Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. Migrating NetBackup CA
  11. Migrating NetBackup CA when the entire NetBackup domain is upgraded
NetBackup™ Security and Encryption Guide

Migrating NetBackup CA when the entire NetBackup domain is upgraded

With NetBackup 8.3 upgrade, by default a new root CA with 2048 bits key strength is deployed and the CA migration process is automatically initiated. You can also set the NB_KEYSIZE environment variable to a value larger than 2048 bits before installation or upgrade.

See Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable.

Note:

If you have media servers earlier than NetBackup 8.2 that are configured as cloud storage servers, the CA migration process is not initiated. Ensure that all NetBackup hosts are upgraded to 8.3 or later for successful host communication.

When all hosts in your NetBackup domain are upgraded to NetBackup 8.3 or later, use the following procedure to complete the CA migration process:

To migrate NetBackup CA when all hosts are upgraded to NetBackup 8.3

  1. Run the following command to ensure that all hosts have the new CA certificates in their trust stores.

    nbseccmd -nbcaMigrate -hostsPendingTrustPropagation

  2. Ensure that the command returns zero (0) hosts as the output.

    For information about commands, see the NetBackup Commands Reference Guide.

  3. Warning:

    If one or more NetBackup hosts are at 8.2 or earlier versions, backups of such hosts fail after activation. Therefore, you must ensure that all NetBackup hosts in the domain are upgraded to 8.3 before activating the new CA.

    Run the following command to activate the new CA that can start issuing NetBackup certificates going forward:

    nbseccmd -nbcaMigrate -activateNewCA

  4. Run the following command to ensure that all hosts have certificates that the new CA has renewed:

    nbseccmd -nbcaMigrate -hostsPendingRenewal

    Ensure that the command returns zero (0) hosts as the output.

  5. Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
  6. Run the following command to complete the CA migration process:

    nbseccmd -nbcaMigrate -completeMigration

  7. After completing the NetBackup CA migration process and ensuring that the hosts use certificates that the new CA has issued, you can safely decommission the old NetBackup CA.

    This clean-up task is optional.

    See Decommissioning the inactive NetBackup CA .

Feedback

Was this page helpful?
Previous

Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable

Next

Manually migrating NetBackup CA after installation or upgrade

Feedback

Was this page helpful?