Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Upgrade Guide
  5. Appendix A. Reference
  7. Previous upgrade operational notes and limitations
  9. Generate a certificate on the inactive nodes of a clustered primary server
NetBackup™ Upgrade Guide

Generate a certificate on the inactive nodes of a clustered primary server

After finishing a clustered primary server installation or upgrade, you must generate a certificate on all inactive nodes. This procedure is required for backups and restores of the inactive node of the cluster to succeed.

Generating the certificate on the inactive nodes in a clustered primary server

Note:

Unless otherwise indicated, all commands are issued from the inactive node

  1. (Conditional) Add all inactive nodes to the cluster.

    If all the nodes of the cluster are not currently part of the cluster, start by adding them to the cluster. Please consult with your operating system cluster instructions for assistance with this process.

  2. Run the nbcertcmd command to store the Certificate Authority certificate on the inactive node.

    Linux: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate

    Windows: install_path\NetBackup\bin\nbcertcmd -getCACertificate

  3. Run the nbcertcmd command to generate the host certificate on the inactive node.

    nbcertcmd -getCertificate

  4. (Conditional) If the nbcertcmd -getCertificate command fails with an error message indicating that a token is needed, you need a token from the Certificate Authority. Use the steps that are shown to get and correctly use the token.

    • On the active node, use the bpnbat command as shown to authorize the necessary changes. When you are prompted for the authentication broker, enter the virtual server name, not the local node name. 


      bpnbat -login -loginType WEB

    • On the active node, use the nbcertcmd command to create a token.

      nbcertcmd -createToken -name token_name

      The token name is not important to this procedure. When the command runs, it displays the token string value. Note this value as it is necessary for the next command.

    • On the inactive node, use the authorization token with the nbcertcmd command to store the host certificate.

      nbcertcmd -getCertificate -token

      This command prompts you for the token string value. Enter the token string from the nbcertcmd -createToken command.

Additional information about certificates is available. Please see the section on deploying certificates on primary server nodes in the NetBackup Security and Encryption Guide.

Feedback

Was this page helpful?
Previous

Move the NetBackup database from any btrfs file systems

Next

Notifications, Messages, and Resiliency configuration information are not upgraded

Feedback

Was this page helpful?