Legacy Certificate

The legacy certificate serves as the default certificate for sensor-server and client-server communication. Regenerating this certificate necessitates the transfer of its usage to another server certificate, followed by regeneration and subsequent reassignment of the load.

Procedure

Upload a new custom certificate to offload the legacy certificate. See Add Certificates through the Console in the Carbon Black EDR User Guide.
Assign the newly uploaded custom certificate to all sensor groups that are currently using the default legacy certificate. See Assigning Certificates to Sensor Groups in the Carbon Black EDR User Guide.
Allow sufficient time for all relevant sensors to receive the new custom certificate. Make sure that the sensors can check in after receiving the new custom certificate. To do so:
1. Log in to the Carbon Black EDR console.
2. Go to Sensors > All Sensors.
3. Use the Server Certificate filter to verify that all sensors are mapped to the new custom server certificate.
Stop the Carbon Black EDR enterprise or cluster before regenerating any certificates. This action prevents potential conflicts or issues during the regeneration.
Regenerate the legacy certificate using one of the following options:
- To generate a new certificate, run the following command:
  /usr/share/cb/cbssl certs --regenerate legacy
- To use a custom certificate, provide the path to your certificate and key:
  /usr/share/cb/cbssl certs --regenerate legacy --server-cert-file <user_server_cert_file> --server-cert-key <user-server_cert_key>
If you have a Carbon Black EDR cluster deployment, you must synchronize the regenerated certificate across the cluster. Run the following command:
/usr/share/cb/cbcluster sync-certs --cert legacy
Start the Carbon Black EDR enterprise or cluster to activate the regenerated legacy certificate.
Assign the Legacy certificate back to the old sensor groups as required. See Assigning Certificates to Sensor Groups in the Carbon Black EDR User Guide.