Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Updating database certificate in DBaaS

Create a Secret containing the DBaaS CA certificates. NetBackup version 10.4 and later stores the database certificate in the db-cert configMap instead of a KeyVault/SecretsManager secret. The db-cert configMap is created by trust manager.

Note the following:

  • Skip the steps in this section when using containerized Postgres.

  • The steps in this section are only required for upgrading from 10.4 and 10.4.0.1 (non-decoupled services) to 10.5 and above (decoupled services).

  • Upgrade from embedded to DBaaS is not supported.

  1. Create the Secret containing the DBaaS CA certificates:

    • AKS-specific:

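      # Local paths for the downloaded roots and the combined bundle
      DIGICERT_ROOT_CA='/tmp/root_ca.pem'
      DIGICERT_ROOT_G2='/tmp/root_g2.pem'
      MS_ROOT_CRT='/tmp/ms_root.crt'
      COMBINED_CRT_PEM='/tmp/tls.crt'

      DIGICERT_ROOT_CA_URL="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
      DIGICERT_ROOT_G2_URL="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem"
      # This URL is plain HTTP: check the certificate fingerprint against a trusted source before use
      MS_ROOT_CRT_URL="http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt"

      # --fail stops curl from saving an HTTP error page as a certificate
      curl --fail "${DIGICERT_ROOT_CA_URL}" --output "${DIGICERT_ROOT_CA}"
      curl --fail "${DIGICERT_ROOT_G2_URL}" --output "${DIGICERT_ROOT_G2}"
      curl --fail "${MS_ROOT_CRT_URL}" --output "${MS_ROOT_CRT}"

      # Convert the Microsoft root from DER to PEM (overwrites any existing bundle), then append the DigiCert roots
      openssl x509 -inform DER -in "${MS_ROOT_CRT}" -out "${COMBINED_CRT_PEM}" -outform PEM
      cat "${DIGICERT_ROOT_CA}" "${DIGICERT_ROOT_G2}" >> "${COMBINED_CRT_PEM}"

      # --from-file stores the bundle under the key tls.crt (the file's base name)
      kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file "${COMBINED_CRT_PEM}"
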
    • EKS-specific:

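      # Local paths for the RDS trust bundle and the proxy root certificate
      TLS_FILE_NAME='/tmp/tls.crt'
      PROXY_FILE_NAME='/tmp/proxy.pem'

      # Remove leftovers from an earlier run so the bundle is rebuilt from scratch
      rm -f "${TLS_FILE_NAME}" "${PROXY_FILE_NAME}"

      DB_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
      DB_PROXY_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"

      # --fail stops curl from saving an HTTP error page as a certificate
      curl --fail "${DB_CERT_URL}" --output "${TLS_FILE_NAME}"
      curl --fail "${DB_PROXY_CERT_URL}" --output "${PROXY_FILE_NAME}"

      # Append the proxy root to the RDS bundle
      cat "${PROXY_FILE_NAME}" >> "${TLS_FILE_NAME}"

      # --from-file stores the bundle under the key tls.crt (the file's base name)
      kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file "${TLS_FILE_NAME}"
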
  2. Restart the primary pod using the following command:

    kubectl rollout restart "statefulset/${PRIMARY}" --namespace "${NAMESPACE}"
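
The bundle built in step 1 becomes the trust anchor for the database TLS connection, and one of the AKS downloads uses plain HTTP. The following is an added example, not part of the vendor procedure: a POSIX shell check for /tmp/tls.crt that prints the SHA-256 fingerprint of every certificate in the bundle and compares the set with pinned values. The function names and the pins file (one lowercase hex fingerprint per line, obtained out of band from each CA) are assumptions, and the script assumes base64 and sha256sum from GNU coreutils.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes POSIX sh, base64 and sha256sum.

# Print the SHA-256 fingerprint (hash of the DER bytes) of every PEM
# certificate in bundle $1, one per line. Fails on an empty file, on
# unbalanced BEGIN/END markers and on a body that is not valid base64,
# e.g. an HTML error page that curl saved in place of a certificate.
bundle_fingerprints() {
  [ -s "$1" ] || { echo "empty or missing bundle: $1" >&2; return 1; }
  tr -d '\r' < "$1" | (
    in_cert=0; count=0; body=
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        '-----BEGIN CERTIFICATE-----')
          [ "$in_cert" -eq 0 ] || { echo "nested BEGIN marker" >&2; exit 1; }
          in_cert=1; body= ;;
        '-----END CERTIFICATE-----')
          [ "$in_cert" -eq 1 ] || { echo "END without BEGIN" >&2; exit 1; }
          printf '%s' "$body" | base64 -d >/dev/null 2>&1 ||
            { echo "certificate $((count + 1)): invalid base64" >&2; exit 1; }
          printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
          in_cert=0; count=$((count + 1)) ;;
        *)
          if [ "$in_cert" -eq 1 ]; then body=$body$line; fi ;;
      esac
    done
    [ "$in_cert" -eq 0 ] && [ "$count" -gt 0 ] ||
      { echo "no complete certificate in bundle" >&2; exit 1; }
  )
}

# Succeed only if the bundle's fingerprint set equals the pinned set in
# file $2 (hypothetical format: one lowercase hex SHA-256 per line).
verify_bundle() {
  got=$(bundle_fingerprints "$1") || return 1
  got=$(printf '%s\n' "$got" | sort -u)
  want=$(grep -v '^[[:space:]]*$' "$2" | sort -u)
  [ -n "$want" ] || { echo "no pinned fingerprints in $2" >&2; return 1; }
  [ "$got" = "$want" ] || { echo "fingerprint mismatch for $1" >&2; return 1; }
}

# Usage between the downloads and `kubectl create secret` (pins path assumed):
#   verify_bundle /tmp/tls.crt ./pinned-roots.sha256 || exit 1
```

The check is strict in both directions: a certificate in the bundle that is not pinned fails it, and so does a pinned certificate missing from the bundle.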
