NetBackup™ Security and Encryption Guide

How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation

The following diagram illustrates how NetBackup CA-signed certificates are deployed on hosts during installation:

NetBackup certificate deployment occurs in the following order:

  1. A NetBackup certificate is automatically deployed on the NetBackup primary server during installation. The primary server is the NetBackup CA.

  2. A NetBackup certificate is deployed on Host 1 during installation after confirming the CA fingerprint that is made available by the installation wizard or the script.

    An authorization token is not required because the certificate deployment security level on the primary server is set to High and Host 1 is known to the primary server.

    Note:

    A fingerprint is used to authenticate the CA of the primary server before it is added to the trust store of a host. The primary server administrator communicates the CA fingerprint to the host administrators by email or file, or publishes it on a website.

    Note:

    An authorization token is used as a mechanism to authorize a host's certificate request that is sent to the NetBackup primary server. An authorization token is confidential and only the primary server administrator can create it. The primary server administrator then passes it on to the administrator of the host where you want to deploy a certificate. A reissue token is a special authorization token that is used to redeploy a certificate on a host to which a certificate was previously issued.

    If you continued with the NetBackup installation without confirming the primary server fingerprint, you need to carry out manual steps before backups and restores can occur.

    https://support.cohesity.com/s/article/article-100039650

  3. A NetBackup certificate is deployed on Host 2 during installation after the primary server fingerprint is confirmed. An authorization token is required, because the certificate deployment security level on the primary server is set to High and Host 2 is not known to the primary server.
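
The fingerprint confirmation described in step 2 can be made precise with a small check. The following Python example is added here for illustration and is not NetBackup code or tooling. The function names are hypothetical, the sample PEM is constructed (not a real certificate), and the hash algorithm is assumed to be SHA-1 or SHA-256, inferred from the length of the value received out of band.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a CA certificate in PEM form. The payload is NOT a
# real X.509 certificate; a fingerprint is a hash over the decoded DER bytes,
# so any bytes serve to demonstrate the comparison.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed stand-in for CA certificate DER bytes").decode()
    + "-----END CERTIFICATE-----\n"
)

# Digest length in hex characters -> algorithm (assumption: SHA-1 or SHA-256).
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the first certificate body from PEM text."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex fingerprint of the certificate's DER bytes."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def confirm_ca_fingerprint(presented_pem: str, out_of_band: str) -> bool:
    """True only if the presented CA certificate hashes to the full fingerprint
    received out of band. Separators and case are ignored; a truncated or
    malformed value is rejected, never prefix-matched."""
    expected = re.sub(r"[\s:]", "", out_of_band).lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", expected):
        return False
    actual = hashlib.new(algo, pem_to_der(presented_pem)).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("SHA-256 fingerprint:", fingerprint(SAMPLE_CA_PEM))
    print("confirmed:", confirm_ca_fingerprint(SAMPLE_CA_PEM, fingerprint(SAMPLE_CA_PEM)))
```

The comparison requires the complete digest, so a shortened fingerprint copied from an email preview does not pass as a match.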

The host-ID based certificate is generated using the encrypted private key for all the hosts.

The private key of the NetBackup certificate is stored in an encrypted format using AES_256_CBC encryption. The password that is used to encrypt the private keys is stored in file storage and is encrypted using AES_256_GCM encryption.

NetBackup form factors such as NetBackup Appliance, NetBackup Flex, NetBackup Flex Scale, and NetBackup Scale Out are fully secured on disk using the host-ID based certificate. ITA Data Collector 11.4.03 enables the consumption of the encrypted private keys. For successful data collection from a NetBackup 10.4.1 primary server, the ITA Data Collector must be 11.4.03 or later if the collection method is set to the Data Collector installed on NetBackup Primary Server option.

Older versions of ITA Data Collector can collect data if the collection method uses the SSH or WMI protocol to communicate with the NetBackup primary server.
