NetBackup™ Troubleshooting Guide

Troubleshooting issues with external CA-signed certificate revocation

The NetBackup CRL cache is updated with the required CRLs using either the ECA_CRL_PATH setting or CRL distribution points (CDPs).

For more details, refer to the "About certificate revocation lists for external CA" chapter in the NetBackup Security and Encryption Guide.

Symptom

The certificate revocation list is unavailable (NetBackup status code - 5982)

Cause
  • NetBackup is not configured with the correct CRL path, or the certificate does not contain a valid CDP.

  • The host does not have a CRL cached in the NetBackup CRL cache.

Resolution
  1. If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure the following:
    • ECA_CRL_PATH has the correct CRL directory path.

    • The CRL directory contains CRLs for all required certificate issuers (based on the ECA_CRL_CHECK setting).

    If the CDP is used (ECA_CRL_PATH is not specified), ensure the following:

    • The certificate has at least one CDP (with HTTP/HTTPS protocol) that points to a CRL that includes revocation information for all reasons.

    • The CDP URL is accessible.

  2. Ensure that the CRL in the directory specified for ECA_CRL_PATH or at the CDP location is valid:
    • The CRL is in PEM or DER format.

    • The CRL is not expired.

    • The CRL is not a delta CRL.

    • The CRL's last update date is not in the future.

  3. If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.
  4. Verify that the required CRLs are available in the NetBackup CRL cache at the following location:

    UNIX: /usr/openv/var/vxss/crl

    Windows: install_path\NetBackup\var\vxss\crl

  5. If the issue persists, examine bpclntcmd logs at the following location:

    UNIX: /usr/openv/netbackup/logs/bpclntcmd

    Windows: install_path\NetBackup\logs\bpclntcmd
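
The four CRL conditions in step 2 can be checked on a file before it is placed in the ECA_CRL_PATH directory. The following is an added example, not NetBackup code: it uses only the Python standard library, the names `elements`, `as_time`, `check_crl`, `der` and `sample_crl` are hypothetical, and the sample CRL is a constructed, unsigned skeleton. It inspects structure and dates only and does not verify the CRL signature or issuer.

```python
# Added example, hypothetical names. Structure checks only: no signature verification.
import base64
from datetime import datetime, timezone

DELTA_CRL_OID = bytes.fromhex("551d1b")  # 2.5.29.27, deltaCRLIndicator

def elements(buf):
    """Split DER bytes into the (tag, value) elements they contain."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def as_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return t.replace(year=t.year - 100) if tag == 0x17 and t.year >= 2050 else t

def check_crl(data, now=None):
    """Return the step-2 problems found in one CRL file's bytes ([] = none)."""
    now = now or datetime.now(timezone.utc)
    try:
        if b"-----BEGIN X509 CRL-----" in data:  # PEM: take the base64 body
            data = base64.b64decode(data.split(b"-----")[2])
        tbs = elements(elements(elements(data)[0][1])[0][1])  # fields of TBSCertList
        times = [as_time(t, v) for t, v in tbs if t in (0x17, 0x18)]
        exts = [e for t, v in tbs if t == 0xA0 for e in elements(elements(v)[0][1])]
        delta = any(elements(v)[0] == (0x06, DELTA_CRL_OID) for _, v in exts)
        last_update, next_update = times[0], (times[1:] or [None])[0]
    except (ValueError, IndexError):
        return ["not a PEM or DER CRL"]
    problems = ["last update is in the future"] if last_update > now else []
    if next_update and next_update < now:
        problems.append("expired")
    return problems + (["delta CRL"] if delta else [])

def der(tag, body=b""):  # encoder for the constructed sample; lengths < 128 only
    return bytes([tag, len(body)]) + body

def sample_crl(last, nxt, delta=False):  # constructed, unsigned skeleton; not a real CRL
    t = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    ext = der(0xA0, der(0x30, der(0x30, der(0x06, DELTA_CRL_OID) + der(0x04, b"\x02\x01\x01"))))
    tbs = der(0x30, der(0x30) + der(0x30) + t(last) + t(nxt) + (ext if delta else b""))
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00\x00"))
```

To check a real file, pass its bytes to `check_crl`, for example the contents of each file in the CRL directory; an empty list means none of the four conditions failed.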

Symptom

NetBackup functions correctly even though the certificate is revoked, or NetBackup operations fail with the error 'certificate is revoked' even though the certificate is not revoked.

Cause

The NetBackup host's CRL cache is not updated.

Resolution
  1. Verify whether the CRLs at the following location are up to date:

    UNIX: /usr/openv/var/vxss/crl

    Windows: install_path\NetBackup\var\vxss\crl

    If not, clean up the cached CRLs for issuers in the certificate chain as per the ECA_CRL_CHECK setting.

    For the cleanup operation, use the nbcertcmd -cleanupCRLCache -issuerHash SHA-1_hash_of_CRL_issuer_name command.

  2. If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure that it contains the latest CRLs for all the required issuers.
  3. If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.
