How to generate self-signed certificate for CBC sensor gateway
Article ID: 381390

Updated On:

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

This KB article explains how to generate a self-signed certificate for the Carbon Black Cloud Sensor Gateway (CBC SGW).

An SGW administrator may need to generate a self-signed certificate in cases including, but not limited to, the following:

  1. The IP address or FQDN previously configured in the SGW needs to be changed.
  2. The default self-signed certificate was not generated when the SGW was created, because the initial installation failed to acquire an IP address via DHCP.
  3. There are no certificates under the /opt/vmware/sgw/data/certs/ directory.
  4. The administrator wants to switch temporarily from a CA-signed certificate to a self-signed certificate while the CA-signed certificate is being renewed.


Environment

SGW 1.2+

Resolution

Instructions for generating the self-signed certificate and configuring the SGW with it:

  1. Generate the self-signed certificate from the SGW machine's CLI. Either change to /tmp/, or escalate to root with su and change to /opt/vmware/sgw/data/certs.
  2. Copy the details below into a file named openssl-san.cnf and adjust the values. IP.1 is the SGW IP address, so set it accordingly; DNS.2 is the FQDN of the SGW, so remove the DNS.2 line if the SGW machine does not use an FQDN.
    [req]
    default_bits        = 2048
    distinguished_name  = req_distinguished_name
    req_extensions      = req_ext
    x509_extensions     = v3_req
    prompt              = no
    [req_distinguished_name]
    C  = Country
    ST = State
    L  = City
    O  = Organization
    OU = Organizational Unit
    CN = SGW_IP_ADDRESS_OR_FQDN

    [req_ext]
    subjectAltName = @alt_names

    [v3_req]
    keyUsage = digitalSignature
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = localhost
    DNS.2 = SGW_FQDN_REMOVE_THIS_LINE_IF_YOU_DONOT_USE_FQDN
    IP.1 = SGW_IP_ADDRESS
    IP.2 = 127.0.0.1
    IP.3 = 172.17.0.1
    IP.4 = 172.18.0.1

    Note:
    Use short values in the req_distinguished_name section (for example, C = US rather than C = United States of America); long values cause the generation to fail.
    Changing any values other than those you are instructed to fill in above is not recommended.

  3. Execute the command below, which generates two files, server.crt and server.key:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout server.key \
      -out server.crt \
      -config openssl-san.cnf
  4. Copy the content of both resulting files into a text file so they can be used in step 5.
  5. Run configure-sgw and choose "tls settings" > "Sensor Gateway" > "Sensor Gateway Certificate". Paste the content of server.crt and press Ctrl-D twice.
  6. Select the option "Sensor Gateway Certificate Private Key", press Enter to skip entering a password, then paste the content of server.key and press Ctrl-D twice to exit.
  7. Select Back > Back > Save&quit, then confirm the changes by answering y.
  8. At this point the certificate should be renewed.
  9. Push the self-signed certificate to the trust store of every endpoint machine that is expected to communicate with the CBC Sensor Gateway.
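As an added example (this is not the article's own script, nor a Carbon Black tool), the following POSIX shell script performs steps 2 and 3 above and then runs the checks a practitioner would want before pasting the files into configure-sgw: that the certificate is self-signed, that the SAN carries the SGW IP, that keyUsage and extendedKeyUsage match the config, and that server.key really belongs to server.crt. The IP address, FQDN and distinguished-name values are constructed placeholders; the working directory is a temporary directory unless WORKDIR is set.

```shell
#!/bin/sh
# Added example, not part of the KB article: generate the SGW self-signed
# certificate from the openssl-san.cnf described above and check the result
# before pasting it into configure-sgw. The IP, FQDN and DN values here are
# constructed placeholders; override them via environment variables.
set -eu

SGW_IP="${SGW_IP:-192.0.2.10}"            # assumed sensor gateway IP (documentation range)
SGW_FQDN="${SGW_FQDN:-sgw.example.test}"  # assumed FQDN; set to "" to drop the DNS.2 line
WORKDIR="${WORKDIR:-$(mktemp -d)}"        # stand-in for /tmp or /opt/vmware/sgw/data/certs

# Step 2: write the config file, filling in CN, DNS.2 and IP.1; other values stay as in the article.
write_config() {
    if [ -n "$SGW_FQDN" ]; then
        dns2_line="DNS.2 = $SGW_FQDN"
    else
        dns2_line=""
    fi
    cat > "$WORKDIR/openssl-san.cnf" <<EOF
[req]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = v3_req
prompt              = no
[req_distinguished_name]
C  = US
ST = State
L  = City
O  = Organization
OU = Organizational Unit
CN = ${SGW_FQDN:-$SGW_IP}

[req_ext]
subjectAltName = @alt_names

[v3_req]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
$dns2_line
IP.1 = $SGW_IP
IP.2 = 127.0.0.1
IP.3 = 172.17.0.1
IP.4 = 172.18.0.1
EOF
}

# Step 3: the article's openssl command, producing server.key and server.crt.
generate_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORKDIR/server.key" \
        -out "$WORKDIR/server.crt" \
        -config "$WORKDIR/openssl-san.cnf" 2>/dev/null
}

# Checks to run before loading the files into configure-sgw: self-signed
# (issuer equals subject), SAN contains the SGW IP, key usage and EKU match
# the config, and the private key corresponds to the certificate's public key.
verify_cert() {
    crt="$WORKDIR/server.crt"
    key="$WORKDIR/server.key"
    text=$(openssl x509 -in "$crt" -noout -text)
    subject=$(openssl x509 -in "$crt" -noout -subject)
    issuer=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || { echo "not self-signed" >&2; return 1; }
    echo "$text" | grep -q "IP Address:$SGW_IP" || { echo "SAN lacks IP.1" >&2; return 1; }
    echo "$text" | grep -q "Digital Signature" || { echo "keyUsage mismatch" >&2; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo "EKU mismatch" >&2; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    return 0
}

write_config
generate_cert
verify_cert
echo "Certificate and key written to $WORKDIR; SHA-256 fingerprint:"
openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha256
```

Run it as-is to produce the files in a temporary directory, or run it as root with WORKDIR=/opt/vmware/sgw/data/certs and your real SGW_IP and SGW_FQDN to write them where the article places them. Step 9 still applies: the sensors will only trust the gateway once server.crt is in their trust store, and the fingerprint printed at the end is what you compare against on the endpoints to confirm the right certificate was distributed.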

Additional Information

  • KeyUsage: keyEncipherment is not supported.
  • Key length: 4096-bit keys are supported.