You can update the SSL certificate on a Sensor Gateway when the certificate is about to expire or it has been compromised.

While changing the certificate, avoid getting the sensors permanently disconnected from the Carbon Black Cloud.

Prerequisites

Verify that all sensors are connected to the Sensor Gateway so that they can access and download the new certificate.

Procedure

  1. Obtain a new certificate.
    The new certificate must have the same common name (CN) as the current certificate.
  2. Navigate to the Settings > API Access > Sensor Gateways tab and double-click the Sensor Gateway for which you must renew the certificate.
  3. Locate the Certificate field and click Update.
  4. Click Upload File, select the newly obtained certificate, and upload it.
    The Carbon Black Cloud sends the new certificate to all sensors connected to the Cloud through this Sensor Gateway. Then, each sensor sends a status back to the Cloud confirming if it has successfully accepted the new certificate.
  5. To see errors reported by the sensors connected to the Sensor Gateway, navigate to the Inventory > VM Workloads > Enabled tab.
    1. Select the Sensor Gateway from the Sensor Gateway filter facet.
    2. Select Errors from the Status filter facet.
    3. To see the details for the sensor reporting the error, double-click the relevant row.
    Note: Continue with updating the certificate on the Sensor Gateway only if there are no errors reported by the sensors in the Carbon Black Cloud console.
  6. Replace the SSL certificate on the Sensor Gateway.
    1. Rename the new certificate to sgw_certificate.pem and its private key to sgw_key.pem.
    2. Copy the new certificate and its private key to the /data/certs folder on the Sensor Gateway device.
    3. Restart the Sensor Gateway by first retrieving its container ID with sudo docker ps -a and then running the command sudo docker restart <container id>.
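
The checks below can be run before the upload in step 4 to confirm that the new certificate has the same CN as the current one, that the private key belongs to it, and that it has not expired. This is an added example, not part of the original procedure or of the product; it assumes OpenSSL is installed, and the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a replacement Sensor Gateway certificate.
# Function names and exit codes are assumptions made for this sketch.

# Print the subject common name (CN) of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# check_new_cert CURRENT_CERT NEW_CERT NEW_KEY
# Returns 0 if the new pair passes all checks, otherwise:
#   1 = CN differs from the current certificate (or a CN could not be read)
#   2 = private key does not belong to the new certificate
#   3 = new certificate has already expired
check_new_cert() {
    cur_cn=$(cert_cn "$1")
    new_cn=$(cert_cn "$2")
    if [ -z "$cur_cn" ] || [ "$cur_cn" != "$new_cn" ]; then
        echo "CN mismatch: current='$cur_cn' new='$new_cn'" >&2
        return 1
    fi
    # Both commands emit the same PEM public key when the key matches.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the new certificate" >&2
        return 2
    fi
    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "new certificate has expired" >&2
        return 3
    fi
    echo "OK: CN '$new_cn', key matches, certificate not expired"
}

# Run the check only when three file arguments are supplied.
if [ "$#" -eq 3 ]; then
    check_new_cert "$@" || exit $?
fi
```

Pass the certificate currently in use as the first argument, followed by the new certificate and its private key.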

Results

It takes up to five minutes for the Sensor Gateway to register again with the Carbon Black Cloud.