NetBackup™ Troubleshooting Guide

Troubleshooting issues with private key encryption

This topic provides information on how to troubleshoot issues that are specific to private key encryption.

Passphrases are used to encrypt and decrypt the private keys of NetBackup host ID-based certificates. Passphrase keys are used to encrypt and decrypt these passphrases.

The private key of the NetBackup certificate is stored in an encrypted format using AES_256_CBC encryption. The password that is used to encrypt the private keys is stored in file storage and is encrypted using AES_256_GCM encryption.

Private key encryption file paths

Keystore location:

On Windows: Install path\NetBackup\var\vxss\credentials\keystore

On Linux: /usr/openv/var/vxss/credentials/keystore

Keystore location for cluster:

/usr/openv/var/global/vxss/credentials/keystore

Nbcert logs:

On Windows: Install path\NetBackup\logs\nbcert

On Linux: /usr/openv/netbackup/logs/nbcert

Passphrase file path: keystorepath + .yekekp

Passphrase key file path: keystorepath + .yekcneekp

certmapinfo.json file path:

On Windows: Install path\NetBackup\var\vxss\certmapinfo.json

On Linux: /usr/openv/var/vxss/certmapinfo.json

Table (columns: Sr. No., Issue, Possible reason, Resolution):

1

Issue:

Command: nbcertcmd -listcertdetails

Output:

    Private Key Encryption State: Encrypted with an unknown passphrase

Possible reason:

The private key file has been tampered with.

Resolution:

  1. Clean up the private key file for the server.

  2. Run the following command on all the servers that are associated with the host:

    • nbcertcmd -getCertificate -token reissue_token -server server host name -force

2

Issue:

For the following problem scenarios, the reason and the resolution are the same:

Command: nbcertcmd -listcertdetails

Output:

    Private Key Encryption State: Encrypted with an unknown passphrase

Command: nbcertcmd -rotatePassphrasekey

Output:

    The passphrase key rotation failed.
    EXIT STATUS 1200: Internal error

Possible reason:

The passphrase file or the passphrase key file has been tampered with.

Resolution:

  1. Check the last modification date of the passphrase file.

  2. Clean up the keystore folder including the hidden files.

  3. Run the following command on all the servers that are associated with the host:

    • nbcertcmd -getCertificate -token reissue_token -server server host name -force

3

Issue:

When you perform a catalog restore after a fresh NetBackup installation, you can see both the newly-created private keys from the fresh installation and the restored ones.

Command:

    ls -la
    total 20
    drwx------ 2 nbsvcusr nbsvcusr 171 Jun 19 19:38
    drwx------ 3 nbsvcusr nbsvcusr 133 Jun 19 19:25 ..
    -rw------- 1 nbsvcusr nbsvcusr 1858 Jun 19 19:38 015b91f5-74b5-44fb-865f-6d65827cdb30-key.pem
    -rw------- 1 nbsvcusr nbsvcusr 1858 Jun 19 19:38 015b91f5-74b5-44fb-865f-6d65827cdb3r-key.pem

Possible reason:

Restoring the catalog reintegrates the existing private keys and passphrase files into the keystore. The keystore then includes both the newly-created private keys from the fresh installation and the restored ones.

Resolution:

  • Clear the private key files that do not have an entry in the certmapinfo.json file.

Location of the certmapinfo.json file on Unix: /usr/openv/var/vxss/certmapinfo.json
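
The check in issue 3, as an added example that is not part of the original NetBackup documentation: a read-only listing of key files whose host ID does not appear in certmapinfo.json. It assumes that key files are named host-ID-key.pem, as in the listing above, and that certmapinfo.json contains each valid host ID as plain text; the function names and the demo data are constructed.

```shell
#!/bin/sh
# Added example: list key files in a keystore whose host ID is not mentioned
# in certmapinfo.json. Read-only: it prints candidates and deletes nothing.
# Assumptions: key files are named <host-ID>-key.pem (as in the listing above)
# and certmapinfo.json contains each valid host ID as plain text.

find_unmapped_keys() {
    keystore=$1
    certmap=$2
    [ -d "$keystore" ] || { echo "no keystore: $keystore" >&2; return 2; }
    [ -r "$certmap" ] || { echo "cannot read: $certmap" >&2; return 2; }
    for key in "$keystore"/*-key.pem; do
        [ -f "$key" ] || continue           # glob matched nothing
        name=${key##*/}                     # strip the directory part
        host_id=${name%-key.pem}            # strip the -key.pem suffix
        # -F: fixed string, so the whole ID must appear; -q: no output
        if ! grep -Fq -- "$host_id" "$certmap"; then
            printf '%s\n' "$key"
        fi
    done
}

# Constructed demo data (not from a real NetBackup host).
demo_unmapped_keys() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/keystore"
    : > "$tmp/keystore/11111111-aaaa-4bbb-8ccc-000000000001-key.pem"
    : > "$tmp/keystore/22222222-aaaa-4bbb-8ccc-000000000002-key.pem"
    # Hypothetical layout; the real certmapinfo.json schema is not assumed.
    printf '{"hosts":[{"hostID":"11111111-aaaa-4bbb-8ccc-000000000001"}]}\n' \
        > "$tmp/certmapinfo.json"
    find_unmapped_keys "$tmp/keystore" "$tmp/certmapinfo.json" | sed "s|$tmp/||"
    rm -rf "$tmp"
}

demo_unmapped_keys
```

Review the printed list against the keystore before removing anything; a file named here is only a candidate under the stated assumptions.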

4

Issue:

The following notification is seen on the NetBackup web UI:

Reissuing the host certificates during private key encryption failed for the following hosts: host1

Possible reason:

Reissue of the certificate is attempted during the private key encryption operation.

Resolution:

  • Run the following command:

    nbcert -listCertDetails -json

    The subsequent restart of the services may encrypt all the private keys and the output of this command shows all the keys in the Encrypted state.

If all the keys are not encrypted, run one of the following commands for the private keys with state other than Encrypted:

  • nbcertcmd -reissuecertificates -server server

  • nbcertcmd -getCertificate -token reissue_token -server server host name -force

5

Issue:

The attempt to rotate the passphrase failed, and the private key files and the passphrase file could not be restored.

Command:

    [root@example keystore] nbcertcmd -rotatepassphrase
    This operation performs the rotation of passphrase that encrypts the private key of the host ID-based certificates.
    It is strongly recommended that you stop the NetBackup services before you perform this operation. Ensure that you restart the services after the operation is performed.
    Are you sure you want to proceed with this operation? (y/n) y
    The passphrase rotation failed.
    EXIT STATUS 9141: Keystore is in inconsistent state.

Command:

    ls -la
    total 20
    drwx------ 2 nbsvcusr nbsvcusr  176 Jul 16 11:55 .
    drwx------ 3 nbsvcusr nbsvcusr  133 Jul  4 22:24 ..
    -rw------- 1 nbsvcusr nbsvcusr 1858 Jul 16 11:51 5176ec69-d3cb-44d7-a229-799555b7bd7e-key.pem
    -rw------- 1 nbsvcusr nbsvcusr 1858 Jul 16 11:54 5176ec69-d3cb-44d7-a229-799555b7bd7e-key.pem_bkup
    -rw------- 1 nbsvcusr nbsvcusr 1858 Jul 16 11:51 PrivKeyFile-2048.pem
    -rw-r--r-- 1 nbsvcusr nbsvcusr 1072 Jul 16 11:51 .yekcneekp
    -rw-r--r-- 1 nbsvcusr nbsvcusr  271 Jul 16 11:52 .yekekp

Possible reason:

The restore operation failed because of the absence of backup files or an issue with the file rewrite process.

Resolution:

  • Check if the backup files (files that have the suffix '_bkup') are present in the same keystore folder.

  • Perform the following:

    • Verify the status using nbcertcmd -listcertdetails

    • If all the primary servers are showing the private key encryption status as Encrypted, clean up the backup files manually and retry the rotation operation.

  • If the issue still persists, check the following:

    • If some of the primary servers show a private key and the encryption status is 'encrypted with unknown passphrase', restore the passphrase file and the corresponding private key files.

    • Again, check the status using nbcertcmd -listcertdetails. Verify if the correct encryption status is shown for the remaining private keys. If it is, retry the rotation operation.

  • If the issue still persists, check the following:

    • If backup files are not present and the command nbcertcmd -listcertdetails shows the incorrect encryption status, clean up the keystore.

    • Run nbcertcmd -getCertificate with the reissueToken option for all servers.
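
The branches of the issue 5 resolution, as an added example that is not part of the original NetBackup documentation: a read-only helper that combines the presence of '_bkup' files with the "Private Key Encryption State:" lines to name the branch that applies. It assumes the output of nbcertcmd -listcertdetails was saved to a file with one state line per certificate, and it treats any state other than Encrypted as needing action; the function and verdict names are hypothetical.

```shell
#!/bin/sh
# Added example: choose the branch of the rotation-failure procedure above.
# Read-only: it prints a verdict and changes nothing in the keystore.
# Assumptions: `nbcertcmd -listcertdetails` output was saved to a file and has
# one "Private Key Encryption State:" line per certificate; any state other
# than "Encrypted" counts as needing action. Verdict names are hypothetical.

rotation_triage() {
    keystore=$1
    details=$2
    if [ ! -d "$keystore" ] || [ ! -r "$details" ]; then
        echo "usage: rotation_triage KEYSTORE_DIR DETAILS_FILE" >&2
        return 2
    fi
    counts=$(awk -F': *' '/Private Key Encryption State:/ {
                 total++; sub(/[ \t\r]+$/, "", $2)
                 if ($2 != "Encrypted") bad++ }
             END { printf "%d %d", total, bad }' "$details")
    total=${counts% *}
    bad=${counts#* }
    backups=0                               # files with the _bkup suffix
    for b in "$keystore"/*_bkup "$keystore"/.*_bkup; do
        if [ -f "$b" ]; then backups=$((backups + 1)); fi
    done
    if [ "$total" -eq 0 ]; then verdict=NO_STATE_LINES
    elif [ "$bad" -eq 0 ] && [ "$backups" -gt 0 ]; then verdict=REMOVE_BACKUPS_AND_RETRY
    elif [ "$bad" -gt 0 ] && [ "$backups" -gt 0 ]; then verdict=RESTORE_PASSPHRASE_AND_KEYS
    elif [ "$bad" -gt 0 ]; then verdict=CLEAN_KEYSTORE_AND_REISSUE
    else verdict=NOT_COVERED_BY_PROCEDURE
    fi
    echo "$verdict certs=$total not_encrypted=$bad backups=$backups"
}

# Constructed demo (not from a real host): one backup file, one unknown state.
demo_rotation_triage() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/aaaa-key.pem"
    : > "$tmp/aaaa-key.pem_bkup"
    : > "$tmp/.yekekp"
    cat > "$tmp/details.txt" <<'EOF'
Private Key Encryption State: Encrypted
Private Key Encryption State: Encrypted with an unknown passphrase
EOF
    rotation_triage "$tmp" "$tmp/details.txt"
    rm -rf "$tmp"
}

demo_rotation_triage
```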
