Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. Migrating NetBackup CA
NetBackup™ Security and Encryption Guide

Migrating NetBackup CA

In certain scenarios, you may need to migrate your existing NetBackup certificate authority (CA) hierarchy to a new one. NetBackup supports migrating the existing NetBackup CA. This chapter provides information on the NetBackup CA migration process.

NetBackup security certificates that are used to authenticate NetBackup hosts conform to the X.509 Public Key Infrastructure (PKI) standard. A NetBackup master server acts as the certificate authority (CA) and issues digital certificates to hosts. NetBackup uses the NetBackup authentication daemon (NBATD) as its PKI provider. NBATD and its client implementation generate the RSA private key that is used for authentication.

NetBackup now supports certificate authorities with the following key strengths: 2048 bits, 3072 bits, 4096 bits, 8192 bits, and 16384 bits.

Note:

After NetBackup master server installation or upgrade, by default a new root CA with 2048-bits key strength is deployed. With upgrade, you need to migrate the existing CA to a new CA.

Table: NetBackup CA migration procedures for various use cases

Use case

Description

When you need a NetBackup CA with a key strength other than the default one (2048 bits)

See Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable.

See Manually migrating NetBackup CA after installation or upgrade.

When you want to migrate the existing NetBackup CA after the entire NetBackup domain is upgraded to 8.3

See Migrating NetBackup CA when the entire NetBackup domain is upgraded.

The NetBackup CA migration process comprises the following phases:

  1. Initiating NetBackup CA migration

    Note:

    Run the following command:

    vssat setuptrust --broker nb_master_server_name:1556:nbatd --securitylevel high

    For information about commands, see the NetBackup Commands Reference Guide.

    The vssat command resides at the following location:

    Windows

    INSTALL_PATH\NetBackup\sec\at\bin\vssat

    UNIX

    /usr/openv/netbackup/sec/at/bin

  2. Activating the new NetBackup CA

  3. Completing NetBackup CA migration

  4. Decommissioning the old NetBackup CA

    Note:

    Decommissioning the old NetBackup CA is an optional clean-up task.

See the video NetBackup CA migration for details.

Feedback

Was this page helpful?
Previous

Adding a NetBackup host manually

Next

Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable

Feedback

Was this page helpful?