EDR: What SANs are Required for Sensor-Server Custom Certificates?

Environment

  • EDR Server: 6.4.x and Higher

Question

The custom certificate for sensor-server communication requires two SANs. What should be used on the two SANs?

Answer

Two SANs are required: one for Master communication and the second for Minion communication (or future growth; see Additional Notes).
  • SAN must not match the FQDN of the EDR Server
  • If doing multiple sensor groups, the SAN needs to be different for each group
  • For EDR Hosted servers, sensor.<hostedname> should not be used
DNS mapping is not required for the SAN. The sensor will update the hosts file on the endpoint with the two SAN entries to properly map to the DNS lookup of the Server URL provided in the sensor groups page.

Additional Notes

  • DNS mapping is not required for the SAN.
  • The sensor will update the hosts file on the endpoint with the two SAN entries to properly map to the DNS lookup of the Server URL provided in the sensor groups page.
  • The feature utilizes nginx vhosts to intercept the SAN and forward to the correct certificate check on the server side. 
  • Configurations are written to /var/cb/nginx/vhosts/server_X.conf.
  • The Server-Sensor Certificate Requirements section of the user guide has more certificate information.
  • These are virtual names being used to route the certificate matching internally in the product and do not need to match an actual servername in the environment.
  • Two SANs are required in case a single-node instance has to be turned into a cluster in the future.

Example: Server Name of "MyEDR"
  • Sensor Certificate 1 SAN: cb1, cb2
  • Sensor Certificate 2 SAN: cb3, cb4
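
The SAN rules above can be checked before certificates are requested. The following is an added example, not code from the product or the original article; the function name, the `hosted_name` parameter and the `myedr.example.com` FQDN are assumptions made for illustration.

```python
def _norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_sensor_sans(server_fqdn, group_sans, hosted_name=None):
    """Return a list of rule violations for planned sensor-server certificate SANs.

    group_sans maps a sensor group label to the SAN list of that group's certificate.
    hosted_name (hypothetical parameter) is set only for EDR Hosted servers.
    """
    problems = []
    forbidden = {_norm(server_fqdn): "matches the EDR Server FQDN"}
    if hosted_name:
        forbidden["sensor." + _norm(hosted_name)] = "is sensor.<hostedname>"
    owner = {}  # normalized SAN -> first group that used it
    for group, sans in group_sans.items():
        names = {_norm(s) for s in sans}
        # Assumption: "two SANs are required" is read as exactly two distinct names.
        if len(names) != 2:
            problems.append(f"{group}: needs two distinct SANs, found {len(names)}")
        for name in sorted(names):
            if name in forbidden:
                problems.append(f"{group}: SAN {name} {forbidden[name]}")
            if name in owner:
                problems.append(f"{group}: SAN {name} already used by {owner[name]}")
            else:
                owner[name] = group
    return problems


# Constructed inputs: the article's "MyEDR" example with an assumed FQDN.
GOOD_PLAN = {"Sensor Certificate 1": ["cb1", "cb2"],
             "Sensor Certificate 2": ["cb3", "cb4"]}
# Constructed plan that breaks three of the rules.
BAD_PLAN = {"Sensor Certificate 1": ["cb1", "MyEDR.example.com."],
            "Sensor Certificate 2": ["CB1", "cb4"],
            "Sensor Certificate 3": ["cb5"]}

if __name__ == "__main__":
    print(check_sensor_sans("myedr.example.com", GOOD_PLAN))
    for line in check_sensor_sans("myedr.example.com", BAD_PLAN):
        print(line)
```

An empty list means the plan satisfies the rules listed in this article; it says nothing about other certificate requirements covered in the user guide.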

Article Information
Creation Date: 09-09-2020