How a host's CRL affects certificate revocation troubleshooting
Each NetBackup host obtains a fresh certificate revocation list periodically. When a host's certificate revocation list is up-to-date, job failure messages and status codes are accurate and dependable. Likewise, NetBackup audit messages are accurate and dependable.
However, if the CRL is not up-to-date, job failures may appear as network errors. You may need to examine more than the NetBackup job details and command output to isolate the error.
Each NetBackup host learns about new certificate revocations only when its CRL is refreshed.
The CRL on the primary server is generated every 60 minutes or within 5 minutes of a revocation. Conversely, the interval at which other NetBackup hosts request a new CRL from the primary server may be longer.
The Security level for certificate deployment setting determines the CRL refresh interval for all NetBackup hosts. Although all NetBackup hosts update their CRLs on the same time interval, when each host requests a new CRL varies.
Verify the global security settings. To verify these settings open the NetBackup web UI. At the top right, click .
If a NetBackup host is configured to use CRLs from the path that is specified for the ECA_CRL_PATH configuration option, CRLs are refreshed as per ECA_CRL_PATH_SYNC_HOURS.
If the NetBackup host is configured to download CRLs from CDPs, CRLs are refreshed as per ECA_CRL_REFRESH_HOURS.
For more information about external certificate configuration options for CRLs and the global security settings, see the NetBackup Security and Encryption Guide.