You must regenerate all certificates that the cbssl certs --scan utility identifies as incompatible.
Caution: You must approach the regeneration process with utmost care. Misconfiguring certain certificates, such as the client-ca and server (legacy and custom) certificates used to authenticate and encrypt sensor-server communication, can lead to a complete failure in communication between the two components.
When regenerating certificates, adhere to the following guidelines:
- Back up existing certificates. Before initiating the regeneration process, make sure that you have a secure backup of all existing certificates. The backup allows you to revert to the previous state if needed.
Use the following command to back up your certificates:
# /usr/share/cb/cbssl backup --out <backup_file_name>
- Understand certificate dependencies. Consider the dependencies between certificates, especially those that are related to sensor-server communications. Make sure that the new certificates are properly configured to maintain uninterrupted communication between the server and sensors.
- Follow recommended practices. Consult the Carbon Black EDR documentation or seek assistance from Support to understand the recommended practices for certificate regeneration. Adhering to these guidelines will help prevent any potential misconfiguration or disruption in communication.
- Testing and verification. After regenerating and implementing new certificates, thoroughly test and verify the functionality of the sensor-server communication. Make sure that all necessary endpoints are accessible and online, and that the system operates as intended.
By approaching the certificate regeneration process with caution and following the recommended practices, you can avoid communication failures and ensure a smooth transition to the updated certificates.