Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. About host ID-based certificates
  11. Setting up trust with the master server (Certificate Authority)
NetBackup™ Security and Encryption Guide

Setting up trust with the master server (Certificate Authority)

Each NetBackup host must first trust the NetBackup master server, which acts as the Certificate Authority (CA). Trust is essential so that the host can request a host ID-based certificate. The CA certificate can be used to authenticate other hosts in the domain, and is stored in the trust store of each host. Setting up trust involves requesting a certificate from the master server.

See Automatic host ID-based certificate deployment.

Adding a CA certificate to a host's trust store

Run the nbcertcmd -listCACertDetails command to see the list of CA certificates that are in the host's trust store. The output displays all of the master servers that the host already trusts.

To establish trust with the master server (CA)

  1. The host administrator must have the Root Certificate Fingerprint that was communicated to them through an authentic source. The source was most likely the master server administrator, who communicated the fingerprint by email, by file, or on an internal website. The following topic describes that process:

    See Finding and communicating the fingerprint of the certificate authority.

  2. From the NetBackup host, run the following command:

    nbcertcmd -getCACertificate -server master_server_name

  3. In the confirmation output, enter y to proceed.

    For example:

    nbcertcmd -getCACertificate -server master1
Authenticity of root certificate cannot be established.
The SHA1 fingerprint of root certificate is B8:2B:91:E1:4E:78:D2:
25:86:4C:29:C5:92:16:00:8D:E8:2F:33:DD.

    Note:

    The fingerprint that is displayed must match the Root Certificate Fingerprint that the host administrator has received from the master server administrator. Enter y to give consent to add the CA certificate to the trust store of the host.

    Are you sure you want to continue using this certificate ? (y/n): y
The validation of root certificate fingerprint is successful.
CA certificate stored successfully.
  4. Next, the administrator performs the following task:

    See Deploying host ID-based certificates.

For information about this command, see the NetBackup Commands Reference Guide.

Adding a CA certificate via message in the NetBackup Administration Console

The NetBackup Administration Console and the Backup, Archive, and Restore user interfaces communicate with NetBackup hosts (master server, media server, or client) over a secure channel. NetBackup secures this channel using a NetBackup host ID-based or a host name-based security certificate that the NetBackup Certificate Authority (CA) issues.

Figure: Message inquiring whether to add a Certificate Authority (CA) to the trust store displays in the NetBackup Administration Console in the following situation: A user is running the NetBackup Administration Console on a NetBackup host. The user tries to connect to another NetBackup host (a target host) using the NetBackup Administration Console. However, the CA that issued the security certificate to the target host is not in the trust store of the host where the user launched the console.

Figure: Message inquiring whether to add a Certificate Authority (CA) to the trust store

Message inquiring whether to add a Certificate Authority (CA) to the trust store

To verify the CA fingerprint that the dialog displays, see the following topic:

See Finding and communicating the fingerprint of the certificate authority.

If the user selects Yes in this message, the CA is added to the trust store of the host where the console is running. This host will then trust all hosts that have a certificate signed by the CA that is listed in the message.

Feedback

Was this page helpful?
Previous

Implication of clock skew on certificate validity

Next

Finding and communicating the fingerprint of the certificate authority

Feedback

Was this page helpful?