Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Troubleshooting Guide
  5. Troubleshooting procedures
  7. Troubleshooting security certificate revocation
  9. Determining a NetBackup host's certificate state
NetBackup™ Troubleshooting Guide

Determining a NetBackup host's certificate state

If NetBackup CA-signed certificate is used

You can determine the state of a NetBackup certificate: Active or Revoked. Doing so may help troubleshoot connection and communication problems. Three methods exist to determine a certificate state, as follows:

Verify a host certificate from the host itself

The method uses the NetBackup nbcertcmd command.

See “To verify the host's certificate state from the host”.

Verify a host certificate from a NetBackup server

The method uses the NetBackup bptestbpcd command.

See “To verify from a NetBackup server if a different host's certificate is revoked”.

Verify a host certificate from the host itself

See “To verify a host's certificate”.

To verify the host's certificate state from the host

  1. Optionally, on the NetBackup host run the following command as an administrator to get the most recent certificate revocation list:

    UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCRL [-server primary_server_name]

    Windows: install_path\NetBackup\bin\nbcertcmd -getCRL [-server primary_server_name]

    To get a CRL from a NetBackup domain other than the default, specify the -server primary_server_name option and argument.

  2. On the NetBackup host, run the following command as an administrator:

    UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster] [-server primary_server_name]

    Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck [-cluster] [-server primary_server_name]

    Use one or both of the following options if necessary:

    -cluster

    Use this option on the active node of a NetBackup primary server cluster to verify the certificate of the virtual host.

    -server

    Use this option with the primary_server_name argument to verify a certificate from a primary server other than the default.

  3. Examine the command output. The output indicates that either the certificate is or is not revoked.

To verify from a NetBackup server if a different host's certificate is revoked

  1. As an administrator on the NetBackup primary server or a NetBackup media server, run the following command:

    UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd - host hostname -verbose

    Windows: install_path\NetBackup\bin\bptestbpcd - host hostname -verbose

    For - host hostname, specify the host for which you want to verify the certificate.

  2. Examine the command output. If the certificate on the specified host is revoked, the command output includes the string The Peer Certificate is revoked. If the command output does not include that string, the certificate is valid.

To verify a host's certificate

  1. Open the NetBackup web UI.
  2. On the left, click Security > Certificates.
  3. Click the certificate name to examine the status of the certificate.
If external CA-signed certificate is used

You can determine the state of an external CA-signed host certificate: Active or Revoked. Doing so may help troubleshoot connection and communication problems.

Two methods exist to determine a certificate state, as follows:

Verify a host certificate from the host itself

See “To verify a host certificate from the host itself”.

Verify a host certificate from a NetBackup server

See “To verify from a NetBackup server if a different host's certificate is revoked”.

To verify a host certificate from the host itself

  1. Refresh the CRLs in the NetBackup CRL cache.

    See Troubleshooting issues with external CA-signed certificate revocation.

  2. On the NetBackup host, run the following command as an administrator:

    UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster]

    Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck [-cluster]

    Use the -cluster option on the active node of a clustered primary server to verify the certificate of the virtual name.

  3. Examine the command output. The output indicates whether the certificate is revoked or not.

To verify from a NetBackup server if a different host's certificate is revoked

  1. As an administrator on the NetBackup primary server or a NetBackup media server, run the following command:

    UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd -host hostname -verbose

    Windows: install_path\NetBackup\bin\bptestbpcd -host hostname -verbose

    For -host hostname, specify the host for which you want to verify the certificate.

  2. Examine the command output. If the certificate on the specified host is revoked, the command output includes the string 'The Peer Certificate is revoked'. If the command output does not include that string, the certificate is valid.

Feedback

Was this page helpful?
Previous

Primary server security certificate is revoked

Next

Troubleshooting issues with external CA-signed certificate revocation

Feedback

Was this page helpful?