© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Web UI Administrator's Guide

Configuring rotation of external CA-issued certificates for host communication

Rotation of external CA-signed certificates can now be configured using the NetBackup web UI and APIs.

This operation can be performed by a security administrator or a user with appropriate RBAC permissions. It is used to rotate external CA-issued certificates for BYO, Flex (including WORM containers), NetBackup Appliance, NetBackup Snapshot Manager hosts, and clustered primary server setups.

The operation is audited.

Terminology
  • ECA - External certificate authority

  • Certificate artifacts - refers to a set of certificates and associated information that is required for secure communication. Certificate artifacts include:

    • Certificate chain

    • Private key

    • Trust store

    • Passphrase

    • CRL check level (default: LEAF)

Important notes
  • External CA-issued certificate rotation is not supported for NetBackup Cloud Scale and NetBackup Flex Scale.

  • If a host is configured to use Windows Certificate Store, it starts using file-based certificates after certificate renewal.

  • It is recommended that certificate rotation be performed only in maintenance mode; otherwise, backup or restore jobs may fail.

  • Migration from NetBackup CA to external CA is not supported using these APIs.

Prerequisites
  • You should ensure that external certificates are already enrolled on the host before you configure certificate rotation.

  • To rotate external certificates using the web UI or APIs for a particular host, the host must already have a valid external certificate enrolled.

  • The new certificate should have the same subject name as the one configured on the host, except when the externalCertificateIdentityField setting is enabled, in which case the subject name can differ but the common name must be the same.

  • Only CDP (CRL Distribution Point) is supported as the CRL check mechanism for the certificate.

    If the CRL check level is not DISABLE, the upload of external certificate artifacts fails when the CRL is not accessible from the primary server.

  • If the CRLs are not accessible on the host, the host might not be able to connect to the primary server after the external certificate artifacts are uploaded, and the certificate rotation might get stuck in an intermediate state.

  • The CRL check level should be disabled if the certificate does not have a valid CDP URL, or if the URL is not accessible from the host or the primary server.

  • The certificate chain size must be less than 40 KB; otherwise, the rotation process may fail during validation.
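
As an added example (not code from the NetBackup documentation or product), the following Go program applies these prerequisites as a pre-upload check on a new PEM chain: the 40 KB limit, the subject or common-name match depending on externalCertificateIdentityField, and the presence of a CDP URL unless the CRL check level is DISABLE. The function names, the constructed self-signed test certificates, and the example host names are assumptions; whether the CDP URL is actually reachable is not checked here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func parseLeaf(p []byte) (*x509.Certificate, error) {
	b, _ := pem.Decode(p) // the first PEM block is assumed to be the leaf certificate
	if b == nil || b.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block")
	}
	return x509.ParseCertificate(b.Bytes)
}

// CheckRotationChain applies the documented upload prerequisites to a new PEM chain: size under 40 KB, subject
// equal to the enrolled leaf's (CN only when externalCertificateIdentityField is enabled), CDP URL unless crlLevel is DISABLE.
func CheckRotationChain(enrolledPEM, newChainPEM []byte, identityField bool, crlLevel string) error {
	if len(newChainPEM) >= 40*1024 {
		return fmt.Errorf("chain is %d bytes; must be under 40 KB", len(newChainPEM))
	}
	cur, err1 := parseLeaf(enrolledPEM)
	nw, err2 := parseLeaf(newChainPEM)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("parse failed: enrolled=%v new=%v", err1, err2)
	}
	sameCN := cur.Subject.CommonName == nw.Subject.CommonName
	if (identityField && !sameCN) || (!identityField && cur.Subject.String() != nw.Subject.String()) {
		return fmt.Errorf("identity mismatch: new %q vs enrolled %q", nw.Subject.String(), cur.Subject.String())
	}
	if crlLevel != "DISABLE" && len(nw.CRLDistributionPoints) == 0 {
		return fmt.Errorf("no CDP URL in certificate; CRL check level %s requires one", crlLevel)
	}
	return nil
}

// testCertPEM builds a constructed self-signed leaf (not a NetBackup artifact) so the check runs offline.
func testCertPEM(cn, org string, cdp []string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), CRLDistributionPoints: cdp}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run the checks with `go test` against certificates produced by testCertPEM, or call CheckRotationChain on the enrolled leaf and the candidate chain read from disk.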

Workflow for external CA-signed certificate rotation process

Using the NetBackup web UI, you can upload certificate artifacts for a host. The rotation process is triggered when the client host uses the loginwithcert function every 24 hours. This triggers a chain of processes on the host as follows:

  • Downloading the certificate artifacts by the client

  • Performing validation of artifacts in a dry run with the primary server

  • Moving the files to the final location

  • Updating the configuration

The primary server retains these artifacts for 30 days. They are deleted earlier than 30 days if they are successfully downloaded and applied on the client host.

When the renewal process is complete, the certificates are automatically cleaned up. If a host does not connect to the primary server for 30 days, the artifacts for such host are cleaned up from the primary server.

You can check the current state of the certificate rotation process in the Renewal status column of the External certificates tab.

See View certificate renewal status for a host.

Restrictions for uploading the certificate artifacts for rotation
  • Flex deployments only support certificate artifacts in PEM X509 format.

  • The upload option is not allowed for back-level hosts or for hosts that do not have ECA configured.

  • If the domain is in FIPS mode, ensure that FIPS compliance is in place, for example, that certificate formats and key sizes are compliant.

Location of the certificates

The certificate artifacts are stored in the CMS on the server. After they are downloaded, they are stored at the following locations:

For a clustered primary server host (virtual):

CA certificate path - Install_Path/var/global/vxss/

Certificate chain, private key, passphrase path - Install_Path/var/global/vxss/credentials/ecaartifacts/

For other hosts (including nodes of clustered primary server):

CA certificate path - Install_Path/var/vxss/

Certificate chain, private key, passphrase path - Install_Path/var/vxss/credentials/ecaartifacts/
