When you install a new Carbon Black EDR server, the cbinit configuration program you run after installation installs a legacy certificate for use with the standard pinning validation method. By default, this is a certificate that the server produces.

As an alternative to the default legacy certificate, you can substitute your own certificate during the server installation process. In either case, the certificate will be named “Legacy” where certificates appear in the console, and it will be protected from deletion.


Certificates and key files added in this way must meet the requirements described in Server-Sensor Certificate Requirements.

When you substitute your own certificate using cbinit, Carbon Black EDR runs tests to confirm that the certificate is valid for this use. If the certificate passes the tests, it is used for this server. If it is not valid, the default legacy certificate is used, an error message appears, and the certificate import failure is logged to /var/log/cb/cli. If the substitution fails, the cbinit process still continues, using the default certificate instead of the one you tried to substitute.

Substitute a Legacy Certificate during Server Installation

Perform the following procedure to upload a custom “legacy” certificate during server installation.

This procedure is for substituting your certificate for the single, legacy certificate only. If you intend to use more than just the legacy certificate, use the console for any additional certificates you need. See Add Certificates through the Console.


  1. Prepare the certificate you want to use and place it and its key file in an accessible location on the system hosting the Carbon Black EDR server (the primary in a clustered environment).
  2. Enter the yum install command for installing the correct server version and wait for that process to complete. See the VMware Carbon Black EDR Server Cluster Management Guide for additional installation instructions.
  3. When the installation completes, run the following command, providing the arguments and file paths to the certificate file and the key file as shown here:
    cd /usr/share/cb
    sudo cbinit --server-cert-file=<certpath> --server-cert-key=<keypath>
  4. If the certificate and key files pass all tests, they become the default server certificate and key, and are copied into the server as /etc/cb/certs/cb-server.crt and /etc/cb/certs/cb-server.key.
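
Because cbinit falls back to the default certificate when the substitution fails, it helps to check the files before step 3 and to confirm the result after step 4. The following shell functions are an added example, not part of Carbon Black EDR or its documentation; they assume `openssl` is installed, and the function names are hypothetical. The checks are generic X.509 sanity checks, not the tests that cbinit itself runs.

```shell
#!/usr/bin/env bash
# Added example: checks to run around `cbinit --server-cert-file/--server-cert-key`.
# Function names are hypothetical; only the installed path comes from this page.

INSTALLED_CERT=/etc/cb/certs/cb-server.crt

# SHA-256 fingerprint of the certificate's DER encoding, so differences in
# PEM formatting (line endings, trailing whitespace) do not matter.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds only if the private key belongs to the certificate's public key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Before cbinit: catch problems that would cause a fallback to the default.
preflight() {
    local cert="$1" key="$2"
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "cannot parse certificate: $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired: $cert" >&2; return 1; }
    key_matches_cert "$cert" "$key" ||
        { echo "key does not match certificate: $key" >&2; return 1; }
}

# After cbinit: confirm the installed certificate is the one that was supplied.
# A mismatch means the default legacy certificate is in use.
substitution_applied() {
    local supplied="$1" installed="${2:-$INSTALLED_CERT}"
    local want have
    want=$(cert_fingerprint "$supplied")
    have=$(cert_fingerprint "$installed")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        return 0
    fi
    echo "installed certificate differs from $supplied; see /var/log/cb/cli" >&2
    return 1
}
```

Source the file, run `preflight <certpath> <keypath>` before cbinit, and run `substitution_applied <certpath>` afterwards; a non-zero status from the second call means the server is not using the certificate you supplied.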