Environment

• EDR Server: 6.2 and Above

Objective

Resolution

1. Display the active certificates

/usr/share/cb/cbssl  sensor_certs -c /etc/cb/cb.conf --list

2. Revoke the group certificate
   1. If the group still exits, use the group id or group name

      • /usr/share/cb/cbssl sensor_certs -c /etc/cb/cb.conf --revoke --group-name <groupname>

      • /usr/share/cb/cbssl sensor_certs -c /etc/cb/cb.conf --revoke --group-id <groupid>

   2. If the group has been deleted, only the cert id can be used for identification

      • /usr/share/cb/cbssl sensor_certs -c /etc/cb/cb.conf --revoke --cert-id <certid>

Additional Notes

• A deleted group will still have an active sensor certificate. A sensor matching a valid certificate of a deleted group will be moved to the default group automatically.
• Revoking a sensor certificate will issue a new client cert for active sensor groups and will update sensor installers. Any old install packages for a sensor group should not be used after the certificate is revoked. 
• The cert id is displayed with the --list switch and is 32 characters long

--- Sensor Group[1]: 'Default Group' ---
de192eb150aa4a2cbda0e64a179d88d9 - ACTIVE

• Group Ids can be found in the browser URL when selecting the group: https://<servername>/#/hosts/<groupid>
• It is a good idea to take a backup of the revocation list after the change in case of a recovery situation

/usr/share/cb/cbssl backup --out <path>/backup.certs

Related Content