Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect Access Appliance
  4. About system certificates on Access Appliance
  5. Deploying ECA using the GUI
NetBackup and NetBackup Appliances Hardening Guide

Deploying ECA using the GUI

You can perform all external certificates-related operations from the Settings > Security management > Certificates tab.

  • Switch to external certificate

    • Once the external certificates are deployed, user can switch in between internal and external certificates.

    • After the external certificates are deployed, the Switch to appliance certificates option is enabled. The web server is restarted after certificates are switched.

    • Internal certificates or appliance certificates are the Access Appliance CA certificates which are deployed during the initial configuration.

  • Upload certificate

    • An ECA that is certified to work with CA bundle and an optional certificate revocation list (CRL) is required for the Access Appliance cluster components to use an external certificate.

    • All the artifacts must be deployed in tandem for the first time. This includes external certificate, CA bundle, and CRL.

    • CRL is optional. It may be provided as a file or embedded in certificate as a URL.

    • If using your own certificate, include the certificate and provide a key. Keep the private key unencrypted.

    • Once deployed all the Access Appliance components - web server and S3 services use the external certificates.

    • The web server and S3 server are restarted after deployment of certificate artifacts is successful.

  • View certificate request

    • You can view the generated certificate request and verify the subject distinguished names and subject alternative names.

    • You can also copy the generated certificate request and get the CA certificate from it.

  • Generate certificate request

    • You must provide a proper subject distinguished name and subject to generate correct external certificate that can be used in Access Appliance cluster.

    • You can use the GUI wizard to generate a proper request for the cluster. The wizard auto populates necessary IP/FQDN to generate correct request.

To deploy ECA using the GUI

  1. Go to the Settings > Security Management > Certificates tab.
  2. Click Generate certificate request and fill out the form. The SAN field is filled with default SAN entries that are mandatory for the configuration. For standard default configuration, it has the FQDN entries for all the storage servers, console IP and API gateway FQDN.
  3. Click Generate to generate a certificate request.
  4. Click Copy to copy the certificate request. This has to be given to a CA signing authority who uses this to generate a certificate. CA signing authority provides a certificate along with the root certificate and intermediate certificate used to generate the certificate. Authority may also provide a CRL file .
  5. You also have an option to upload a private key. If you want to use your own certificate, include the certificate and provide a key. Ensure that the private key is unencrypted.
  6. Go to Certificates > Upload certificate to upload the certificate artifacts. For a fresh deployment, both the certificate and CA certificate bundle are mandatory. CRL is optional. For renewal, any one of the three are required.
  7. After the certificate is uploaded, Save gets enabled. Click Save. The deployment is initiated.

    After deployment is successfully completed for all components, the GUI restarts with the uploaded external certificate.

You can verify the browser certificate from the GUI to verify that it is the same one that was used during deployment.

Feedback

Was this page helpful?
Previous

About external certificates on Access Appliance

Next

Log locations

Feedback

Was this page helpful?