NetBackup™ Security and Encryption Guide

Manually migrating NetBackup CA after installation or upgrade

With a fresh NetBackup installation or upgrade, a new root CA with 2048-bit key strength is deployed by default. However, if you want to use a CA with a different key size or move to a new CA after installation or upgrade, you must manually initiate the CA migration process.

See Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable.

To migrate NetBackup CA after installation or upgrade

  1. Run the following command to initiate the CA migration process:

    nbseccmd -nbcaMigrate -initiateMigration -keysize key_value

    A new NetBackup CA is deployed with this command.

    For information about commands, see the NetBackup Commands Reference Guide.

  2. Run the following command to reissue certificates to the host.

    nbcertcmd -reissueCertificates

  3. Stop the NetBackup Web Management Console (nbwmc) service before reissuing the certificate to the NetBackup web server.
  4. Run the following command to reissue the certificate to the NetBackup web server:

    configureCerts -renew_webserver_keys

  5. Start the nbwmc service.
  6. Run the following command to ensure that all hosts have the new CA certificates in their trust stores.

    nbseccmd -nbcaMigrate -hostsPendingTrustPropagation

  7. Ensure that the command returns zero (0) hosts as the output.
  8. Warning: If one or more NetBackup hosts are at version 8.2 or earlier, backups of those hosts fail after activation. Therefore, you must ensure that all NetBackup hosts in the domain are upgraded to 8.3 before activating the new CA.

    Run the following command to activate the new CA so that it can start issuing NetBackup certificates going forward:

    nbseccmd -nbcaMigrate -activateNewCA

  9. Run the following command to renew host certificates using the new CA.

    nbcertcmd -renewCertificate

  10. Run the following command to ensure that all hosts have certificates that the new CA has renewed:

    nbseccmd -nbcaMigrate -hostsPendingRenewal

    Ensure that the command returns zero (0) hosts as the output.

  11. Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
  12. Run the following command to complete the CA migration process:

    nbseccmd -nbcaMigrate -completeMigration

  13. After completing the NetBackup CA migration process and ensuring that the hosts use certificates that the new CA has issued, you can safely decommission the old NetBackup CA.

    This clean-up task is optional.

    See Decommissioning the inactive NetBackup CA.
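
The following added example (not part of the NetBackup documentation or product) wraps the two gated points of the procedure above, so that `-activateNewCA` and `-completeMigration` run only when the corresponding pending-host query reports nothing. It assumes each query prints one pending host per non-blank line and prints nothing when no host is pending; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not NetBackup product code. Assumption: each hostsPending*
# query prints one pending host per non-blank line and nothing when no host
# is pending. Verify against real output; unexpected lines block the gate.
# Usage: source this file, then call activate_new_ca at step 8 and
# complete_migration at step 12.

# Count non-blank lines on stdin (assumed: one pending host per line).
count_pending() {
    grep -c '[^[:space:]]' || true
}

# gate_zero_pending <query-flag>: succeed only if the query itself succeeds
# and reports no hosts. Fails closed on errors or unrecognised output.
gate_zero_pending() {
    local out n
    if ! out=$(nbseccmd -nbcaMigrate "$1" 2>&1); then
        echo "query $1 failed; not proceeding" >&2
        return 2
    fi
    n=$(printf '%s\n' "$out" | count_pending)
    if [ "$n" -ne 0 ]; then
        echo "$n host(s) still pending for $1:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Steps 6-8: activate only after every host trusts the new CA. The 8.3
# version requirement from the warning is not checked here.
activate_new_ca() {
    gate_zero_pending -hostsPendingTrustPropagation || return
    nbseccmd -nbcaMigrate -activateNewCA
}

# Steps 10-12: call after the nbmqbroker restart (step 11). Re-checks that
# no host is pending renewal immediately before completing the migration.
complete_migration() {
    gate_zero_pending -hostsPendingRenewal || return
    nbseccmd -nbcaMigrate -completeMigration
}
```

Because the gate treats any non-blank output as a pending host, a query that prints a header or summary line blocks activation rather than allowing it; adjust `count_pending` once you have confirmed the real output format.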
