Alert for Upcoming CrowdStrike Certificate Rotation – Red Canary Support

Issue

The CrowdStrike Falcon console shows an in-product notification banner stating Action Required: Falcon Sensor-to-Cloud SSL Certificate Rotation with the following description. User may or may not have access to CrowdStrike Customer Center to read the Tech Alert.

Action Required: In order to maintain Falcon sensor-to-cloud communications, please update impacted hosts prior to the March 16, 2026 SSL Certificate rotation as per the details in this Tech Alert.

Environment

CrowdStrike Falcon
Affected Falcon Sensor Versions

Resolution

Sensors running on affected assets in your CrowdStrike CID need to be upgraded prior to the date associated with your subdomain as seen in Step 1. To find affected assets, follow the steps below.

Use the link below for your subdomain to review a dashboard report of affected endpoints
- US-1 (April 1, 2026, 2000 UTC)
- US-2 (March 31, 2026, 2000 UTC)
- EU-1 (March 30, 2026, 2000 UTC)
- US-GOV-1 (March 23, 2026, 2000 UTC)
Alternatively, from the Falcon console, navigate to Next-Gen SIEM > Dashboards and search all dashboards for falcon_cloud_ssl_certificate_rotation to review affected endpoints
Any assets running affected Falcon sensor versions must upgrade to one of the versions listed in the table below before the deadline to prevent interruption of service and protection. See Cause section for more details

The following hyperlinks assume your CrowdStrike Falcon console is hosted on the US-1 subdomain (falcon.crowdstrike.com). If you log in to Crowdstrike from a different URL, replace the subdomain in the link's address with your own (e.g. falcon.us-2.crowdstrike.com).

Sensor Platform	Affected Versions (Must be upgraded prior to 3/16/2026)	Upgrade To
Windows	7.21 and earlier (7.16.18616 and earlier for WIN7/2008 R2)	7.24.19608 or later (7.16.18637 for WIN7/2008 R2)
Mac	7.21 and earlier	7.22 or later
Linux	7.30.18306 7.29.18202 7.28.18108 7.27.18003 7.26.17905 7.25.17804 7.24.17706 7.23.17607 7.22.17507 7.21.17406 and earlier	7.31 or later 7.30.18308 7.29.18207 7.28.18109 7.27.18004 7.25.17805 7.24.17709 7.23.17608 7.22.17508 7.21.17407
Container	7.31.7003 7.30.6901 7.29.6801 7.28.6704 7.27.6602 7.26.6506 7.25.6402 7.24.6302 7.23.6204 7.22.6104 7.21 and earlier	7.31.7004 or later 7.30.6903 7.29.6803 7.28.6705 7.27.6603 7.26.6508 7.25.6403 7.24.6303 7.23.6205 7.22.6105
KAC	7.30.2801 7.29.2704 7.28.2604 7.27.2502 7.26.2404 7.25.2303 7.23.2103 7.22.2001 7.21 and earlier	7.30.2802 or later 7.29.2705 7.28.2605 7.27.2504 7.26.2407 7.25.2305 7.23.2104 7.22.2002
VMware	7.30.801 7.28.602 7.27.501 7.26.401 7.23.105	7.30.806 or later 7.28.604 7.27.503 7.26.402 7.23.106
Android	2024.08.4080002 (4.8.0) and earlier	2024.10.4090003 (4.9.0) or later
iOS	2025.04.1 and earlier	2025.05.1 or later
Legacy Systems	N/A (all versions have newest certificates)	N/A (all versions have newest certificates)
Long-Term Visibility (LTV) Sensor for Windows IoT	6.58.17213 7.06.17807 7.19.18913	7.16.18637 for WIN7/2008 R2 7.24.19608 for all other supported Windows versions
Stand-Alone Identity Protection DC	N/A - support deprecated as of Oct 31, 2024

For guidance on how to update sensors, see Sensor Update Policies in CrowdStrike documentation.

Note: All sensor versions listed in the Upgrade To column will trust the new cert chain, though CrowdStrike recommends upgrading any unsupported assets to supported sensor versions.

Cause

The SSL certificate for the CrowdStrike Falcon console is being replaced, in advance of the cert's expiry. Older Falcon sensor versions do not support the new intermediate certificates in the cert chain and, as a result, will need to be upgraded to a newer sensor version prior to the deadlines provided. While the cert rotation was originally slated to take place on March 16, 2026, CrowdStrike has since extended this deadline.