Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. About the host ID-based certificate revocation list
NetBackup™ Security and Encryption Guide

About the host ID-based certificate revocation list

The NetBackup certificate revocation list (CRL) is a list of host ID-based digital security certificates that have been revoked before their expiration date. The hosts that own revoked certificates should no longer be trusted.

The NetBackup certificate revocation list conforms to the Certificate Revocation List profile that the Internet Engineering Task Force publishes in RFC 5280 at https://www.ietf.org. The NetBackup certificate authority signs the CRL. The NetBackup master server is the certificate authority. The CRL is public and does not require secure transmission. The CRL endpoint is open, free for anyone to access.

Every NetBackup host must have a valid security certificate and a valid CRL so that it can communicate with other NetBackup hosts.

How often NetBackup generates a new CRL

The NetBackup master server generates a new CRL as follows:

  • On startup.

  • Sixty minutes since the CRL was last generated.

  • NetBackup checks every 5 minutes for a newly revoked certificate. It can take NetBackup up to 5 minutes to update the web server after a certificate is revoked.

A CRL expires after 7 days.

How often a NetBackup host gets a CRL

A NetBackup host obtains a CRL when NetBackup is installed on the host. A NetBackup host also obtains a fresh CRL during an upgrade of the NetBackup software.

After installation or upgrade, each host requests a new CRL on a time interval since the host was started. (NetBackup uses a pull method to refresh host CRLs.) The NetBackup master server certificate deployment security level determines the time interval, as shown in the following table.

Table: CRL refresh interval

Security level

CRL refresh interval

Very high

Hourly

High

4 hours

Medium

8 hours

See About NetBackup certificate deployment security levels.

You can get a new CRL before its scheduled refresh period.

See Refreshing the CRL on the master server.

See Refreshing the CRL on a NetBackup host.

For more information

More Information

Overview of security certificates in NetBackup

About host ID-based certificates

About revoking host ID-based certificates

Feedback

Was this page helpful?
Previous

About expired authorization tokens and cleanup

Next

Refreshing the CRL on the master server

Feedback

Was this page helpful?