Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. External CA and external certificates
  9. Configuration options for external CA-signed certificates
  11. MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
NetBackup™ Security and Encryption Guide

MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers

The MANAGE_WIN_CERT_STORE_PRIVATE_KEY option lets you disable the automatic permission management of the private key of the certificate in Windows Certificate Store.

This option is applicable for Windows Certificate Store and only when the NetBackup services are running in the Local Service account context.

When NetBackup services are running in the Local Service account context, the services need to have permissions to read the private key for certificate in Windows Certificate Store.

When the MANAGE_WIN_CERT_STORE_PRIVATE_KEY option is set to Automatic, the NetBackup service that is running in the privileged user account context grants access to all other NetBackup services for reading the private key whenever required.

See Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context.

By default, permissions for the private key are automatically managed. When the MANAGE_WIN_CERT_STORE_PRIVATE_KEY option is set to Disabled, the permissions of the private key need to be managed manually.

Note:

It is not recommended to set the MANAGE_WIN_CERT_STORE_PRIVATE_KEY option to Disabled.

To manually update the permissions when this option is Disabled, run the following command:

nbcertcmd -setWinCertPrivKeyPermissions -reason audit reason -force

Refer to the NetBackup Commands Reference Guide for more details on the command-line options.

Table: MANAGE_WIN_CERT_STORE_PRIVATE_KEY information

Usage

Description

Where to use

On NetBackup primary server.

How to use

Use the nbgetconfig and the nbsetconfig commands to view, add, or change the option.

For information about these commands, see the NetBackup Commands Reference Guide.

Use the following format:

MANAGE_WIN_CERT_STORE_PRIVATE_KEY = Automatic

Equivalent Administration Console property

No equivalent exists in the NetBackup Administration Console host properties.

Feedback

Was this page helpful?
Previous

ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients

Next

Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context

Feedback

Was this page helpful?