Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. MSDP cloud support
  4. About AWS IAM Role Anywhere support
  5. Configure IAM Role Anywhere in AWS
  6. Create the required certificates
NetBackup™ Deduplication Guide

Create the required certificates

You can create a CA cert through Amazon's private CA authority which is chargeable by Amazon or by setting up a private CA authority and creating a CA certificate, at no cost.

To use an Amazon private CA resource, refer to AWS documentation here:

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html

To create a CA certificate for free by setting up a private CA authority and creating a CA certificate, see:

https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html

Using you your certificate and the key
  1. Use the root CA certificate file to create a Trust Anchor in AWS.

  2. Use the self signed CA certificate file and the private key created from the root CA certificate in NetBackup for authentication.

For AWS certificate specifications, see:

https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html

Signature validation

To authenticate a request for credentials, IAM Roles Anywhere validates the incoming signature by using the signature validation algorithm required by the key type of the certificate, for example RSA or ECDSA. After validating the signature, IAM Roles Anywhere checks that the certificate was issued by a certificate authority configured as a trust anchor in the account using algorithms defined by public key infrastructure X.509 (PKIX) standards.

End entity certificates must satisfy the following constraints to be used for authentication:

  • The certificates MUST be X.509v3.

  • Basic constraints MUST include CA: false.

  • The key usage MUST include Digital Signature.

  • The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.

Certificates used as trust anchors must satisfy the same requirements for the signature algorithm, but with the following differences:

  • The key usage must include Certificate Sign, and may include CRL Sign. Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere.

  • Basic constraints MUST include CA: true.

Feedback

Was this page helpful?
Previous

Configure IAM Role Anywhere in AWS

Next

Create the trust anchor

Feedback

Was this page helpful?