Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Veritas NetBackup™ Security and Encryption Guide
  3. Section II. Encryption of data in transit
  4. External CA and external certificates
  5. Configuring the master server to use an external CA-signed certificate
Veritas NetBackup™ Security and Encryption Guide

Configuring the master server to use an external CA-signed certificate

A NetBackup host ID-based certificate is deployed on the master server during installation or upgrade. You can configure the master server to use an external CA-signed certificate after installation. It includes:

  • Defining the external certificate configuration options

    See Configuration options for external CA-signed certificates.

  • Enrolling the external certificate for the master server host

    The enrolled certificate is used for communication between the host and the master server domain that is listed in the SERVER configuration option on the host.

See Viewing external CA-signed certificates in the NetBackup web UI.

See Configuring an external certificate for a clustered master server.

Important notes
  • Ensure that the NetBackup domain is enabled to use external CA-signed certificates by configuring the NetBackup web server.

    See Configuring an external certificate for the NetBackup web server.

  • External certificates for the NetBackup web server and the master server must be issued by the same root certificate authority.

    If the two certificate authorities do not match, communication between the NetBackup Administration Console and the NetBackup Web Management Console service (nbwmc service) fails.

  • Ensure that the certificate revocation lists (CRLs) for the external CA are stored at the required location.

    If CRL distribution point (CDP) is used, ensure that the URLs that are specified in the CDP are accessible.

    See About certificate revocation lists for external CA.

To configure the master server to use an external certificate

  1. Update the NetBackup configuration file (bp.conf file on UNIX or Windows registry) on the master server with the external certificate-specific parameters.

    See Configuration options for external CA-signed certificates.

    For Windows certificate store

    Use the nbsetconfig command to configure the following parameters:

    • ECA_CERT_PATH

    • ECA_CRL_CHECK (optional)

    • ECA_CRL_PATH (optional)

    • ECA_CRL_PATH_SYNC_HOURS (optional)

    • ECA_CRL_REFRESH_HOURS (optional)

    • ECA_DR_BKUP_WIN_CERT_STORE (optional)

    For file-based certificates

    Use the nbsetconfig command to configure the following parameters:

    • ECA_CERT_PATH

    • ECA_PRIVATE_KEY_PATH

    • ECA_TRUST_STORE_PATH

    • ECA_KEY_PASSPHRASEFILE (optional)

    • ECA_CRL_CHECK (optional)

    • ECA_CRL_PATH (optional)

    • ECA_CRL_PATH_SYNC_HOURS (optional)

    • ECA_CRL_REFRESH_HOURS (optional)

    Note:

    If you have a Flex Appliance application instance, the certificate files must be stored in the following directories on the instance:

    ECA_CERT_PATH, ECA_PRIVATE_KEY PATH, and ECA_TRUST_STORE_PATH: /mnt/nbdata/hostcert/

    ECA_CRL_PATH: /mnt/nbdata/hostcert/crl

  2. Run the following command on the master server to enroll an external certificate with the master server domain that is defined in the SERVER option:

    nbcertcmd -enrollCertificate

    For more details on the command, refer to the NetBackup Commands Reference Guide.

Feedback

Was this page helpful?
Previous

Removing the external certificate configured for the web server

Next

Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation

Feedback

Was this page helpful?