A Carbon Black sensor communicates with the Sensor Gateway through a certificate. The Sensor Gateway can run with either a CA-signed certificate or a self-signed certificate. Carbon Black recommends using CA-signed certificates so that you can install all needed certificates on all Sensor Gateway servers at once instead of installing the trusted certificate on each machine individually.
When a certificate authority (CA) issues a certificate, the certificate has a fully qualified domain name (FQDN) associated with it, and every browser or device that trusts the CA also trusts this certificate.
For example, if you have a CA-signed certificate issued for sensorgateway.company.com, then when you open that address in a browser or when the Carbon Black sensor connects to the Sensor Gateway, you do not get a certificate validation error as long as the certificate matches the https://sensorgateway.company.com address.
When generating a CA-signed certificate, you can also assign it an IP address. When a browser or a Carbon Black sensor connects to the Sensor Gateway at https://sensorgateway.company.com or at the IP address (available in the Subject Alternative Names or Common Names), neither the browser nor the sensor generates an error.
If you have a certificate with an IP address in the Subject Alternative Name (SAN) and an FQDN in the Common Name (CN), and some sensors access the Sensor Gateway using the FQDN while others use the IP address, you must register your Sensor Gateway entry point with an IP address. That way, when the Carbon Black Cloud sends a URL to the sensor, it modifies the URL to point to the Sensor Gateway.
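
Before registering an entry point, it helps to confirm which certificate field actually covers it. The following is an added example, not Carbon Black code: it works on the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificate and the address `192.0.2.10` are constructed, and `covering_field` is a hypothetical helper that only reports where a name appears (it does not model the sensor's own validation).

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# FQDN in the Common Name, IP address in the SAN (the case described above).
CERT = {
    "subject": ((("commonName", "sensorgateway.company.com"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only replace the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def covering_field(cert, entry_point):
    """Return 'SAN-IP', 'SAN-DNS', 'CN' or None for a gateway entry point."""
    ip = _as_ip(entry_point)
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and _as_ip(value) == ip:
            return "SAN-IP"
        if ip is None and kind == "DNS" and _dns_match(value, entry_point):
            return "SAN-DNS"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key != "commonName":
                continue
            if ip is not None and _as_ip(value) == ip:
                return "CN"
            if ip is None and _dns_match(value, entry_point):
                return "CN"
    return None

if __name__ == "__main__":
    for ep in ("sensorgateway.company.com", "192.0.2.10", "192.0.2.11"):
        print(f"{ep:28} -> {covering_field(CERT, ep)}")
```

A result of `None` means the entry point appears in neither the SAN nor the CN, so a connection to that address would fail certificate validation.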