Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Web UI Cloud Administrator's Guide
  5. Managing and protecting cloud assets
  7. Configure CloudPoint servers in NetBackup
  9. Configure a third-party CA certificate
NetBackup™ Web UI Cloud Administrator's Guide

Configure a third-party CA certificate

You can use a self-signed or a third-party certificate to validate your CloudPoint server.

Consider the following points:

  • For Windows, you can give a certificate as a file path or install the third party certificate in the Trusted Root Certificates authorities.

  • To switch from a self-signed certificate to a third-party certificate for an already added CloudPoint server, you can update the tpconfig command or edit the CloudPoint server API or from NetBackup WebUI.

To configure a third-party CA certificate

  1. Generate the third party certificate and private key for your CloudPoint server.
  2. Run the ./cloudpoint/scripts/cp_certificate_management.sh script to upload your certificate and keys to the CloudPoint server.
  3. In NetBackup, create a certificate file and append the certificate of root and all intermediate CAs in the pem file.
  4. In the bp.conf file, create the following entries:

    • ECA_TRUST_STORE_PATH = /certificate.pem

    • (Optional) VIRTUALIZATION_CRL_CHECK = CHAIN

    • (Optional) ECA_CRL_PATH = /crls

      Note:

      • The ECA_CRL_PATH option specifies the path to the directory where the Certificate Revocation Lists (CRL) of the external certificate authority (CA) are located. All files in ECA_CRL_PATH must be in pem format.

      • VIRTUALIZATION_CRL_CHECK option is only required if you want to check the revocation status of the certificate. By default, the VIRTUALIZATION_CRL_CHECK option is disabled.

      • You can disable, LEAF, or CHAIN the value of the VIRTUALIZATION_CRL_CHECK option. For LEAF, revocation status of the leaf certificate is validated against the CRL. For CHAIN, revocation status of all certificates from the certificate chain are validated against the CRL.

  5. Add the CloudPoint server to NetBackup or run the tpconfig command to update the certificate for a CloudPoint server already added to NetBackup.

    Note:

    Following should be the order in which the certificates are uploaded:

    • Leaf

    • Intermediate

    • Root

If the certificates are not uploaded in the correct order, the CloudPoint might not work.

Feedback

Was this page helpful?
Previous

Configure CloudPoint servers in NetBackup

Next

Add a CloudPoint server

Feedback

Was this page helpful?