NetBackup™ Security and Encryption Guide

Forcing or overwriting certificate deployment

In some situations it may be necessary to use the -force option with the nbcertcmd -getCertificate command, for example to force certificate deployment to a host, or to overwrite the existing host ID-based certificate information and fetch a new certificate.

Forcing certificate deployment

A host may already have a host ID-based certificate but need to overwrite the old certificate with a new one. This is required, for example, when a primary server is replaced with a new server. Because the clients still hold the old certificate for the old server, running the nbcertcmd -getCertificate command on the clients fails with the following error:

Certificate already exists for the server.

Use the following procedure to overwrite the existing host ID-based certificate information and fetch a new certificate.

To force certificate deployment on a host

  • The host administrator runs the following command on the non-primary host:

    nbcertcmd -getCertificate -server primary_server_name -force

    • Depending on the security setting on the primary server, a token may also need to be specified.

      See Creating authorization tokens.

    • Use the -cluster option to deploy a cluster certificate.

Overwrite the existing host ID-based certificate information and fetch a new certificate

A host may have been issued a certificate, but over time the certificate has become corrupted or the certificate file has been deleted.

The administrator of the non-primary host can run the following command to confirm the condition of the certificate:

nbcertcmd -listCertDetails

  • If the certificate is corrupt, the command fails with the following error:

    Certificate could not be read from the local certificate store.

  • If no certificate details display, the certificate is not available.

Use the following procedure to overwrite the existing host ID-based certificate information and to fetch a new certificate.

To fetch a new host ID-based certificate

  • The host administrator runs the following command on the non-primary host:

    nbcertcmd -getCertificate -force

    • Depending on the security setting on the primary server, a token may also need to be specified.

      See Creating authorization tokens.

    • Use the -cluster option to deploy a cluster certificate.
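
The checks and commands above, combined into a dry-run helper (an added example, not code from the guide or the vendor). It assumes nbcertcmd is on PATH; the function names and the GETCERT_OUTPUT variable are hypothetical, and a certificate is treated as present whenever -listCertDetails prints anything other than the documented error.

```shell
#!/bin/sh
# Decide whether -force is warranted before overwriting a host ID-based
# certificate, using only the two error strings documented on this page.
ERR_CORRUPT='Certificate could not be read from the local certificate store.'
ERR_EXISTS='Certificate already exists for the server.'

# classify_cert_state LISTCERTDETAILS_OUTPUT -> prints corrupt | missing | present
classify_cert_state() {
    case "$1" in
        *"$ERR_CORRUPT"*) echo corrupt; return ;;
    esac
    # "If no certificate details display, the certificate is not available."
    if [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
        echo missing
    else
        echo present
    fi
}

# force_warranted STATE GETCERTIFICATE_OUTPUT -> exit 0 only for a documented reason
force_warranted() {
    case "$1" in corrupt|missing) return 0 ;; esac
    case "$2" in *"$ERR_EXISTS"*) return 0 ;; esac
    return 1
}

# build_force_command [PRIMARY_SERVER] -> prints the command from the procedures.
# A token or -cluster, where required, must be appended by the administrator.
build_force_command() {
    if [ -n "$1" ]; then
        printf 'nbcertcmd -getCertificate -server %s -force\n' "$1"
    else
        printf 'nbcertcmd -getCertificate -force\n'
    fi
}

# Dry run on a NetBackup host: report the state and print (never execute) the command.
# GETCERT_OUTPUT (hypothetical) may hold the output of a failed plain -getCertificate.
if command -v nbcertcmd >/dev/null 2>&1; then
    state=$(classify_cert_state "$(nbcertcmd -listCertDetails 2>&1 || true)")
    echo "certificate state: $state"
    if force_warranted "$state" "${GETCERT_OUTPUT:-}"; then
        build_force_command "${1:-}"
    else
        echo "no documented reason to use -force; existing certificate left in place"
    fi
fi
```

Because the helper only prints the command, the overwrite itself stays a deliberate, reviewable step for the host administrator.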
