Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context
When NetBackup services are running in Local Service account context, the services need to have read access to the private key. NetBackup updates permissions of the private key during certificate enrollment so that NetBackup services have read access to the private key.
To set the permissions, the Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) that holds the certificate's private key must support security descriptors.
To check whether the provider supports security descriptors, run the following command:
nbcertcmd -ecaHealthCheck -serviceUser LocalService
Refer to the NetBackup Commands Reference Guide for more details on the command-line options.
If security descriptors are not supported by the provider, you need to use a provider that supports security descriptors or use an administrator account to run NetBackup services.
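An added example (not NetBackup's own tooling) that inspects a deployed certificate in the same terms as the check above: it reports the provider holding the private key and whether NT AUTHORITY\LOCAL SERVICE has read access on it, which is what enrollment sets up. It assumes $Thumbprint is the thumbprint of the enrolled certificate in LocalMachine\My and an elevated Windows PowerShell session on the NetBackup host.

```powershell
# Added example, not NetBackup code: report which provider holds a certificate's
# private key and whether LOCAL SERVICE (S-1-5-19) is granted read access on it.
# Assumes $Thumbprint names the enrolled certificate in LocalMachine\My.
param([string]$Thumbprint)

$localService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'
$readMask = [System.Security.AccessControl.CryptoKeyRights]'ReadData, GenericRead, GenericAll'

function Test-ReadRights([System.Security.AccessControl.CryptoKeyRights]$rights) {
    # ReadData, GenericRead or GenericAll each lets a principal read the key.
    return ([int]($rights -band $readMask)) -ne 0
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$hasRead = $false

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key (KSP): the DACL is exposed as the "Security Descr" key property;
    # a KSP without security-descriptor support fails on this call.
    $provider = "KSP: $($rsa.Key.Provider.Provider)"
    $daclInfo = [System.Security.Cryptography.CngPropertyOptions]4   # DACL_SECURITY_INFORMATION
    try { $sdBytes = $rsa.Key.GetProperty('Security Descr', $daclInfo).GetValue() }
    catch { throw "Provider does not expose a security descriptor for this key: $_" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $localService -and
            (Test-ReadRights ([System.Security.AccessControl.CryptoKeyRights]$ace.AccessMask))) {
            $hasRead = $true
        }
    }
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CSP key: .NET exposes the key container DACL as CryptoKeySecurity.
    $info = $rsa.CspKeyContainerInfo
    $provider = "CSP: $($info.ProviderName)"
    try { $rules = $info.CryptoKeySecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) }
    catch { throw "Provider does not expose a security descriptor for this key: $_" }
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference -eq $localService -and
            (Test-ReadRights $rule.CryptoKeyRights)) {
            $hasRead = $true
        }
    }
} else {
    throw "Unsupported or non-RSA private key type: $($rsa.GetType().FullName)"
}

[pscustomobject]@{ Thumbprint = $Thumbprint; Provider = $provider; LocalServiceRead = $hasRead }
```

The script only checks ACEs granted directly to LOCAL SERVICE, so a grant that arrives through group membership is reported as missing.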
To change your provider, you need to re-deploy your certificate. The provider cannot be changed once the certificate is deployed. Providers that support security descriptors include Microsoft Software Key Storage Provider, Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Enhanced RSA and AES Cryptographic Provider and Microsoft Strong Cryptographic Provider, among others.
If you have a PFX file, you can re-import it to change the provider:
- Remove the certificate and private key from the Windows Certificate Store.
- Import the PFX file using the certutil command (quote the provider name, since it contains spaces):
C:\Windows\System32\certutil.exe -importPfx -csp "<provider name>" <pfxfile>
For an ADCS-deployed certificate, change the provider in the certificate template and then deploy the certificate again.
Depending on the configuration, you can also select a provider while requesting a new certificate.
To run NetBackup services under an administrator account instead, run the following command:
nbserviceusercmd.exe -changeUser
Refer to the NetBackup Commands Reference Guide for more details on the command-line options.