About the host ID-based certificate revocation list
The NetBackup certificate revocation list (CRL) is a list of host ID-based digital security certificates that have been revoked before their expiration date. The hosts that own revoked certificates should no longer be trusted.
The NetBackup certificate revocation list conforms to the Certificate Revocation List profile that the Internet Engineering Task Force publishes in RFC 5280 at https://www.ietf.org. The NetBackup certificate authority signs the CRL. The NetBackup primary server is the certificate authority. The CRL is public and does not require secure transmission. The CRL endpoint is open, free for anyone to access.
Every NetBackup host must have a valid security certificate and a valid CRL so that it can communicate with other NetBackup hosts.
The NetBackup primary server generates a new CRL as follows:
- On startup.
- Sixty minutes after the CRL was last generated.
- NetBackup checks every 5 minutes for a newly revoked certificate, so it can take up to 5 minutes after a certificate is revoked before the web server serves an updated CRL.
A CRL expires after 7 days.
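The checks a host has to perform on a CRL of this kind (signature from the CA, freshness against nextUpdate, serial lookup) can be shown end to end with the Go standard library. The following is an added example written for this page, not NetBackup code: it stands up a throwaway CA in the role of the primary server, issues two host certificates, revokes one, signs an RFC 5280 CRL with the page's 7-day lifetime, and then evaluates each certificate the way a relying host would. All names (example-primary-ca, host-a, host-b) and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlLifetime mirrors the page: a CRL is valid for 7 days after it is generated.
const crlLifetime = 7 * 24 * time.Hour

// RevocationStatus is the outcome of checking a peer certificate against the CRL a host holds.
type RevocationStatus int

const (
	StatusGood         RevocationStatus = iota // not listed in a fresh, CA-signed CRL
	StatusRevoked                              // serial number appears in the CRL
	StatusCRLExpired                           // CRL is past nextUpdate; host must refresh before trusting anyone
	StatusCRLUntrusted                         // CRL does not parse or is not signed by the expected CA
)

// issueCA creates a self-signed CA with the CRLSign key usage (the primary server's role).
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-primary-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a host certificate with the given serial, signed by the CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildCRL signs a DER-encoded RFC 5280 CRL listing the revoked serials, valid for crlLifetime from now.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, now time.Time, number int64) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number), // CRL number must increase with each new CRL
		ThisUpdate:          now,
		NextUpdate:          now.Add(crlLifetime),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkAgainstCRL is the relying host's side: verify the CRL signature against the CA it trusts,
// refuse a stale CRL, then look the peer's serial number up in the revoked list.
func checkAgainstCRL(ca *x509.Certificate, crlDER []byte, cert *x509.Certificate, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusCRLUntrusted, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return StatusCRLUntrusted, err
	}
	if now.After(crl.NextUpdate) {
		return StatusCRLExpired, nil
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	ca, caKey, _ := issueCA()
	hostA, _ := issueLeaf(ca, caKey, 1001, "host-a") // constructed serials and names
	hostB, _ := issueLeaf(ca, caKey, 1002, "host-b")
	now := time.Now()
	crl, _ := buildCRL(ca, caKey, []*big.Int{hostB.SerialNumber}, now, 1)
	for _, c := range []*x509.Certificate{hostA, hostB} {
		st, _ := checkAgainstCRL(ca, crl, c, now)
		fmt.Printf("%s serial %s: status %d\n", c.Subject.CommonName, c.SerialNumber, st)
	}
	st, _ := checkAgainstCRL(ca, crl, hostA, now.Add(8*24*time.Hour))
	fmt.Printf("host-a checked 8 days later: status %d (CRL expired, refresh required)\n", st)
}
```

The expiry branch is the one worth noticing: once the 7-day lifetime has passed, the host has no usable answer for any peer, which is why the refresh schedule in the next section matters as much as revocation itself.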
A NetBackup host obtains a CRL when NetBackup is installed on the host. A NetBackup host also obtains a fresh CRL during an upgrade of the NetBackup software.
After installation or upgrade, each host requests a new CRL at a fixed interval, measured from when the host was started. (NetBackup uses a pull method to refresh host CRLs.) The certificate deployment security level of the NetBackup primary server determines the interval, as shown in the following table.
Table: CRL refresh interval

| Security level | CRL refresh interval |
|---|---|
| | Hourly |
| | 4 hours |
| | 8 hours |
See About NetBackup certificate deployment security levels.
You can get a new CRL before its scheduled refresh period.
See Refreshing the CRL on the primary server.
See Refreshing the CRL on a NetBackup host.