Carbon Black EDR uses the HTTPS and TLS (formerly SSL) protocols to secure communication and two-way authorization between endpoints and the server so that the endpoint communicates only with the Carbon Black EDR server that it trusts, and the server only communicates with trusted endpoints.
Prior to server version 6.4.0, Carbon Black EDR established the trust between endpoints and the server by using “certificate pinning,” which is an out-of-band, reliable and secure trust mechanism. The server built the endpoint installer packages, and those came pre-initialized with the server identity (the public portion of server’s TLS certificate). The Carbon Black EDR server acted as its own root certificate authority (CA), which allowed it to issue client-side certificates that the endpoints could use. This feature is still available and is the default option for securing server to sensor communications.
If you are satisfied with the security that is provided by the certificate generated by your Carbon Black EDR server and do not have any special compliance requirements, you can continue to use the standard certificate and validation method, which relies on certificate pinning only. Past and current sensors continue to support this method.
Beginning with Carbon Black EDR Server 6.4.0, you can choose to provide certificates signed by your organization. In addition, you can use different server certificates to authenticate the connections between the Carbon Black EDR server and different sensor groups, thereby reducing the exposure to a compromised server certificate. You can also add stricter validation methods to certificate pinning so that if a server certificate used by a sensor has expired or fails to meet other operating-system-specific criteria, server-sensor communication is disabled.
See Sensor Support for Certificate Management for information about the sensor versions that support certificate management on each operating system.
In a cluster environment, primary and minion servers use the same certificates. If you add your own certificates to the primary, they are automatically propagated to the minions within a few seconds (unless there are connection issues). No server restart is required. The required format for user-provided certificates allows them to be seamlessly used in a clustered environment.
In addition, Carbon Black EDR provides new certificate visibility features that can be useful for user-provided and Carbon Black EDR “legacy” certificates.
Currently, you can use certificates signed by your own certificate authority, but use of a certificate that requires validation by a third-party CA is not supported.
The certificate management features described here apply only to server-sensor communications. They are not used for managing other Carbon Black EDR interactions, such as the connection between the console user interface and the server.