OpenSSL 1.1.1 enforces stricter certificate requirements, such as a SHA-2 RSA signing algorithm and the required X.509v3 extensions. OpenSSL rejects certificates that do not meet these requirements during the TLS handshake between server and client.

For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.

To support the migration from the legacy OpenSSL to the system-provided, FIPS-compliant OpenSSL 1.1.1, you must scan all active certificates that Carbon Black EDR uses.

To initiate the certificate scanning process, run the following command:

# /usr/share/cb/cbssl certs --scan

The scan output table provides detailed information for each certificate. The output varies depending on the setup and on the type and generation of the certificates.

The following example shows the scan output when issues are detected with the named certificates. For each certificate the table lists the certificate name, its current status, its location, the reason for the failure, and the recommended remedy.

In the following table, the Status field for all certificates is Fail.

Table 1. Scanning Carbon Black EDR Issued and User-configured Certificates - Failed

Name: Alliance
Location: /etc/cb/certs/carbonblack-alliance-client.crt
Reason:
  Certificate files do not match.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
Remedy: Perform the following steps in order:
  1. Contact Broadcom Carbon Black Support to get a new license RPM.
  2. Run the following commands in order:
    1. /usr/share/cb/cbcluster stop
    2. /usr/share/cb/cbssl certs --regenerate alliance --rpm <path>
    3. /usr/share/cb/cbcluster sync-certs --cert alliance
    4. /usr/share/cb/cbcluster start

Name: Legacy
Location: /etc/cb/certs/cb-server.crt
Reason:
  Missing key usage extension.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
Remedy: Perform the following steps in order:
  1. To move sensors off the Legacy certificate, upload a new custom certificate by using the Carbon Black EDR console or an API.
  2. Assign the new custom certificate to all sensor groups that use the default Legacy certificate.
  3. Wait until all relevant sensors have received the new custom certificate; then run the following commands in order:
    1. /usr/share/cb/cbcluster stop
    2. /usr/share/cb/cbssl certs --regenerate legacy
    3. /usr/share/cb/cbcluster sync-certs --cert legacy
    4. /usr/share/cb/cbcluster start
  4. Assign the regenerated Legacy certificate back to the sensor groups that used it before.

Name: Client-CA
Location: /etc/cb/certs/cb-client-ca.crt
Reason:
  Missing key usage extension.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
  CA certificate must have the Key Usage extension with the keyCertSign bit set.
  CA certificate must have the Basic Constraints extension with the CA:TRUE flag set.
Remedy: Run the following commands in order:
  1. /usr/share/cb/cbcluster stop
  2. /usr/share/cb/cbssl certs --regenerate client-ca
  3. /usr/share/cb/cbcluster sync-certs --cert client-ca
  4. /usr/share/cb/cbcluster start
  5. /usr/share/cb/cbssl sensor_certs --revoke --group-name '*'

Name: Custom
Location: Carbon Black EDR database
Reason:
  Missing key usage extension.
Remedy: Perform the following steps in order:
  1. Upload new custom certificates by using the Carbon Black EDR console or an API.
  2. Assign the new certificates to the respective sensor groups.

Name: UI
Location: /etc/cb/certs/cb-server.crt
Reason:
  Missing key usage extension.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
Remedy: Perform the following steps in order:
  1. Generate a new certificate and place it in the same location.
  2. Set the cb.conf parameters SSLUICertFile and SSLUIKeyFile to this location.
     Alternatively, set SSLUICertFile and SSLUIKeyFile to the same .crt and .key values that SSLCertFile and SSLKeyFile use; those values are available after you regenerate the Legacy certificate.

  Note: If you do not use the default Carbon Black EDR certificate path (/etc/cb/certs), the new certificate must have read permission explicitly granted to the cb user.

Name: Redis-CA
Location: /etc/cb/certs/cb-redis-ca.crt
Reason:
  Missing key usage extension.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
  CA certificate must have the Key Usage extension with the keyCertSign bit set.
  CA certificate must have the Basic Constraints extension with the CA:TRUE flag set.
Remedy: Perform the following steps in order:
  1. Disable RedisUseSSL in cb.conf.
  2. Run /usr/share/cb/cbssl certs --regenerate redis-ca
  3. Run /usr/share/cb/cbcluster sync-certs --cert redis

Name: Redis
Location: /etc/cb/certs/cb-redis.crt
Reason:
  Certificate files do not match.
  Missing key usage extension.
  Signing algorithm is not sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption.
Remedy: Perform the following steps in order:
  1. Disable RedisUseSSL in cb.conf.
  2. Run /usr/share/cb/cbssl certs --regenerate redis
  3. Run /usr/share/cb/cbcluster sync-certs --cert redis
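
As an added example, not part of the Carbon Black EDR documentation or of the cbssl tool, the following POSIX shell script reproduces the conditions that appear in the Reason column (an accepted SHA-2 RSA signing algorithm, a present Key Usage extension, the CA-only keyCertSign and CA:TRUE requirements, and a certificate/private-key match) using plain openssl. It lets you inspect a certificate, for example a custom certificate before you upload it, without running cbssl. It assumes openssl 1.1.1 or later is on PATH; the script name, the function names, and any key file path you pass are assumptions, not names from the product, and treating "Certificate files do not match" as a certificate/key mismatch is this example's interpretation.

```shell
#!/bin/sh
# cbcertcheck.sh (hypothetical name): re-creates the certificate checks that
# the cbssl scan reports on, using only openssl. Added example, not Carbon
# Black's code. Assumes openssl 1.1.1+ on PATH.

ALLOWED_SIGALGS='sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption'

# Dump the certificate in text form; every check parses this output.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Signature algorithm name as printed by openssl, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    cert_text "$1" | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Value line of an X509v3 extension (the line after its header); empty if absent.
# Usage: cert_ext CERT 'Key Usage' | cert_ext CERT 'Basic Constraints'
cert_ext() {
    cert_text "$1" | awk -v name="X509v3 $2:" 'index($0, name) { getline; print; exit }'
}

# Check 1: signing algorithm must be one of the three accepted SHA-2 RSA algorithms.
check_sigalg() {
    alg=$(cert_sigalg "$1")
    for ok in $ALLOWED_SIGALGS; do
        [ "$alg" = "$ok" ] && return 0
    done
    echo "FAIL $1: signing algorithm is $alg, not one of: $ALLOWED_SIGALGS" >&2
    return 1
}

# Check 2: a Key Usage extension must be present at all.
check_key_usage() {
    [ -n "$(cert_ext "$1" 'Key Usage')" ] && return 0
    echo "FAIL $1: missing key usage extension" >&2
    return 1
}

# Check 3 (CA certificates only): Key Usage must include keyCertSign, which
# openssl prints as "Certificate Sign", and Basic Constraints must be CA:TRUE.
check_ca() {
    rc=0
    case "$(cert_ext "$1" 'Key Usage')" in
        *"Certificate Sign"*) ;;
        *) echo "FAIL $1: CA key usage lacks keyCertSign" >&2; rc=1 ;;
    esac
    case "$(cert_ext "$1" 'Basic Constraints')" in
        *CA:TRUE*) ;;
        *) echo "FAIL $1: CA basic constraints lack CA:TRUE" >&2; rc=1 ;;
    esac
    return $rc
}

# Check 4: the private key must belong to the certificate. Both sides are
# reduced to the same PEM SubjectPublicKeyInfo and compared textually.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] && return 0
    echo "FAIL $1: certificate files do not match ($2)" >&2
    return 1
}

# Run every applicable check. Usage: scan_cert CERT [KEY] [ca]
# Returns 0 only when all checks pass, mirroring the scan's Status column.
scan_cert() {
    rc=0
    check_sigalg "$1" || rc=1
    check_key_usage "$1" || rc=1
    if [ "$3" = ca ]; then check_ca "$1" || rc=1; fi
    if [ -n "$2" ]; then check_pair "$1" "$2" || rc=1; fi
    [ "$rc" -eq 0 ] && echo "PASS $1"
    return $rc
}

# Command-line entry point; does nothing when sourced without arguments.
if [ "$#" -gt 0 ]; then scan_cert "$@"; fi
```

Invoke it as, for example, `sh cbcertcheck.sh /etc/cb/certs/cb-client-ca.crt /path/to/cb-client-ca.key ca` (the key path is an assumption; the page lists only certificate paths). The exit status is non-zero when any check fails, and each failing condition is printed in the same terms the scan uses, so a certificate that passes here should not show the corresponding Reason in the scan output.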

What to do next: See Regenerating Certificates.