Certificate management features are available on Carbon Black EDR Server versions 6.4.0 and later. How those features affect sensors depends on the sensor version and the OS platform of the sensor.

Other than expiration warnings, sensors that do not support TLS certificate management are unaffected by the new certificate management settings.

Sensors that do not support certificate swaps continue using the legacy certificate provided by the server, regardless of the certificate assigned to their sensor group.

If you select Standard validation, the only requirement for a valid connection is an exact hash match between the certificate on the sensor and the certificate on the server. If you select Strict validation, the exact hash match is still required, plus additional validation criteria that vary by platform.

The following list shows the sensors that are included with Carbon Black EDR Server 6.4.0 and their support for certificate management:

  • Windows sensor 6.2.3 – This and later sensors support certificate management and handle strict validation. See Special Requirement for Windows Sensors.

    Windows XP and Windows Server 2003 do not support TLS certificate swap, regardless of the Carbon Black EDR sensor version.

  • macOS sensor 6.2.5 – This and later sensors support the new certificate management features and handle strict validation as shown in the following table.

  • Linux sensor – As of the version 7.0.0 server release, Linux sensors do not support certificate management but continue to use the default “Legacy” certificate.

The following table shows the different validation criteria that are available for the sensor versions on each platform.

Strict validation mode requirements by sensor platform

  Requirement                                     macOS Sensor 6.2.5+   Windows Sensor 6.2.3+
  ----------------------------------------------  --------------------  ---------------------
  Exact certificate match (certificate pinning)   Yes                   Yes
  Expiration date                                 Yes                   Yes
  Certificate validation chain                    -                     Yes
  Hostname matches (SAN=)                         -                     Yes
  Writable host file                              -                     Yes
  Revocation check                                -                     -
  Key Usage is Server Auth (1.3.6.1.5.5.7.3.1)    -                     Yes
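The following Go program is an added example, not Carbon Black code, that walks through the Standard versus Strict distinction described above and the rows of the table as a Windows sensor would apply them: pin match in both modes, then expiration, serverAuth EKU, trust chain and SAN hostname in Strict mode only. Revocation is skipped to match the table, and the "Writable host file" row is a local precondition rather than a certificate check, so it is not modeled. The hash algorithm (SHA-256), the hostname edr.example.internal and the self-signed test certificate are all constructed for the example; the page does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidationMode mirrors the two server-side settings described on the page.
type ValidationMode int

const (
	Standard ValidationMode = iota // exact hash match only
	Strict                         // hash match plus the criteria in the table
)

// fingerprint hashes the DER encoding of a certificate. The page only says
// "exact hash match"; SHA-256 is an assumption made for this example.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// validateServerCert applies the table rows (Windows column) to a presented
// server certificate. Revocation is not checked, matching the table.
func validateServerCert(mode ValidationMode, presented *x509.Certificate, pinned string,
	hostname string, roots *x509.CertPool, now time.Time) error {
	// Exact certificate match (pinning): required in both modes.
	if fingerprint(presented.Raw) != pinned {
		return errors.New("certificate pin mismatch")
	}
	if mode == Standard {
		return nil
	}
	// Expiration date.
	if now.Before(presented.NotBefore) || now.After(presented.NotAfter) {
		return fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	// Extended Key Usage must include serverAuth (1.3.6.1.5.5.7.3.1).
	hasServerAuth := false
	for _, eku := range presented.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		return errors.New("certificate lacks serverAuth extended key usage")
	}
	// Certificate validation chain to a trusted root. EKU was checked above,
	// so ExtKeyUsageAny stops Verify from repeating that test.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// Hostname must match a SAN entry.
	if err := presented.VerifyHostname(hostname); err != nil {
		return fmt.Errorf("hostname check failed: %w", err)
	}
	return nil
}

// makeTestCert builds a constructed, self-signed certificate for offline use;
// it stands in for the certificate a server assigns to a sensor group.
func makeTestCert(hostname string, notBefore, notAfter time.Time, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test server"},
		DNSNames:     []string{hostname}, // SAN entry checked in Strict mode
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  eku, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	host := "edr.example.internal"                       // hypothetical server name
	cert, err := makeTestCert(host, now.Add(-time.Hour), now.Add(24*time.Hour),
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	pin := fingerprint(cert.Raw)
	fmt.Println("strict, matching cert:    ", validateServerCert(Strict, cert, pin, host, roots, now))
	fmt.Println("standard, wrong hostname: ", validateServerCert(Standard, cert, pin, "other.internal", roots, now))
	fmt.Println("strict, wrong hostname:   ", validateServerCert(Strict, cert, pin, "other.internal", roots, now))
	fmt.Println("strict, after expiry:     ", validateServerCert(Strict, cert, pin, host, roots, now.Add(48*time.Hour)))
	fmt.Println("standard, wrong pin:      ", validateServerCert(Standard, cert, "00", host, roots, now))
}
```

The run shows the practical difference between the two modes: a hostname mismatch or an expired certificate passes Standard validation as long as the pin matches, and only Strict validation rejects them, while a pin mismatch is rejected in both.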