EDR: How to Generate SSL Certs for the WebUI

Environment

  • EDR: All Supported Versions

Objective

How to create the SSL certs used for the WebUI in EDR


Resolution

Before Proceeding: 

  • This procedure should only be performed when the WebUI uses a different port from the sensors. Replacing the default self-signed cert (cb-server.crt/key) altogether will disconnect the sensors.


To generate a new SSL certificate for the WebUI use the following commands:

1. Creating the csr and key file:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

2. Creating the crt using the csr and key:

openssl x509 -req -days 365 -in myserver.csr -signkey myserver.key -out myserver.crt

3. Once the new certs are in the /etc/cb/certs folder, edit the cb.multihome.conf file in /etc/cb/nginx/conf.d to point to the new certs

4. Restart the cb-enterprise services
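
The script below is an added example, not part of the original article or of Carbon Black's own tooling. It runs the commands from steps 1 and 2 into a staging directory, then checks that the certificate and key belong together, that the certificate is not about to expire, and that it is self-signed, before anything is copied into /etc/cb/certs. The function names, the staging directory and the CN value are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): stage and check the WebUI cert pair.
# Function names, the staging directory and the CN are assumptions.

# gen_webui_cert DIR CN [DAYS]: writes DIR/myserver.key, .csr and .crt
gen_webui_cert() {
    dir=$1; cn=$2; days=${3:-365}
    (
        umask 077   # keep the unencrypted private key owner-readable only
        mkdir -p "$dir" || exit 1
        # Step 1 of the article; -subj only replaces the interactive prompts.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/myserver.key" -out "$dir/myserver.csr" \
            2>/dev/null || exit 1
        # Step 2 of the article: self-sign the CSR with the same key.
        openssl x509 -req -days "$days" -in "$dir/myserver.csr" \
            -signkey "$dir/myserver.key" -out "$dir/myserver.crt" 2>/dev/null
    )
}

# cert_matches_key CERT KEY: 0 if both carry the same public key.
# nginx refuses to start on a mismatched pair, so check before step 3.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS: 0 if CERT is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# is_self_signed CERT: 0 if subject equals issuer (browser will warn).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Usage: sh stage-webui-cert.sh STAGING_DIR CN
if [ "$#" -eq 2 ]; then
    gen_webui_cert "$1" "$2" &&
        cert_matches_key "$1/myserver.crt" "$1/myserver.key" &&
        cert_valid_for "$1/myserver.crt" 30 &&
        echo "pair OK: copy into /etc/cb/certs, then edit cb.multihome.conf"
fi
```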

Additional Notes

  • We do not support certificate requests, design, or generation; this procedure should be followed by those familiar with using OpenSSL.
  • This procedure will still generate a security error in the browser when accessing the WebUI, because this is still a self-signed certificate with no Root CA for the browser to check against. A certificate signed by an internal CA would be required to no longer display the warning.
  • By default the cb-server.crt/key handles the sensor and WebUI traffic over port 443. Replacing this certificate will cause sensors to go offline, as the server will have a different certificate than the sensors. To create a new sensor communication certificate, please follow the information in the user guide under "Managing Certificates" and keep the cb-server.crt/key as a fallback. Expired self-signed certs for sensor comms will still allow communication; only CA-signed certs are allowed to be placed into strict validation. See: CB Response: What are the Strict Validation Mode Requirements by Sensor Platform?

Creation Date: 05-09-2018