Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. External CA and external certificates
  9. About certificate revocation lists for external CA
  11. How CRLs from ECA_CRL_PATH are used
NetBackup™ Security and Encryption Guide

How CRLs from ECA_CRL_PATH are used

Use this section if you want to use ECA_CRL_PATH as the CRL source for the NetBackup CRL cache.

To use CRLs from ECA_CRL_PATH

  1. Ensure that the CRLs for external CAs are stored in a directory and the directory path is accessible by the host.

    If you have a Flex Appliance application instance, the files must be stored in the following directory on the instance: /mnt/nbdata/hostcert/crl

    You can specify the CRL details that are required for external CA configuration during NetBackup installation or upgrade on the host.

    Select one of the following certificate revocation list (CRL) options during installation or upgrade:

    • Use the CRL defined in the certificate - No additional information is required.

    • Use the CRL at the following path - You are prompted to provide a path to the CRL.

      If you choose to use the Do not use a CRL option, peer host's certificate is not verified with the CRL during host communication.

    For more information, refer to the NetBackup Installation Guide.

  2. Specify the CRL directory path for the ECA_CRL_PATH configuration option.
  3. Ensure that the ECA_CRL_CHECK configuration option is set to a value other than DISABLE.

    During host communication, the revocation status of the external certificate is verified with the CRL in the NetBackup CRL cache that contains the CRLs from ECA_CRL_PATH.

    By default, CRLs from the cache are updated every one hour. To change the time interval, set the ECA_CRL_PATH_SYNC_HOURS option to a different value.

    To manually update the CRL cache with the ECA_CRL_PATH CRLs, run the nbcertcmd -updateCRLCache command.

    To manually delete the CRLs from the CRL cache, run the nbcertcmd -cleanupCRLCache command.

Feedback

Was this page helpful?
Previous

About certificate revocation lists for external CA

Next

How CRLs from CDP URLs are used

Feedback

Was this page helpful?