Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters
  3. Section I. Configurations
  4. Configurations
  5. Configuring an External Certificate Authority for Web UI port 443
Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Configuring an External Certificate Authority for Web UI port 443

During Cloud Scale installation, a Cloud Scale environment is configured to use a certificate issued by the NetBackup Certificate Authority for Web UI (port 443). The following sections provide the steps to replace the default certificate with an External Certificate Authority (ECA) on Cloud Scale.

Prerequisites

Ensure that all the following files are available and ready before proceeding:

  • ca.pem: A PEM-formatted file, containing the Root CA certificate from which the Web UI certificate was issued.

  • cert.pem: A PEM-formatted file, that includes the Web UI certificate chain, consisting of the leaf certificate and any intermediate CA certificates.

  • privatekey.pem: PKCS #8 PEM-formatted file, containing the encrypted private key for the Web UI certificate.

  • passphrase.txt,: A plaintext file, containing the passphrase used to encrypt the private key. Ensure that the plaintext file contains only a single line with the passphrase and does not end with a new line.

Basic sanity verification for ca.pem, cert.pem, privatekey.pem and passphrase.txt, files:

  1. Execute the following commands and ensure that the output of both the commands result in a matching value for cert.pem and privatekey.pem files:

    $ openssl x509 -noout -modulus -in cert.pem | openssl sha256

    $ openssl rsa -noout -modulus -in privatekey.pem -passin file:passphrase.txt | openssl sha256

  2. Check the validity of the certificate and presence of the primary server name in the certificate by executing the following command to list the certificate details:

    $ openssl x509 -text -in cert.pem -noout

    Verify the Not Before and Not After fields display the certificate is valid and has not expired. Confirm that the primary server name appears in the X509v3 Subject Alternative Name. If X509v3 Subject Alternative Name is missing, then confirm that the primary server name appears in the Subject as a CN.

  3. Execute the following command to verify that a complete certificate chain exists in cert.pem and ca.pem files:

    $ openssl verify -CAfile ca.pem -untrusted cert.pem cert.pem

    cert.pem: OK

Configuring an external certificate

Perform the steps described in the following procedure to configure external certificate for the first time.

Configure an external certificate for the first time

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.
  2. Execute the following commands to create the tpcredentials directory and copy the artifacts into the primary pod:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

    $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

    $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

    $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

  3. Execute the following commands to ensure the directory and files are created with correct ownership. Ensure that the owner has full permissions on the directory and files.

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chown -R nbwebsvc:nbwebgrp /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod u+rwx /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod -R u+rw /usr/openv/var/global/wsl/credentials/tpcredentials

  4. Restart the nbwsapp pod.

    Use the following commands to list all the pods from the namespace, then select the nbwsapp pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

  5. Use the following command to ensure that the nbwsapp pod is up and running:

    $ kubectl get pods -n <namespace> | grep nbwsapp

    <nbwsapp_pod_name>                        4/4     Running   0          9m44s
  6. Execute the following commands to create the keystore:

    $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

    $ cp /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

    Note:

    Ignore the following error message if displayed by the last command above:

    unable to write 'random state'

    $ ls -l /tmp/cert.p12

    -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

    $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

    $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12 -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass ${KEYSTORE_PASS}

    Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...
    Entry for alias eca successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

    keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importcert -alias ca -file /usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -keystore /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks -srcstorepass ${KEYSTORE_PASS} -deststorepass ${KEYSTORE_PASS}

  7. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately by using the following commands:

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Renewal or replacement of external certificate

Use the following steps to replace the existing external certificate with a new external certificate:

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.

  2. Execute the following commands to copy the new artifacts into the primary pod:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

    $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

    $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

    $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials/backup

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mv /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

  3. Execute the below commands to ensure the directory and files are created with correct ownership. Ensure that the owner has full permission on the directory and files.

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chown -R nbwebsvc:nbwebgrp /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod u+rwx /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod -R u+rw /usr/openv/var/global/wsl/credentials/tpcredentials

  4. Restart the nbwsapp pod.

    List all the pods from the namespace, select the nbwsapp pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

  5. Ensure that nbwsapp pod is up and running:

    $ kubectl get pods -n <namespace> | grep nbwsapp

    <nbwsapp_pod_name>                        4/4     Running   0          9m44s
    
  6. Execute the following commands to create the keystore:

    $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

    $ chmod 2750 /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

    $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

    Note:

    Ignore the following message from last command if it is seen:

    unable to write 'random state'

    $ ls -l /tmp/cert.p12

    -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

    $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

    $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12 -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass ${KEYSTORE_PASS}

    Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...
    Entry for alias eca successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

  7. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Removing the external certificate

Perform the following steps to remove the external certificate for the Web UI (port 443) and replace it with the NetBackup Certificate Authority issued certificate:

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.

  2. Execute the following commands to remove the ECAs:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -rf /usr/openv/var/global/wsl/credentials/tpcredentials

  3. Restart the requestrouter pod.

    List all of the pods from the namespace, select the requestrouter pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Note:

No certificate configuration is required after completing a disaster recovery of the Cloud Scale environment, as the process automatically restores external certificates.

Feedback

Was this page helpful?
Previous

Configuring the cloudscale-values.yaml file

Next

Loading docker images

Feedback

Was this page helpful?