Revoking a host ID-based certificate
NetBackup administrators may consider revoking a host ID-based certificate under various conditions. For example, if the administrator detects that client security has been compromised, if a client is decommissioned, or if NetBackup is uninstalled from the host. A revoked certificate cannot be used to communicate with primary server web services.
See About revoking host ID-based certificates.
Security best practices suggest that the administrator explicitly revoke the certificates for any host that is no longer active, regardless of whether the certificate is still deployed on the host, or whether it has been successfully removed from the host.
Note:
Do not revoke a certificate of the primary server. If you do, NetBackup operations may cease.
To revoke a host ID-based certificate using the NetBackup Administration web UI
- On the left pane, select Security > Certificates.
- On the NetBackup certificates tab, select the certificate to be revoked.
- Select Revoke Certificate.
- Select a reason from the drop-down list and click Yes.
After you revoke a host's certificate, do the following actions in NetBackup:
Remove the host from backup policies.
For a NetBackup media server, deactivate it.
To revoke a host ID-based certificate using the command line
- The primary server administrator must be logged in to the NetBackup Web Management Service to perform this task. Use the following command to log in:
bpnbat -login -logintype WEB
- Run one of the following commands to revoke the certificate using the host name or the host ID.
Revoke using the host name:
nbcertcmd -revokeCertificate -host host_name
Note:
You must provide the primary name of the host for which you want to revoke the certificate. If you provide any of the host ID-to-host name mappings that are added for the host, the certificate cannot be revoked.
Revoke using the host ID:
nbcertcmd -revokeCertificate -hostID host_id
Additional parameters can be used to indicate a revocation reason code and the primary server.
After you revoke a host's certificate, do the following actions in NetBackup:
Remove the host from backup policies.
For a NetBackup media server, deactivate it.
Note:
Revoking a certificate does not delete the certificate from the local store of the non-primary host.