You can choose one of two validation methods that sensors use for the server certificates that are used to secure server-sensor communication.

The validation method can be set through the following console method or by providing a value in the cb.conf file for CbServerSSLCertStrictCheck, in which case it cannot be changed in the console. For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.

If the standard validation method (certificate pinning only) is used, certificate expiration does not interrupt server-sensor communication, although an expiration warning will appear if this is configured. The only requirement is that the server and sensor certificates match.

If strict certificate validation is used, the requirements of standard validation must still be met, but additional checks are done on the sensor side. A certificate that has expired or fails any other validation requirements causes server-sensor communication to be disabled. See Sensor Support for Certificate Management for the validation requirements on different sensor platforms.

Caution:

Do not enable strict validation if you are using the legacy certificate created during Carbon Black EDR server installation. Using strict validation for this or any other certificate that cannot pass validation will disable communication between the sensor and server on some sensors that support the certificate management features, and can require uninstalling and reinstalling sensors.

Change the Validation Method for Server Certificates

Perform this procedure to change the validation method for server certificates.

Procedure

  1. Click Username > Settings.
  2. Click Server Certificates.
  3. Two radio buttons/options appear under Server certificate validation mode:
    • Standard validation – Sensors will only require that their certificate matches the server certificate when connecting.

    • Strict certificate validation – Sensors will require that a matching certificate is valid on the host machine when connecting. This includes checking whether the certificate has expired.

    If the button for the method you want to use is not selected, click it.
  4. Click the Save changes button and click Confirm.
    The change will be propagated to all sensors that support TLS server certificate management during their next checkin.
    Caution:

    As the confirmation dialog states, changing validation method can disable communication between sensor and server. Make sure that you have configured certificates properly before changing this setting, especially if you are changing to strict validation.