NetBackup™ Security and Encryption Guide

Changing the key pair for a host

Consider changing a key pair only if a key is compromised or leaked. Changing a key pair results in both a new host ID-based certificate and a new host name-based certificate.

The following procedure describes changing a key pair for a host, and then getting a new certificate using the new key pair.

Perform this procedure only on a non-primary server host. Do not perform it on a primary server.

To change a key pair for a host

  1. The NetBackup host administrator backs up the following directories:

    On Windows: Install_path\NetBackup\var\VxSS\at\systemprofile

    On UNIX: /usr/openv/var/vxss/at/root

  2. The NetBackup host administrator removes that directory from the host.
  3. Restart the NetBackup services on the host.
  4. The primary server administrator performs the following steps:

    • Log in to the NetBackup Web Management Service:

      bpnbat -login -logintype WEB

      See Web login requirements for nbcertcmd command options.

    • Revoke the host ID-based certificate:

      nbcertcmd -revokeCertificate -host host_name

    • Generate a reissue token for the NetBackup host where the key pair is to be changed.

      See Creating a reissue token.

    • Deploy a new host name-based certificate:

      bpnbaz -ProvisionCert host_name

  5. The NetBackup host administrator uses the reissue token to deploy a new host ID-based certificate with an updated key pair.

    Use the following command to enter the token directly:

    nbcertcmd -getCertificate -force -token

    Use the following command if the token is in a file:

    nbcertcmd -getCertificate -force -file /directory/token_file

  6. If the host has more than one primary server, repeat the process beginning at step 4 for each primary server.
  7. Restart the NetBackup services on the NetBackup host where the key was changed.
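
Steps 1 and 2 on a UNIX host, as an added example that is not part of the NetBackup documentation: it archives the directory with owner-only permissions (the archive still holds the old key material), verifies the archive, and only then removes the directory. The function name, the `BACKUP_DEST` variable and the archive file name are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example (not NetBackup code): back up, verify, then remove the
# credential directory from steps 1-2. Names below are hypothetical.

# Usage: backup_and_remove_at_dir <credential_dir> <backup_dest_dir>
# Prints the archive path on success; on any failure the directory is left in place.
backup_and_remove_at_dir() {
    local src="$1" dest="$2" archive want got
    [ -d "$src" ]  || { echo "no such directory: $src" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such backup destination: $dest" >&2; return 1; }

    # Refuse a destination inside the directory that is about to be removed.
    case "$(cd "$dest" && pwd -P)/" in
        "$(cd "$src" && pwd -P)/"*)
            echo "backup destination is inside $src" >&2; return 1 ;;
    esac

    archive="$dest/at-keystore-$(date +%Y%m%d%H%M%S)-$$.tar"
    # The archive contains the old, possibly compromised key: owner-only access.
    ( umask 077 && tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" ) \
        || return 1

    # Verify that the archive lists every entry of the tree before deleting anything.
    want=$(find "$src" | wc -l | tr -d ' ')
    got=$(tar -tf "$archive" | wc -l | tr -d ' ')
    if [ "$want" -ne "$got" ]; then
        echo "archive verification failed ($got of $want entries)" >&2
        rm -f "$archive"
        return 1
    fi

    rm -rf -- "$src"    # step 2: remove the directory from the host
    echo "$archive"
}

# Runs against the UNIX path from step 1 only when BACKUP_DEST is set
# (BACKUP_DEST is an assumption of this sketch, not a NetBackup setting).
if [ -n "${BACKUP_DEST:-}" ]; then
    backup_and_remove_at_dir /usr/openv/var/vxss/at/root "$BACKUP_DEST"
fi
```

Store the archive where only the host administrator can read it, and treat it as compromised key material when it is eventually disposed of.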
