Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Replace Expired Custom Sensor Cert?

EDR: How to Replace Expired Custom Sensor Cert?

Environment

  • EDR: All versions

Question

How to replace an expired sensor certificate?

Answer

Due to the cert pinning that is used for sensor -> server comms, we can only have one unique cert in use at a time. No duplicate SAN entries are allowed in any active certificates – if a duplicate entry is found, the upload will not be allowed.

So there are two options:

1. Use a new cert with different SANs. The SANs used in the certs can be anything. Since we manually update the host's file at the sensor when the certs are deployed, there is no need to have any DNS entries for the SANs. Aside from network infrastructure that would try to intercept the SSL connection (which typically breaks cert pinning anyway), the SANs employed would not be visible to anyone. banana.edrserver.com and pear.edrserver.com for instance would be valid and completely hidden within the system.

2. Move sensors back to the legacy certificate in sensor group settings. Delete the expired certificate and re-add a new cert.

Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-14-2022
Views:
244
Contributors