© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Web UI Administrator's Guide

Certificate revocation lists for CyberArk server

A certificate revocation list (CRL) for an external certificate authority (CA) contains a list of digital certificates that the external CA has revoked before their scheduled expiration date and that should no longer be trusted. NetBackup supports the PEM and DER formats for external CA CRLs. The CRLs for all CRL issuers or external CAs are stored in the NetBackup CRL cache that resides on each host. During secure communication, the NetBackup host verifies the revocation status of the peer host's external certificate against the CRL that is available in the NetBackup CRL cache, based on the CRL check level configuration option. For an external CMS server, NetBackup supports server certificates that are based on a CRL distribution point (CDP).

NetBackup downloads the CRLs from the URLs that are specified in the peer host certificate's CDP and caches them in the NetBackup CRL cache.

To use CRLs from CDP:

  • Ensure that the host can access the URLs that are specified in the peer host's CDP.

  • Ensure that the CRL check level configuration option is set to a value other than DISABLE.

By default, CRLs are downloaded from the CDP every 24 hours and updated in the CRL cache. To change the time interval, set the ECA_CRL_REFRESH_HOURS configuration option to a different value. To manually delete the CRLs from the CRL cache, run the nbcertcmd -cleanupCRLCache command. The NetBackup CRL cache contains only the latest copy of a CRL for each CA (including root and intermediate CAs). The bpclntcmd -crl_download service updates the CRL cache during host communication in the following scenarios, irrespective of the time interval that is set for the ECA_CRL_REFRESH_HOURS option:

  • When CRLs in the CRL cache are expired.

  • If CRLs are available in the CRL source, but they are missing from the CRL cache.

For details about ECA_CRL_REFRESH_HOURS, refer to the "ECA_CRL_REFRESH_HOURS for NetBackup servers and clients" section in the NetBackup Security and Encryption Guide.
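The refresh rules above can be checked against a CRL file directly. The following added example (not NetBackup code; all function names and the sample CRL are constructed for illustration) reads thisUpdate and nextUpdate from a PEM or DER CRL and models the documented download triggers, with `refresh_hours` standing in for ECA_CRL_REFRESH_HOURS.

```python
import base64
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def to_der(data):
    """Accept both CRL encodings the page names: PEM and DER."""
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        body = [l for l in data.splitlines() if not l.strip().startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data

def crl_times(data):
    """Return (thisUpdate, nextUpdate or None) from a PEM or DER CRL."""
    tbs = read_tlv(read_tlv(to_der(data))[1])[1]  # CertificateList -> TBSCertList
    times, pos = [], 0
    while pos < len(tbs):  # top-level fields only: dates nested in revoked entries are skipped
        tag, val, pos = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):  # UTCTime / GeneralizedTime
            s = val.decode("ascii")
            if tag == 0x17:  # RFC 5280: two-digit year >= 50 means 19YY, else 20YY
                s = ("19" if s[:2] >= "50" else "20") + s
            times.append(datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc))
    return times[0], (times[1] if len(times) > 1 else None)

def needs_download(cached, fetched_at, now, refresh_hours=24):
    """Model of the documented triggers; missing and expired override the interval."""
    if cached is None:
        return "missing"
    next_update = crl_times(cached)[1]
    if next_update is not None and next_update <= now:
        return "expired"
    return "interval" if now - fetched_at >= timedelta(hours=refresh_hours) else None

# Minimal DER encoder, used only to build the constructed sample (values < 256 bytes).
def tlv(tag, v): return bytes([tag]) + (bytes([len(v)]) if len(v) < 128 else bytes([0x81, len(v)])) + v

def sample_crl(this_update, next_update):
    """Constructed v2 CRL with two revoked serials and dummy signature bytes."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed Test CA"))))
    revoked = tlv(0x30, b"".join(tlv(0x30, tlv(0x02, bytes([0x10, i])) + tlv(0x17, b"240101000000Z")) for i in (1, 2)))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, this_update) + tlv(0x17, next_update) + revoked)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
```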

Note:

By default, the ECMS_HOSTS_SECURE_CONNECT_ENABLED flag is enabled (set to true). If this flag is enabled, the certificate that is deployed on the external CMS server must have a Common Name or Subject Alternative Name that matches the host name of the external CMS server. Otherwise, the connection to the external CMS server fails. For more information, see the ECMS_HOSTS_SECURE_CONNECT_ENABLED section in the NetBackup™ Administrator's Guide, Volume I.
