Troubleshooting issues with external CA-signed certificate revocation
The NetBackup CRL cache is updated with the required CRLs using either ECA_CRL_PATH or CDPs.
For more details, refer to the About certificate revocation lists for external CA chapter from the NetBackup Security and Encryption Guide.
The certificate revocation list is unavailable (NetBackup status code 5982)

Cause: NetBackup is not configured with the correct CRL path, or the certificate does not contain a valid CDP. As a result, the host does not have a CRL cached in the NetBackup CRL cache.
Solution:
- If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure the following:
  - ECA_CRL_PATH has the correct CRL directory path.
  - The CRL directory contains CRLs for all required certificate issuers (based on the ECA_CRL_CHECK setting).
- If CDPs are used (ECA_CRL_PATH is not specified), ensure the following:
  - The certificate has at least one CDP (with the HTTP or HTTPS protocol) that points to a CRL that includes revocation information for all reasons.
  - The CDP URL is accessible.
- Ensure that the CRL in the directory specified for ECA_CRL_PATH, or at the CDP location, is valid:
  - The CRL is in PEM or DER format.
  - The CRL is not expired.
  - The CRL is not a delta CRL.
  - The CRL's last update date is not in the future.
- If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.
- Verify that the required CRLs are available in the NetBackup CRL cache at the following location:
  - UNIX: /usr/openv/var/vxss/crl
  - Windows: install_path\NetBackup\var\vxss\crl
- If the issue persists, examine the bpclntcmd logs at the following location:
  - UNIX: /usr/openv/netbackup/logs/bpclntcmd
  - Windows: install_path\NetBackup\logs\bpclntcmd
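Added example, not code from NetBackup or this guide: it applies the CRL file checks listed above (PEM or DER format, not expired, not a delta CRL, last update not in the future) with the third-party Python 'cryptography' package, so a CRL can be screened before it is placed in the ECA_CRL_PATH directory. The sample CRLs it signs with a throwaway key are constructed test data, and the CDP URL check is not covered.

```python
# Added example (not NetBackup code): the CRL checks listed above, via the third-party 'cryptography' package.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)  # fixed reference time for the constructed samples

def _aware(crl, attr):
    """Read last_update/next_update as an aware UTC datetime across cryptography versions."""
    value = getattr(crl, attr + "_utc", None) or getattr(crl, attr)  # the *_utc properties exist from 42.0
    return value.replace(tzinfo=dt.timezone.utc) if value and not value.tzinfo else value

def load_crl(data: bytes) -> x509.CertificateRevocationList:
    """NetBackup accepts PEM or DER; anything else raises ValueError."""
    try:
        return x509.load_pem_x509_crl(data)
    except ValueError:
        return x509.load_der_x509_crl(data)

def crl_problems(data: bytes, now=None) -> list:
    """Return the reasons NetBackup would not use this CRL (an empty list means it passes these checks)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        crl = load_crl(data)
    except ValueError:
        return ["CRL is neither PEM nor DER"]
    problems = []
    nxt = _aware(crl, "next_update")
    if nxt is not None and nxt < now:
        problems.append("CRL is expired")
    if _aware(crl, "last_update") > now:
        problems.append("CRL last update date is in the future")
    try:  # a delta CRL carries the Delta CRL Indicator extension (2.5.29.27)
        crl.extensions.get_extension_for_oid(ExtensionOID.DELTA_CRL_INDICATOR)
        problems.append("CRL is a delta CRL")
    except x509.ExtensionNotFound:
        pass
    return problems

def make_sample_crl(last_days: int, next_days: int, delta: bool = False) -> bytes:
    """Constructed test data: a DER CRL signed by a throwaway key, dated relative to NOW."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    builder = x509.CertificateRevocationListBuilder().issuer_name(issuer)
    builder = builder.last_update(NOW + dt.timedelta(days=last_days)).next_update(NOW + dt.timedelta(days=next_days))
    if delta:
        builder = builder.add_extension(x509.DeltaCRLIndicator(1), critical=True)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
```

To screen a real file, pass its bytes to crl_problems() without a `now` argument; a non-empty list names the condition NetBackup would reject.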
NetBackup continues to function normally even though the certificate is revoked, or NetBackup operations fail with the error 'certificate is revoked' even though the certificate is not revoked

Cause: The NetBackup host's CRL cache is not updated.
Solution:
- Verify that the CRLs at the following location are up to date:
  - UNIX: /usr/openv/var/vxss/crl
  - Windows: install_path\NetBackup\var\vxss\crl
  If they are not, clean up the cached CRLs for the issuers in the certificate chain as per the ECA_CRL_CHECK setting. For the cleanup operation, use the nbcertcmd -cleanupCRLCache -issuerHash SHA-1_hash_of_CRL_issuer_name command.
- If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure that the directory contains the latest CRLs for all the required issuers.
- If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.