If new or different certificates are assigned to any sensor group, each sensor in the group picks up the change the next time it checks in with the server.

In addition to using the newly assigned certificate on all subsequent communications with the server, the sensor also stores certificate details locally for use on sensor restarts.

During a change of certificates, the server accepts connections from sensors using either of two server certificates: the certificate being replaced or the new certificate. As a result, sensor-server communication is not interrupted by certificate replacement. After a connection is successfully established using the new certificate, the old certificate is overwritten and is no longer available for use by the sensor.

If the sensor cannot connect with the new certificate, it reverts to the previous sensor certificate.

For older sensor versions that do not support certificate swaps, the legacy certificate remains in place, regardless of a global or per-sensor-group certificate change. Before assigning certificates to a group, review which sensors support certificate management features. See Sensor Support for Certificate Management.
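The swap, fallback, and legacy behavior described above can be modeled as a small state machine. This is an added illustration, not the product's code: the class names, result strings, certificate labels, and the `still_on` audit helper are all hypothetical, and the fleet is constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Server:
    accepted: set  # certificate labels the server completes a connection with

    def accepts(self, cert: str) -> bool:
        return cert in self.accepted

@dataclass
class Sensor:
    name: str
    stored: str                 # persisted locally, reused after a restart
    supports_swap: bool = True  # False models an older sensor version

    def check_in(self, server: Server, assigned: str) -> str:
        """Run one check-in and report what happened to the certificate."""
        if assigned == self.stored:
            return "unchanged"
        if not self.supports_swap:
            return "legacy-kept"    # assignment ignored, legacy cert stays
        if server.accepts(assigned):
            self.stored = assigned  # old cert overwritten after a good connection
            return "swapped"
        return "reverted"           # new cert failed, previous one kept

def still_on(cert: str, sensors: list) -> list:
    """Names of sensors whose stored certificate is still `cert`."""
    return [s.name for s in sensors if s.stored == cert]

def demo() -> dict:
    # Constructed fleet: sensor names and certificate labels are made up.
    ws01 = Sensor("ws-01", "legacy")
    ws02 = Sensor("ws-02", "legacy")
    old03 = Sensor("old-03", "legacy", supports_swap=False)
    window = Server({"legacy", "corp-2024"})  # change window: both accepted
    results = {
        "ws-01": ws01.check_in(window, "corp-2024"),
        "old-03": old03.check_in(window, "corp-2024"),
        # ws-02 reaches a server that cannot complete with the new cert
        "ws-02": ws02.check_in(Server({"legacy"}), "corp-2024"),
    }
    results["still_on_legacy"] = still_on("legacy", [ws01, ws02, old03])
    return results

if __name__ == "__main__":
    print(demo())
```

The `still_on` list is the practical check: any sensor it returns still depends on the previous certificate, either because its swap failed or because its version does not support swaps.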

In clustered environments, certificate changes are automatically propagated to all servers within a matter of seconds, without requiring a restart.