backup --out <path>/backup.certs
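
Because revoking by cert id is the only option for a deleted group and a revocation also changes the group's installers, it is worth confirming that the id is well formed and still listed as ACTIVE before running the command. The script below is an added example, not vendor code: it assumes the --list output always follows the two-line layout shown above and that cert ids are lowercase hex, and the function names and sample ids are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): pre-revocation check for a cert id.
# Only the two-line listing layout comes from the article; ids below are constructed.

sample_listing() {
cat <<'EOF'
--- Sensor Group[1]: 'Default Group' ---
0123456789abcdef0123456789abcdef - ACTIVE
--- Sensor Group[7]: 'Lab Servers' ---
fedcba9876543210fedcba9876543210 - ACTIVE
EOF
}

# stdin: `cbssl sensor-certs --list` output.
# stdout: group_id <TAB> group_name <TAB> cert_id <TAB> status, one line per cert.
parse_listing() {
  awk -v q="'" '
    /^--- Sensor Group\[[0-9]+\]: / {
      match($0, /\[[0-9]+\]/); gid = substr($0, RSTART + 1, RLENGTH - 2)
      split($0, part, q); name = part[2]
      next
    }
    /^[0-9a-f]+ - [A-Z]+$/ { print gid "\t" name "\t" $1 "\t" $3 }
  '
}

# True only for exactly 32 lowercase hex characters (hex is assumed from the sample id).
is_cert_id() {
  case "$1" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# stdin: listing. $1: cert id to revoke. Prints the revoke command only if the id
# is well formed and currently listed as ACTIVE; otherwise explains why on stderr.
revoke_cmd_for_cert() {
  want=$1
  is_cert_id "$want" || { echo "not a 32-character hex cert id: $want" >&2; return 2; }
  # Appending "" forces string comparison, so an all-digit id is not compared as a float.
  hit=$(parse_listing | awk -F'\t' -v id="$want" '($3 "") == (id "") && $4 == "ACTIVE"')
  [ -n "$hit" ] || { echo "cert id $want is not listed as ACTIVE" >&2; return 1; }
  printf 'affects group %s\n' "$(printf '%s' "$hit" | cut -f1,2)" >&2
  printf '/usr/share/cb/cbssl sensor-certs --revoke --cert-id %s\n' "$want"
}

# Demo on the constructed listing; on a server, pipe the real --list output instead.
sample_listing | revoke_cmd_for_cert fedcba9876543210fedcba9876543210
```

The script only prints the revoke command; running it remains a deliberate manual step.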