Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Veritas NetBackup™ Security and Encryption Guide
  3. Read this first for secure communications in NetBackup
  4. How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
Veritas NetBackup™ Security and Encryption Guide

How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation

The following diagram illustrates how NetBackup CA-signed certificates are deployed on hosts during installation:

NetBackup certificate deployment occurs in the following order:

  1. A NetBackup certificate is automatically deployed on the NetBackup master server during installation. The master server is the NetBackup CA.

  2. A NetBackup certificate is deployed on Host 1 during installation after confirming the CA fingerprint that is made available by the installation wizard or the script.

    An authorization token is not required because the certificate deployment security level on the master server is set to High and Host 1 is known to the master server.

    Note:

    A fingerprint is used to authenticate the CA of the master server before it is added to the trust store of a host. The master server administrator communicates the CA fingerprint to the host administrators by email or file, or publishes it on a website.

    Note:

    An authorization token is used as a mechanism to authorize a host's certificate request that is sent to the NetBackup master server. An authorization token is confidential and only the master server administrator can create it. The master server administrator then passes it on to the administrator of the host where you want to deploy a certificate. A reissue token is a special authorization token that is used to redeploy a certificate on a host to which a certificate was previously issued.

    If you continued with the NetBackup installation without confirming the master server fingerprint, you need to carry out manual steps before backups and restores can occur.

    https://www.veritas.com/support/en_US/article.000127129

  3. A NetBackup certificate is deployed on Host 2 during installation after the master server fingerprint is confirmed. An authorization token is required, because the certificate deployment security level on the master server is set to High and Host 2 is not known to the master server.

Feedback

Was this page helpful?
Previous

About secure communication in NetBackup

Next

How secure communication works with master server cluster nodes

Feedback

Was this page helpful?