NetBackup™ Security and Encryption Guide

Disabling the NetBackup CA in a NetBackup domain

Use this section to disable the existing NetBackup CA support in your domain once all the hosts in the domain are configured to use external certificates for host communication.

Note:

If you have NAT clients in your environment and the NetBackup Messaging Broker (nbmqbroker) service is enabled, you may need to restart the service after you disable the NetBackup CA to use external certificates only.

For more information about NAT support in NetBackup, refer to the NetBackup Administrator's Guide, Volume I.

If you have hosts that can communicate securely but cannot be configured to use external certificates (NetBackup 8.1, 8.1.1, or 8.1.2), do not disable the NetBackup CA configuration, because doing so causes communication failures.

To disable NetBackup CA support in your domain

  1. Ensure that all the hosts in your domain are configured to use external certificates.

    See Configuring an external certificate for the NetBackup web server.

    See Configuring the primary server to use an external CA-signed certificate.

    See Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation.

  2. After each host in the domain is configured to use external certificates, remove the NetBackup CA support from each host (media servers and clients) in the domain.

    Run the following commands on each host in the given order:

    • nbcertcmd -removeCACertificate -fingerPrint <NetBackup CA certificate fingerprint>

    • nbcertcmd -deleteCertificate -hostid <host ID of the host>

  3. Remove the NetBackup CA support from the primary server.

    Run the following commands on the primary server in the given order:

    • nbcertcmd -removeCACertificate -fingerPrint <NetBackup CA certificate fingerprint>

    • nbcertcmd -deleteCertificate -hostid <host ID of the primary server>

  4. Revoke all host ID-based certificates in the domain. This is an optional step.

    See Revoking a host ID-based certificate.

  5. Remove the NetBackup CA support from the web server. Ensure that you do not need the NetBackup certificates for host communication.

    Run the following command on the web server:

    configureWebServerCerts -removeNBCert

    For more information about the commands, refer to the NetBackup Commands Reference Guide.

  6. Restart the NetBackup Web Management Console (nbwmc) service.
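
A dry-run planner for the procedure above, added here as an example and not taken from the NetBackup documentation: it enforces the step 1 precondition and the 8.1, 8.1.1, 8.1.2 caveat, then prints the page's commands in the required order without running anything. The inventory format, host names, host IDs, fingerprint and function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: prints a plan only; it never invokes nbcertcmd.
# Inventory format (assumption): name role version host_id external_cert
# Hosts, host IDs and the fingerprint are constructed placeholders.
INVENTORY='primary01 primary 10.1 11111111-1111-1111-1111-111111111111 yes
media01 media 10.1 22222222-2222-2222-2222-222222222222 yes
client01 client 9.1 33333333-3333-3333-3333-333333333333 yes'
CA_FP='AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# Step 1 gate: list every host that blocks disabling the NetBackup CA.
blockers() {
    printf '%s\n' "$1" | while read -r name role ver id ext; do
        [ -n "$name" ] || continue
        case "$ver" in
            8.1|8.1.1|8.1.2)
                echo "$name: NetBackup $ver cannot use external certificates" ;;
            *)
                [ "$ext" = yes ] || echo "$name: external certificate not configured" ;;
        esac
    done
}

# Emit the two nbcertcmd commands, in order, for each host of one role.
host_cmds() {
    printf '%s\n' "$1" | while read -r name role ver id ext; do
        [ "$role" = "$2" ] || continue
        echo "[$name] nbcertcmd -removeCACertificate -fingerPrint $3"
        echo "[$name] nbcertcmd -deleteCertificate -hostid $id"
    done
}

# Print the plan in the page's order, or fail if the step 1 gate is not met.
# The optional revocation step (step 4) is left to the operator.
plan() {
    inv=$1 fp=$2
    b=$(blockers "$inv")
    if [ -n "$b" ]; then echo "$b" >&2; return 1; fi
    host_cmds "$inv" media "$fp"      # step 2: media servers and clients
    host_cmds "$inv" client "$fp"
    host_cmds "$inv" primary "$fp"    # step 3: primary server last
    echo "[web server] configureWebServerCerts -removeNBCert"   # step 5
    echo "[web server] restart the nbwmc service"               # step 6 (manual)
}

plan "$INVENTORY" "$CA_FP"
```
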
