When you install a new Carbon Black EDR server, the cbinit configuration program that you run after installation installs a legacy certificate for use with the standard pinning validation method. By default, this is a certificate that the server generates itself.
As an alternative to the default legacy certificate, you can substitute your own certificate during the server installation process. In either case, the certificate is named “Legacy” wherever certificates appear in the console, and it is protected from deletion.
Certificates and key files added in this way must meet the requirements described in Server-Sensor Certificate Requirements.
When you substitute your own certificate using cbinit, Carbon Black EDR runs tests to confirm that the certificate is valid for this use. If the certificate passes the tests, it is used for this server. If it fails, the default legacy certificate is used instead, an error message appears, and the certificate import failure is logged to /var/log/cb/cli. The cbinit process still completes when the substitution fails, using the default certificate rather than the one you tried to substitute, so check the log after installation to confirm that your certificate was accepted rather than assuming it was.
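Because a failed substitution falls back to the generated certificate, it is worth confirming on the server, before you run cbinit, that the certificate and key you intend to substitute are at least internally consistent. The following shell script is an added example and is not part of Carbon Black EDR or cbinit; the checks it performs are generic X.509 sanity checks, not the tests cbinit itself runs. It assumes openssl is on the PATH, and the file names legacy.crt, legacy.key and other.key and the 30-day expiry margin are choices made for the example. It verifies that the private key matches the certificate, that the certificate is not expired or about to expire, and prints the SHA-256 fingerprint so you can later compare it with the certificate the server actually presents:

```shell
#!/bin/sh
# Pre-flight checks for a custom "legacy" certificate before running cbinit.
# Added example; not part of Carbon Black EDR or cbinit. Assumes openssl is on PATH.

# Return 0 if the private key in $2 corresponds to the certificate in $1.
# Both sides are compared as SubjectPublicKeyInfo PEM, so this works for RSA and EC keys.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 is valid now and stays valid for at least $2 seconds.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the certificate in $1 (colon-separated hex only).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Run every check, print one verdict line per check, and return non-zero if any failed.
preflight() {
  cert=$1; key=$2; rc=0
  if cert_key_match "$cert" "$key"; then
    echo "ok   private key matches certificate"
  else
    echo "FAIL private key does not match certificate"; rc=1
  fi
  # 30 days = 2592000 seconds: margin chosen for the example, not a cbinit requirement.
  if cert_not_expiring "$cert" 2592000; then
    echo "ok   certificate valid for at least 30 days"
  else
    echo "FAIL certificate expired or expires within 30 days"; rc=1
  fi
  echo "sha256 fingerprint: $(cert_fingerprint "$cert")"
  return $rc
}

# Constructed sample input: a throwaway self-signed pair plus an unrelated second key,
# so the checks can be exercised offline without touching a real server. Prints the directory.
make_sample() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/legacy.key" -out "$dir/legacy.crt" \
    -days 365 -subj "/CN=cb-edr-legacy-example" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" >/dev/null 2>&1
  echo "$dir"
}

# Usage on a real server: preflight /path/to/your.crt /path/to/your.key
```

After cbinit has finished, the fingerprint printed here can be compared with the one reported by openssl s_client against the port your sensors connect to; a mismatch means the substitution was rejected and the generated certificate is in use, which the /var/log/cb/cli log should also show.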
Substitute a Legacy Certificate during Server Installation
Perform the following procedure to upload a custom “legacy” certificate during server installation.
This procedure substitutes your certificate for the single legacy certificate only. If you need certificates beyond the legacy one, add them through the console after installation. See Add Certificates through the Console.