Configuring rotation of external CA-issued certificates for host communication
Rotation of external CA-signed certificates can now be configured using the NetBackup web UI and APIs.
This operation can be performed by a security administrator or a user with appropriate RBAC permissions. It is used to rotate external CA-issued certificates for BYO, Flex (including WORM containers), NetBackup Appliance, NetBackup Snapshot Manager hosts, and clustered primary server setups.
The operation is audited.
ECA - External certificate authority
Certificate artifacts - the set of certificates and associated information that a host requires for secure communication. Certificate artifacts include:
Certificate chain
Private key
Trust store
Passphrase (for an encrypted private key)
CRL check level (default: LEAF)
External CA-issued certificate rotation is not supported for NetBackup Cloud Scale and NetBackup Flex Scale.
If a host is configured to use Windows Certificate Store, it starts using file-based certificates after certificate renewal.
Perform certificate rotation only while the host is in maintenance mode; otherwise, backup or restore jobs may fail.
Migration from NetBackup CA to external CA is not supported using these APIs.
Ensure that external certificates are already enrolled on the host before you configure certificate rotation.
A host can be rotated using the web UI or APIs only if it already has a valid external certificate enrolled.
The new certificate must have the same subject name as the certificate currently configured on the host. The exception is when the externalCertificateIdentityField setting is enabled: in that case the subject name can differ, but the common name (CN) must be the same.
Only CDP (the CRL distribution point embedded in the certificate) is supported as the CRL check method for the certificate.
If the CRL check level is not DISABLE, the upload of external certificate artifacts fails when the CRL is not accessible from the primary server.
If the CRLs are not accessible from the host, the host may be unable to connect to the primary server after the certificate artifacts are uploaded, and the rotation can get stuck in an intermediate state.
Set the CRL check level to DISABLE if the certificate does not contain a valid CDP URL, or if the CDP is not accessible from the host or from the primary server.
The certificate chain must be smaller than 40 KB; otherwise, the rotation may fail during validation.
Using the NetBackup web UI, you upload the certificate artifacts for a host. The rotation itself is triggered when the client host next performs its periodic loginwithcert call to the primary server, which happens every 24 hours. This starts the following sequence of steps on the host:
Downloading the certificate artifacts by the client
Performing validation of artifacts in a dry run with the primary server
Moving the files to the final location
Updating the configuration
The primary server retains the uploaded artifacts for 30 days. They are deleted earlier than that if they are successfully downloaded and applied on the client host.
When the renewal process is complete, the certificate artifacts are automatically cleaned up. If a host does not connect to the primary server within 30 days, the artifacts for that host are cleaned up from the primary server.
You can check the current state of the certificate rotation process in the Renewal status column of the External certificates tab.
See View certificate renewal status for a host.
Flex deployments only support certificate artifacts in PEM X509 format.
The upload option is not available for back-level hosts or for hosts that do not have ECA configured.
If the domain is in FIPS mode, ensure that the certificate artifacts are FIPS compliant, for example that the certificate formats and key sizes meet FIPS requirements.
The certificate artifacts are stored in the CMS on the primary server. After they are downloaded to a host, they are stored at the following locations on that host:
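The prerequisites above (matching subject or common name, chain under 40 KB, PEM encoding, a private key that matches the leaf, and a CRL check level that fits the certificate's CDP) can be verified on the host before the artifacts are uploaded, so that the rotation does not fail during validation or hang in an intermediate state. The following pre-flight script is an added example and is not NetBackup code; it assumes only the openssl command-line tool (1.1.1 or later) and that the operator supplies the path of the host's currently enrolled external certificate, which varies per deployment. The function names are ours, not a NetBackup interface.

```shell
#!/bin/sh
# Pre-upload checks for ECA certificate artifacts (added example, not NetBackup code).
# Assumes: openssl CLI on PATH; caller supplies the new chain, its private key,
# the optional passphrase file, and the certificate currently enrolled on the host.
set -u

MAX_CHAIN_BYTES=40960   # the chain must stay under 40 KB or validation may fail

# check_chain_size CHAIN_PEM : succeeds when the chain file is under 40 KB
check_chain_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -lt "$MAX_CHAIN_BYTES" ]
}

# check_pem CHAIN_PEM : succeeds when the chain is PEM-encoded (the only format Flex accepts)
check_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# leaf_subject CERT_PEM : prints the RFC 2253 subject of the first certificate in the file
leaf_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# leaf_cn CERT_PEM : prints only the CN attribute of that subject
leaf_cn() {
    leaf_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_same_identity NEW_CHAIN CURRENT_CERT [cn]
# Compares the full subject by default. With a third argument of "cn" only the
# common name is compared, which is the rule when externalCertificateIdentityField is enabled.
check_same_identity() {
    if [ "${3:-}" = "cn" ]; then
        [ "$(leaf_cn "$1")" = "$(leaf_cn "$2")" ]
    else
        [ "$(leaf_subject "$1")" = "$(leaf_subject "$2")" ]
    fi
}

# check_key_matches CHAIN_PEM KEY_PEM [PASSPHRASE_FILE]
# Succeeds when the private key belongs to the leaf certificate. The optional
# passphrase file unlocks an encrypted key, mirroring the passphrase artifact.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    if [ -n "${3:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# has_cdp CERT_PEM : succeeds when the leaf carries a CRL Distribution Points URI
has_cdp() {
    openssl x509 -in "$1" -noout -text \
        | awk '/CRL Distribution Points/{n=5} n>0{print; n--}' \
        | grep -q 'URI:'
}

# recommended_crl_level CERT_PEM : LEAF (the default) when a CDP URI is present,
# otherwise DISABLE, since a CRL check cannot succeed without a CDP to fetch from
recommended_crl_level() {
    if has_cdp "$1"; then echo LEAF; else echo DISABLE; fi
}

# preflight NEW_CHAIN KEY_PEM CURRENT_CERT [PASSPHRASE_FILE]
# Runs every check, reports failures, and prints the CRL check level to configure.
preflight() {
    rc=0
    check_chain_size "$1" || { echo "FAIL: chain is 40 KB or larger"; rc=1; }
    check_pem "$1" || { echo "FAIL: chain is not PEM-encoded"; rc=1; }
    check_same_identity "$1" "$3" || { echo "FAIL: subject differs from the current certificate"; rc=1; }
    check_key_matches "$1" "$2" "${4:-}" || { echo "FAIL: private key does not match the leaf"; rc=1; }
    echo "CRL check level to configure: $(recommended_crl_level "$1")"
    return $rc
}
```

Run preflight with the new chain, its key, the currently enrolled certificate and, for an encrypted key, the passphrase file; a non-zero exit means at least one of the upload prerequisites is not met. Note that this only checks that a CDP URI is present, not that the host and the primary server can actually reach it; a reachability test from both systems is still needed before leaving the CRL check level at LEAF.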
For a clustered primary server host (virtual):
CA certificate path - Install_Path/var/global/vxss/
Certificate chain, private key, passphrase path - Install_Path/var/global/vxss/credentials/ecaartifacts/
For other hosts (including nodes of clustered primary server):
CA certificate path - Install_Path/var/vxss/
Certificate chain, private key, passphrase path - Install_Path/var/vxss/credentials/ecaartifacts/