Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. External CA and external certificates
  9. About certificate revocation lists for external CA
NetBackup™ Security and Encryption Guide

About certificate revocation lists for external CA

Certificate revocation list (CRL) for an external certificate authority (CA) contains a list of digital certificates that the external CA has revoked before the scheduled expiration date and should no longer be trusted.

NetBackup supports PEM and DER formats for CRLs for external CA.

CRLs for all CRL issuers or external CAs are stored in the NetBackup CRL cache that resides on each host.

During secure communication, each NetBackup host verifies the revocation status of the peer host's external certificate with the CRL that is available in the NetBackup CRL cache, based on the ECA_CRL_CHECK configuration option.

See ECA_CRL_CHECK for NetBackup servers and clients.

The NetBackup CRL cache is updated with the required CRLs using one of the following CRL sources:

ECA_CRL_PATH configuration option

A NetBackup configuration option (from bp.conf file on UNIX or Windows registry) that specifies the directory path where the CRLs exist.

See ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients.

See How CRLs from ECA_CRL_PATH are used.

CRL distribution point (CDP)

If you have not specified ECA_CRL_PATH, NetBackup downloads the CRLs from the URLs that are specified in the peer host certificate's CDP and caches them in the NetBackup CRL cache.

See How CRLs from CDP URLs are used.

NetBackup supports downloading CRLs from HTTP and HTTPS URLs that are specified in CDP.

The NetBackup CRL cache contains only the latest copy of a CRL for each CA (including root and intermediate CAs).

The bpclntcmd -crl_download service updates the CRL cache during host communication in the following scenarios irrespective of the time interval set for the ECA_CRL_PATH_SYNC_HOURS or ECA_CRL_REFRESH_HOURS options:

  • When CRLs in the CRL cache are expired

  • If CRLs are available in the CRL source (ECA_CRL_PATH or CDP), but they are missing from the CRL cache

Note:

Once the bpclntcmd -crl_download service updates the CRLs in the CRL cache, it does not download the CRLs for the same CA for the next 15 min even though a valid download scenario has occurred. If you want to update the CRL within 15 min, terminate the bpclntcmd -crl_download service.

Feedback

Was this page helpful?
Previous

Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context

Next

How CRLs from ECA_CRL_PATH are used

Feedback

Was this page helpful?