A Carbon Black sensor communicates with the Sensor Gateway over a connection secured by the gateway's certificate. The Sensor Gateway can run with either a CA-signed certificate or a self-signed certificate. Carbon Black recommends CA-signed certificates, because you can install all needed certificates on all Sensor Gateway servers at once instead of installing the trusted certificate on each machine individually.

CA-Signed Certificates

When a certificate authority (CA) issues a certificate, the certificate is bound to a fully qualified domain name (FQDN), and every browser or device that trusts the CA can validate that certificate.

For example, if you have a CA-signed certificate issued for sensorgateway.example.com, neither a browser that opens the site nor a Carbon Black sensor that communicates with the Sensor Gateway reports a certificate validation error, provided that the fully qualified domain name (FQDN) of the machine matches the certificate.

When you generate a CA-signed certificate, you can also include an IP address in it. When a browser or a Carbon Black sensor reaches the Sensor Gateway at https://sensorgateway.example.com or at the IP address (listed in the subject alternative names or used as the common name), neither the browser nor the sensor generates an error.

If you have a certificate with an IP address in the subject alternative name (SAN) and an FQDN in the common name (CN), and some sensors access the Sensor Gateway by FQDN while others use the IP address, you must register the Sensor Gateway entry point with the IP address. This matters because, when Carbon Black Cloud sends a URL to the sensor, it modifies the URL to point to the Sensor Gateway.

Self-Signed Certificates

As with CA-signed certificates, the CN that you provide when generating a self-signed certificate must match the FQDN or IP address of the machine. When generating a self-signed certificate, you can enter either an IP address or an FQDN when prompted for the CN. For example, if you use the IP address 192.168.10.100 as the CN of a self-signed certificate, you must install this certificate on the Sensor Gateway machine that has that same IP address. The certificate is then valid when the sensors access the Sensor Gateway.
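The matching rule behind both sections (an FQDN or IP address the sensor connects to must appear in the certificate's SAN entries or, failing that, its CN) is illustrated below with an added example. This is not Carbon Black code and not the check the sensor itself performs; it is a stand-alone Python implementation of the standard name-matching logic, applied to certificates in the dict shape that Python's ssl.getpeercert() returns. The three sample certificates (a CA-signed style certificate with FQDN and IP in the SAN, the mixed IP-in-SAN/FQDN-in-CN case from the CA-signed section, and a self-signed certificate whose CN is 192.168.10.100) are constructed for the example.

```python
"""Match an FQDN or IP literal against a certificate's SAN and CN entries.

Constructed example: the certificates below are hand-written dicts in the
layout returned by ssl.SSLSocket.getpeercert(); they are not real certificates.
"""
import ipaddress
from typing import Optional

# CA-signed style: FQDN in the CN, and both FQDN and IP address in the SAN.
CA_SIGNED_CERT = {
    "subject": ((("commonName", "sensorgateway.example.com"),),),
    "subjectAltName": (
        ("DNS", "sensorgateway.example.com"),
        ("IP Address", "192.168.10.100"),
    ),
}

# Mixed case from the page: IP address only in the SAN, FQDN only in the CN.
MIXED_CERT = {
    "subject": ((("commonName", "sensorgateway.example.com"),),),
    "subjectAltName": (("IP Address", "192.168.10.100"),),
}

# Self-signed style: CN is the gateway's IP address and there is no SAN at all.
SELF_SIGNED_IP_CERT = {
    "subject": ((("commonName", "192.168.10.100"),),),
}


def _common_name(cert: dict) -> Optional[str]:
    """Return the commonName from the nested subject tuples, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a single leading '*.' label is allowed."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(sep) and head != "" and tail == pattern[2:]
    return False


def cert_matches_endpoint(cert: dict, endpoint: str) -> bool:
    """True if `endpoint` (an FQDN or an IP literal) is covered by `cert`.

    * An IP literal must appear as an "IP Address" SAN entry; only when the
      certificate carries no SAN extension at all is an IP literal in the CN
      accepted (the self-signed case on the page).
    * A hostname is checked against "DNS" SAN entries; the CN is consulted
      only when there are no DNS SAN entries (RFC 6125 behaviour).
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_entries = [value for kind, value in san if kind == "IP Address"]
    cn = _common_name(cert)

    try:
        target_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        target_ip = None  # endpoint is a hostname, not an IP literal

    if target_ip is not None:
        for entry in ip_entries:
            try:
                if ipaddress.ip_address(entry) == target_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry; ignore it
        if not san and cn:
            try:
                return ipaddress.ip_address(cn) == target_ip
            except ValueError:
                return False
        return False

    if dns_names:
        return any(_dns_match(name, endpoint) for name in dns_names)
    return cn is not None and _dns_match(cn, endpoint)


if __name__ == "__main__":
    for label, cert in (("ca-signed", CA_SIGNED_CERT),
                        ("mixed", MIXED_CERT),
                        ("self-signed", SELF_SIGNED_IP_CERT)):
        for endpoint in ("sensorgateway.example.com", "192.168.10.100",
                         "other.example.com", "192.168.10.101"):
            print(f"{label:12} {endpoint:28} {cert_matches_endpoint(cert, endpoint)}")
```

The self-signed certificate is accepted for 192.168.10.100 but rejected for sensorgateway.example.com, which is exactly why the page says the CN must match the name the sensors actually use; the mixed certificate is accepted for both names because the FQDN falls back to the CN when the SAN has no DNS entry.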