Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. About host ID-based certificates
  11. Deleting sensitive certificates and keys from media servers and clients
NetBackup™ Security and Encryption Guide

Deleting sensitive certificates and keys from media servers and clients

In the cloning process, use the following command to remove certain sensitive certificates and keys from NetBackup media servers and clients in the following scenarios:

  • Run the command on the cloned virtual machine, which is cloned from an active NetBackup host.

  • Run the command before creating a gold image of a virtual machine for cloning.

nbcertcmd -deleteAllCertificates

Note:

This command is allowed only on media servers and clients. The command is not allowed on master servers.

This operation deletes or shreds the appropriate sensitive information (certificates and keys) from the following locations:

On Windows:

  • C:\Program Files\Veritas\NetBackup\var\VxSS\certmapinfo.json

  • C:\Program Files\Veritas\NetBackup\var\VxSS\credentials\<certificate>

    For example:

    C:\Program Files\Veritas\NetBackup\var\VxSS\credentials\ 6d92d4dd-ed2d-43de-adb1-bf333aa2cc3c

  • C:\Program Files\Veritas\NetBackup\var\VxSS\credentials\keystore\PrivKeyFile.pem (shredded)

  • C:\Program Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\<certificate>

    For example:

    C:\Program Files\Veritas\NetBackup\var\VxSS\at\systemprofile\ certstore\9345b05e-lilycl2nb!1556!nbatd!1556.0

  • C:\Program Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\keystore\PrivKeyFile.pem (shredded)

  • C:\Program Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\keystore\PubKeyFile.pem

On UNIX:

  • /usr/openv/var/vxss/certmapinfo.json

  • /usr/openv/var/vxss/credentials/<certificate>

    For example:

    /usr/openv/var/vxss/credentials/ f4f72ef3-2cfc-42a4-ab5a-65fd09e8b63e

  • /usr/openv/var/vxss/credentials/keystore/PrivKeyFile.pem (shredded)

  • /var/vxss/at/root/.VRTSat/profile/certstore/<certificate>

  • /var/vxss/at/root/.VRTSat/profile/certstore/keystore/PubKeyFile.pem

  • /var/vxss/at/root/.VRTSat/profile/certstore/keystore/PrivKeyFile.pem (shredded)

Feedback

Was this page helpful?
Previous

About host ID-based certificate expiration and renewal

Next

Cleaning host ID-based certificate information from a host before cloning a virtual machine

Feedback

Was this page helpful?