Manually migrating NetBackup CA after installation or upgrade
With a fresh NetBackup installation or upgrade, a new root CA with 2048-bit key strength is deployed by default. However, if you want to use a CA with a different key size or move to a new CA after installation or upgrade, you should manually initiate the CA migration process.
To migrate NetBackup CA after installation or upgrade
- Run the following command to initiate the CA migration process:
nbseccmd -nbcaMigrate -initiateMigration -keysize key_value
A new NetBackup CA is deployed with this command.
For information about commands, see the NetBackup Commands Reference Guide.
- Run the following command to reissue certificates to the host.
nbcertcmd -reissueCertificates
- Stop the NetBackup Web Management Console (nbwmc) service before reissuing the certificate to the NetBackup web server.
- Run the following command to reissue the certificate to the NetBackup web server:
configureCerts -renew_webserver_keys
- Start the nbwmc service.
- Run the following command to ensure that all hosts have the new CA certificates in their trust stores.
nbseccmd -nbcaMigrate -hostsPendingTrustPropagation
- Ensure that the command returns zero (0) hosts as the output.
- Run the following command to activate the new CA, so that it can start issuing NetBackup certificates going forward:
Warning: If one or more NetBackup hosts are at 8.2 or earlier versions, backups of such hosts fail after activation. Therefore, you must ensure that all NetBackup hosts in the domain are upgraded to 8.3 before activating the new CA.
nbseccmd -nbcaMigrate -activateNewCA
- Run the following command to renew host certificates using the new CA.
nbcertcmd -renewCertificate
- Run the following command to ensure that all hosts have certificates that the new CA has renewed:
nbseccmd -nbcaMigrate -hostsPendingRenewal
Ensure that the command returns zero (0) hosts as the output.
- Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
- Run the following command to complete the CA migration process:
nbseccmd -nbcaMigrate -completeMigration
- After completing the NetBackup CA migration process and ensuring that the hosts use certificates that the new CA has issued, you can safely decommission the old NetBackup CA.
This clean-up task is optional.
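The two "zero (0) hosts" checks in this procedure can be enforced rather than read by eye. The following wrapper is an added example, not part of the NetBackup documentation or product: it runs -activateNewCA and -completeMigration only when the matching pending-hosts query lists nothing. It assumes a POSIX shell with nbseccmd on the PATH and that the queries print one pending host per line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate the activation and completion steps on the pending-host checks.
# ASSUMPTION: the -hostsPending* queries print one pending host per line and no
# non-blank lines when nothing is pending. If the real output carries a header
# or summary line, the gate refuses to proceed (fails closed) until
# count_pending is adjusted to that format.

# Count non-blank lines on stdin.
count_pending() {
    grep -c '[^[:space:]]' || true
}

# gate QUERY_FLAG ACTION_FLAG: run "nbseccmd -nbcaMigrate ACTION_FLAG" only
# when "nbseccmd -nbcaMigrate QUERY_FLAG" succeeds and lists no hosts.
gate() {
    query=$1 action=$2
    out=$(nbseccmd -nbcaMigrate "$query") || {
        echo "query $query failed; not running $action" >&2
        return 2
    }
    pending=$(printf '%s\n' "$out" | count_pending)
    if [ "$pending" -ne 0 ]; then
        echo "$pending host(s) still listed by $query; not running $action" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    nbseccmd -nbcaMigrate "$action"
}

activate_new_ca()    { gate -hostsPendingTrustPropagation -activateNewCA; }
complete_migration() { gate -hostsPendingRenewal -completeMigration; }

# Optional command-line entry: "script activate" or "script complete".
case "${1:-}" in
    activate) activate_new_ca ;;
    complete) complete_migration ;;
esac
```

The version check from the warning (all hosts at 8.3 before activation) is not covered by this gate and still has to be confirmed separately.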