You can choose one of two validation methods that sensors use for the server certificates that are used to secure server-sensor communication.
The validation method can be set through the following console method or by providing a value in the cb.conf file for CbServerSSLCertStrictCheck
, in which case it cannot be changed in the console. For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.
If the standard validation method (certificate pinning only) is used, certificate expiration does not interrupt server-sensor communication, although an expiration warning will appear if this is configured. The only requirement is that the server and sensor certificates match.
If strict certificate validation is used, the requirements of standard validation must still be met, but additional checks are done on the sensor side. A certificate that has expired or fails any other validation requirements causes server-sensor communication to be disabled. See Sensor Support for Certificate Management for the validation requirements on different sensor platforms.
Do not enable strict validation if you are using the legacy certificate created during Carbon Black EDR server installation. Using strict validation for this or any other certificate that cannot pass validation will disable communication between the sensor and server on some sensors that support the certificate management features, and can require uninstalling and reinstalling sensors.
Change the Validation Method for Server Certificates
Perform this procedure to change the validation method for server certificates.