The Alliance client certificate in Carbon Black EDR is generated and provided when a product license RPM is installed. Before the Carbon Black EDR Server 7.8.0 release, the Alliance certificate was signed using the SHA-1 algorithm. Because of the security concerns inherent in SHA-1, new licenses have been introduced and client certificates are now signed using the more secure SHA-256 algorithm.

You must coordinate closely with the Broadcom Carbon Black Support team during the certificate regeneration process. By initiating a new license request and following the instructions provided by Broadcom Carbon Black Support, you can obtain a new license together with a client certificate signed using the secure SHA-256 algorithm, thereby enhancing the overall security of your system.

Procedure

  1. Initiate a new license request by contacting Broadcom Carbon Black Support.
  2. Stop the Carbon Black EDR enterprise or cluster before regenerating any certificates. This action prevents potential conflicts or issues during the regeneration.
  3. Use the cbssl certs utility to regenerate the Alliance client certificate. To do so, issue the following command. Replace <new_license_rpm_path> with the path to the new license RPM.
    /usr/share/cb/cbssl certs --regenerate alliance --rpm <new_license_rpm_path>
  4. If you have a Carbon Black EDR cluster deployment, you must synchronize the regenerated certificate across the cluster. Run the following command:
    /usr/share/cb/cbcluster sync-certs --cert alliance
  5. After the certificate regeneration and applicable synchronization are complete, start the Carbon Black EDR enterprise or cluster to initiate the system with the new Alliance client certificate.
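
To confirm the outcome of the procedure, the following added example (not part of the Carbon Black documentation) reads a PEM certificate's signature algorithm with openssl and reports whether it is still SHA-1. The function names are hypothetical, and the certificate path is an assumption you must supply as an argument, because this page does not state where the Alliance client certificate is stored.

```shell
#!/bin/sh
# Added example: report which hash algorithm signed a PEM certificate.
# Usage: sh check_sig.sh <path_to_alliance_client_cert>
# The path is a placeholder; this page does not give the certificate location.

# Print the certificate's signature algorithm name,
# for example sha256WithRSAEncryption. Prints nothing if parsing fails.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm:/ { gsub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Map an algorithm name to "sha1", "sha256" or "other" (case-insensitive).
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*)   echo sha1 ;;
        *sha256*) echo sha256 ;;
        *)        echo other ;;
    esac
}

# Return 0 for SHA-256, 1 for SHA-1 (regeneration did not take effect),
# 2 if the file cannot be parsed, 3 for any other algorithm.
check_cert() {
    alg=$(cert_sig_alg "$1")
    if [ -z "$alg" ]; then
        echo "UNREADABLE: $1 is not a parseable PEM certificate" >&2
        return 2
    fi
    case "$(classify_sig_alg "$alg")" in
        sha256) echo "OK: $1 is signed with $alg"; return 0 ;;
        sha1)   echo "STALE: $1 is still signed with $alg"; return 1 ;;
        *)      echo "REVIEW: $1 is signed with $alg"; return 3 ;;
    esac
}

# Run the check only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

In a cluster deployment, run the check on each node after the sync-certs step so that a node still holding the SHA-1 certificate is caught before the cluster is started.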