To use the certificate management features of Carbon Black EDR and upgrade your sensors to a version that is compatible with certificate management, the best practice is to upgrade the sensors first and let the upgrades complete before applying a custom certificate to them.
This best practice reduces the possibility of communication issues due to a mismatch between the server certificate and the sensor during the upgrade. After the sensors are updated, you can apply the custom certificate.
If a sensor group is assigned a custom certificate, sensors in that group that support custom certificates cannot be downgraded to sensor versions that do not support custom certificates. Attempts at such a downgrade fail and log an error in the sensorservices debug log.