NetBackup™ Security and Encryption Guide

Configuring an external certificate for a clustered primary server

Use this section to configure an external CA-signed certificate for a clustered primary server. The enrolled certificate is used for host communication.

Requirements
  • Ensure that the NetBackup domain is enabled to use external CA-signed certificates by configuring the NetBackup web server.

    See Configuring an external certificate for the NetBackup web server.

  • Ensure that external certificates for the NetBackup web server and the virtual name are issued by the same certificate authority.

    If the two certificate authorities do not match, communication between the NetBackup Administration Console and the NetBackup Web Management Console service (nbwmc service) fails.

To enroll an external certificate for a clustered primary server

  1. Update the NetBackup configuration file that is present on the shared disk (nbcl.conf) with the external certificate configuration options.

    See Configuration options for external CA-signed certificates for a virtual name.

    Use the nbsetconfig command to configure the following options:

    • CLUSTER_ECA_CERT_PATH

    • CLUSTER_ECA_TRUST_STORE_PATH

    • CLUSTER_ECA_PRIVATE_KEY_PATH

    • CLUSTER_ECA_KEY_PASSPHRASEFILE (optional)

    You need to configure the certificate revocation list (CRL) configuration options for each node.

    See About certificate revocation lists for external CA.

  2. Run the following command on the primary server:

    nbcertcmd -enrollCertificate -cluster

    The enrolled certificate is used for communication between the active node and the primary server domain that is listed in the SERVER configuration option on the host.

    For more details on the command, refer to the NetBackup Commands Reference Guide.

  3. Configure an external certificate on each cluster node.

    See Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation.
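
A pre-enrollment check for the files that the CLUSTER_ECA_* options point to, covering the same-CA requirement above. This is an added example, not part of the NetBackup documentation. It uses only the openssl command line, and the function names and argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-enrollment checks on the files that the CLUSTER_ECA_*
# options point to. Paths are passed as arguments (assumption); the script
# does not read nbcl.conf and does not call any NetBackup command.

# Issuer DN of the first certificate in a PEM file.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# Requirement: web server and virtual-name certificates share one issuing CA.
# Compares issuer DNs, which is a proxy for "same CA".
same_issuer() {
    a=$(cert_issuer "$1") || return 2
    b=$(cert_issuer "$2") || return 2
    [ "$a" = "$b" ]
}

# The private key must belong to the certificate (public keys are equal).
# $3 is an optional passphrase file, as with CLUSTER_ECA_KEY_PASSPHRASEFILE.
key_matches_cert() {
    passin="pass:"
    [ -n "${3:-}" ] && passin="file:$3"
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$passin" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate must chain to the trust store; any intermediates bundled
# in the certificate file are offered as untrusted helpers.
chains_to_trust_store() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Usage: script VIRTUAL_CERT KEY TRUST_STORE WEBSERVER_CERT [PASSPHRASE_FILE]
preflight() {
    rc=0
    same_issuer "$1" "$4"               || { echo "FAIL: issuers differ" >&2; rc=1; }
    key_matches_cert "$1" "$2" "${5:-}" || { echo "FAIL: key/cert mismatch" >&2; rc=1; }
    chains_to_trust_store "$1" "$3"     || { echo "FAIL: not trusted" >&2; rc=1; }
    return "$rc"
}

if [ "$#" -ge 4 ]; then preflight "$@"; fi
```

Run it on the active node before nbcertcmd -enrollCertificate -cluster; a non-zero exit status means at least one check failed.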
