NetBackup™ Security and Encryption Guide

Removing trust between a host and a master server

A NetBackup host can trust multiple Certificate Authorities (master servers) at any time. For various reasons, it may be necessary for a NetBackup host to remove trust from a master server that previously had been trusted.

For example, if a NetBackup client is moved from one master server to another, it is advisable to remove trust from the first master server. Security best practices suggest trusting the fewest entities required to function correctly. Also, if a NetBackup host no longer needs to communicate with hosts from a specific NetBackup domain, remove the CA certificate for that master from the trust store of the host.

Note:

Removing a CA certificate does not remove the host ID-based or host name-based certificates that the host may have obtained from that CA. The nbcertcmd -listCertDetails command continues to show the host ID-based certificate.

When the CA certificate is removed from a host, the host ID-based certificate issued by that CA will not automatically renew because the host no longer trusts the CA. The host ID-based certificate eventually expires.

Removing trust between a host and a master server

  1. The administrator of the non-master host runs the following command on the host to determine the CA certificate fingerprint of the master server:

    nbcertcmd -listCACertDetails

    In this example output, the host has certificates from two master servers:

    nbcertcmd -listCACertDetails
         Subject Name : /CN=nbatd/OU=root@master1.abc.com/O=vx
           Start Date : Aug 23 14:16:44 2016 GMT
          Expiry Date : Aug 18 15:31:44 2036 GMT
     SHA1 Fingerprint : 7B:0C:00:32:96:20:36:52:92:E8:62:F3:56:74:8B:E3:2E:4F:22:4C

         Subject Name : /CN=nbatd/OU=root@master2.xyz.com/O=vx
           Start Date : Aug 25 12:09:55 2016 GMT
          Expiry Date : Aug 20 13:24:55 2036 GMT
     SHA1 Fingerprint : 7A:C7:6E:68:71:6B:82:FD:7E:80:FC:47:F6:8D:B2:E1:40:69:9C:8C

  2. The administrator wants to remove trust in the second master server and runs the following command on the host:

    nbcertcmd -removeCACertificate -fingerprint 7A:C7:6E:68:71:6B:82:FD:7E:80:FC:47:F6:8D:B2:E1:40:69:9C:8C

    Include the entire fingerprint, including the colons.

    Warning:

    This command removes the CA certificate from the trust store. The trust store is referred to by NetBackup services and by the NetBackup Web Management Console service (nbwebsvc).

  3. The NetBackup Administration Console on the master server displays the certificate state as Active. However, that certificate does not automatically renew and eventually expires. The NetBackup administrator should revoke the certificate of the host if the host is no longer going to be part of the NetBackup domain.
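
The lookup in steps 1 and 2, as an added example that is not part of the original guide or of NetBackup: a shell script that reads `nbcertcmd -listCACertDetails` output, selects the CA by exact match on the master server name, rejoins a fingerprint that was wrapped across lines, and prints the removal command for review instead of running it. The function names, and the assumption that the CA subject carries `OU=root@<master server>` as in the sample output, are this example's own.

```shell
#!/bin/sh
# Added example (not NetBackup code). Assumes the listing format shown on this
# page, where the CA subject carries OU=root@<master server>.

# Constructed sample built from this page's example values; the fingerprints
# are wrapped over two lines to exercise the joining logic.
sample_output() {
cat <<'EOF'
     Subject Name : /CN=nbatd/OU=root@master1.abc.com/O=vx
       Start Date : Aug 23 14:16:44 2016 GMT
      Expiry Date : Aug 18 15:31:44 2036 GMT
 SHA1 Fingerprint : 7B:0C:00:32:96:20:36:52:92:E8:62:F3:56:
74:8B:E3:2E:4F:22:4C

     Subject Name : /CN=nbatd/OU=root@master2.xyz.com/O=vx
       Start Date : Aug 25 12:09:55 2016 GMT
      Expiry Date : Aug 20 13:24:55 2036 GMT
 SHA1 Fingerprint : 7A:C7:6E:68:71:6B:82:FD:7E:80:FC:47:F6:
8D:B2:E1:40:69:9C:8C
EOF
}

# ca_fingerprint MASTER: read the listing on stdin and print the fingerprint of
# the CA whose subject has exactly OU=root@MASTER (no substring or regex match).
ca_fingerprint() {
    awk -v want="OU=root@$1" '
        /Subject Name/ { hit = 0; infp = 0; n = split($0, p, "/")
                         for (i = 2; i <= n; i++) if (p[i] == want) hit = 1
                         next }
        /SHA1 Fingerprint/ { sub(/^.*Fingerprint[ \t]*:/, ""); gsub(/[ \t]/, "")
                             infp = 1; if (hit) fp = $0; next }
        # A wrapped fingerprint continues on the next line: hex pairs and colons only.
        infp && /^[ \t]*[0-9A-Fa-f:]+[ \t]*$/ { gsub(/[ \t]/, ""); if (hit) fp = fp $0; next }
        { infp = 0 }
        END { print fp }'
}

# removal_command MASTER: print (never run) the command for that CA, refusing
# anything that is not a complete 20-byte SHA-1 fingerprint.
removal_command() {
    fp=$(ca_fingerprint "$1")
    printf '%s\n' "$fp" | grep -Eq '^([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$' || {
        echo "no complete CA fingerprint found for $1" >&2; return 1; }
    printf 'nbcertcmd -removeCACertificate -fingerprint %s\n' "$fp"
}

# On a real host: nbcertcmd -listCACertDetails | removal_command master2.xyz.com
sample_output | removal_command master2.xyz.com
```

Because the match is on the whole `OU=` component, a partial or mistyped server name yields no command at all rather than the fingerprint of a different CA.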
