When troubleshooting sensor online status on a Carbon Black EDR server, it can be necessary to check that the server and the sensor agree on both the sensor group certificate and the server certificate. The verification steps below cover the server side and the endpoint side.
Carbon Black EDR Server
Carbon Black EDR Server certificate:
Check that the fingerprint of the server certificate is the same on the EDR Server and on the EDR Sensor at the endpoint:
Server side check:
[root@EDR-Server tmp]# openssl x509 -noout -fingerprint -sha1 -in /etc/cb/certs/cb-server.crt
SHA1 Fingerprint=63:ED:DF:DD:1D:9D:8D:E7:D7:97:70:D7:ED:74:D7:D8:46:14:82:9A
[root@EDR-Server ~]# psql -d cb -p 5002 -c "SELECT sg.name AS sensor_group_name, sc.name AS server_cert_name, sc.thumbprint FROM public.sensor_groups sg JOIN public.server_certs sc ON sg.server_cert_id = sc.id;"
sensor_group_name | server_cert_name | thumbprint
----------------------+------------------+-------------------------------------------------------------
Default Group | Legacy | 63:ED:DF:DD:1D:9D:8D:E7:D7:97:70:D7:ED:74:D7:D8:46:14:82:9A
GroupWithWin10 | Legacy | 63:ED:DF:DD:1D:9D:8D:E7:D7:97:70:D7:ED:74:D7:D8:46:14:82:9A
.....Omitted.....
test | Temp_cert | DE:A4:0F:F3:7A:8D:8B:96:DC:D7:5C:6B:76:36:F1:96:25:FF:7A:7C
LinuxTests | Legacy | 63:ED:DF:DD:1D:9D:8D:E7:D7:97:70:D7:ED:74:D7:D8:46:14:82:9A
In the outputs above, the first command shows the thumbprint of the server-side certificate, and the second shows which server certificate is assigned to each sensor group, so you can find the one for the group of interest.
Endpoint side:
C:\Windows\System32>reg query "HKLM\SOFTWARE\CarbonBlack\Config" /v ServerThumbprint
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\Config
ServerThumbprint REG_SZ 63EDDFDD1D9D8DE7D79770D7ED74D7D84614829A
The ServerThumbprint value matches the server-side SHA1 fingerprint (the registry stores the same hex digits without the colon separators), so the server certificate is in sync.
Carbon Black EDR Sensor group certificate:
The one-liner below prints a table of all sensor groups with the thumbprint of their respective sensor group certificate (signed by cb-ca-client) and its revocation status. If a group has two entries, one is the currently active certificate and the other is the previously revoked one.
[root@EDR-Server tmp]# psql -p 5002 cb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" && psql -p 5002 cb -t --csv -c "SELECT sg.name, upper(encode(digest(decode(regexp_replace(regexp_replace(scc.x509_cert, '-----(BEGIN|END) CERTIFICATE-----', '', 'g'), '\s+', '', 'g'), 'base64'), 'sha1'), 'hex')), CASE WHEN scc.revocation_time IS NULL THEN 'Active' ELSE 'Revoked' END FROM sensor_groups sg LEFT JOIN sensor_client_certs scc ON scc.sensor_group_id = sg.id;" | sed '1i Group Name,Fingerprint (SHA1),Revocation_Status' | column -s, -t && psql -p 5002 cb -c "DROP EXTENSION IF EXISTS pgcrypto;"
CREATE EXTENSION
Group Name Fingerprint (SHA1) Revocation_Status
Default Group 3DB2C1D3B3624D155E3A2E5CBFBA3D0DF78C5B8C Active
GroupWithWin10 AB003072DB1412DDEDB6F64CC15AE4382952B335 Active
.....Omitted.....
test 31B68EB6C3C98A2537C18DA5CA7B7C7B9F3FA6D0 Active
LinuxTests 19454DC446EAF367EF94B0D8CAB1809A0E31248F Active
DROP EXTENSION
Compare the fingerprint of the sensor group's certificate with the fingerprint of the group certificate the sensor is using on the endpoint side:
C:\Windows\System32>reg query "HKLM\SOFTWARE\CarbonBlack\Config" /v sensorThumbprint
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\Config
sensorThumbprint REG_SZ 3DB2C1D3B3624D155E3A2E5CBFBA3D0DF78C5B8C
The sensorThumbprint value matches the active certificate of "Default Group", the group this sensor belongs to, so the sensor holds the correct group certificate.
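The two comparisons above pulled into one script, as an added example that is not Carbon Black's code: it normalizes the thumbprint spellings seen on this page (openssl with colons, registry without), recomputes a SHA-1 fingerprint from a PEM body the same way the psql one-liner does, and parses the psql table and reg query output. The function names are mine, and the sample inputs are constructed from the outputs shown above.

```python
import base64, hashlib, re

def normalize_thumbprint(value):
    """openssl '63:ED:..', registry '63ED..' and psql hex all become bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def pem_sha1_fingerprint(pem):
    """Same pipeline as the psql one-liner: strip PEM armour and whitespace,
    base64-decode to DER, SHA-1 the DER (what openssl -fingerprint -sha1 hashes)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return hashlib.sha1(base64.b64decode(re.sub(r"\s+", "", body))).hexdigest().upper()

def parse_reg_query(output, value_name):
    """Pull one REG_SZ value out of 'reg query <key> /v <name>' output (name match is case-insensitive)."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == value_name.lower() and parts[1] == "REG_SZ":
            return parts[2]
    raise ValueError(f"{value_name} not found in reg query output")

def parse_psql_table(output):
    """Map group name -> normalized thumbprint from the aligned psql table (first and last columns)."""
    rows = {}
    for line in output.splitlines():
        if "|" not in line:
            continue  # separator line or non-table text
        cells = [c.strip() for c in line.split("|")]
        if cells[0] != "sensor_group_name":  # skip the header row
            rows[cells[0]] = normalize_thumbprint(cells[-1])
    return rows

def in_sync(server_value, endpoint_value):
    return normalize_thumbprint(server_value) == normalize_thumbprint(endpoint_value)

# Constructed sample inputs, copied from the outputs shown on this page.
SERVER_CERT_TABLE = r"""
 sensor_group_name | server_cert_name | thumbprint
-------------------+------------------+------------------------------------------------------------
 Default Group     | Legacy           | 63:ED:DF:DD:1D:9D:8D:E7:D7:97:70:D7:ED:74:D7:D8:46:14:82:9A
 test              | Temp_cert        | DE:A4:0F:F3:7A:8D:8B:96:DC:D7:5C:6B:76:36:F1:96:25:FF:7A:7C
"""
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\Config
    ServerThumbprint    REG_SZ    63EDDFDD1D9D8DE7D79770D7ED74D7D84614829A
"""

if __name__ == "__main__":
    table = parse_psql_table(SERVER_CERT_TABLE)
    endpoint = parse_reg_query(REG_OUTPUT, "ServerThumbprint")
    for group, thumb in table.items():
        print(f"{group}: {'in sync' if in_sync(thumb, endpoint) else 'OUT OF SYNC'} with endpoint {endpoint}")
```

Feed it the real psql table and the real reg query output for the group the sensor belongs to; only that group's row is expected to match.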