Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ for Kubernetes Administrator's Guide
  3. Deploying certificates on NetBackup Kubernetes operator
  4. Perform Host-ID-based certificate operations
NetBackup™ for Kubernetes Administrator's Guide

Perform Host-ID-based certificate operations

Ensure that the primary server is configure in the NBCA mode. To check if the NBCA mode is on, run the command: /usr/openv/netbackup/bin/nbcertcmd -getSecConfig -caUsage.

The output looks like this:

NBCA: ON
ECA: OFF

HostID based certificate specification looks like this:

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: primaryserver.sample.domain.com
  certificateOperation: Create | Update | Remove
  certificateType: NBCA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: "Secret name consists of token and fingerprint"
    nbcaUpdateOptions:
      secretName: "Secret name consists of token and fingerprint"
      force: true
    nbcaRemoveOptions:
      hostID: "hostId of the nbca certificate. You can view on Netbackup UI"

Table: HostID based certificate operations

Operation type

Options and comments

Create

secretName: Name of the secret which contains a token and fingerprint.

Remove

hostID: Host identification of the NBCA certificate.

Update

secretName: Name of the secret which contains a token and fingerprint.

Creating a HostID based certificate for Kubernetes operator

You can create a HostID based certificate for Kubernetes operator using the following procedure.

To create HostID based certificate for Kubernetes operator

  1. On the backup server run the following command and get the SHA-256 fingerprint.

    /usr/openv/netbackup/bin/nbcertcmd -listCACertDetails

  2. To create an authorization token, refer to the Creating authorization tokens section in the NetBackup™ Security and Encryption Guide.
  3. To create a reissue token, if required, refer to the Creating a reissue token section in the NetBackup™ Security and Encryption Guide.
  4. Create a secret with token and fingerprint.
  5. Provide a token as it is mandatory irrespective of security level.

    Token-fingerprint-secret.yaml looks like this:

    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-name
      namespace: kops-ns
    type: Opaque
    stringData:
      token: "Authorization token | Reissue token"
      fingerprint: "SHA256 Fingerprint"
    • Copy the Token-fingerprint-secret.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  6. To create the Token-fingerprint-secret.yaml file, run the command: kubectl create -f Token-fingerprint-secret.yaml
  7. Create a backupservercert object with the

    nbcaCreateOptions and then specify a secret name.

    nbca-create-backupservercert.yaml looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupserver-nbca-create
      namespace: kops-ns
    spec:
      clusterName: cluster.sample.com:port
      backupServer: backupserver.sample.domain.com
      certificateOperation: Create
      certificateType: NBCA
      nbcaAttributes:
        nbcaCreateOptions:
          secretName: nbcaSecretName with token and fingerprint
    • Copy the nbca-create-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  8. To create the nbca-create-backupservercert.yaml file, run the command: kubectl create -f nbca-create-backupservercert.yaml
  9. Once the certificate is created, check custom resource status. If the custom resource status is successful, you can run Backup from Snapshot jobs.

    Note:

    You need to check that the BackupServerCert custom resource status is successful before initiating Backup from Snapshot or Restore from Backup Copy operations.

    Note:

    To renew host ID based certificate: NetBackup host ID certificate checks if it's due for renew after 24 hours cycle. Certificates get automatically renewed 180 days (6 months) before expiration date.

    Note:

    Ensure to check whether the NetBackup primary server clock and the NetBackup Kubernetes operator clock are in sync. For more details on the CheckClockSkew errors, refer to the Implication of clock skew on certificate validity section in the NetBackup™ Security and Encryption Guide.

Removing primary server certificate from Kubernetes operator

You can remove a certificate from a primary server if the server is not used for running the backup and restore operations.

To remove primary server certificate from Kubernetes operator.

  1. Log on to the NetBackup web UI and get a hostID for the certificate that you want to remove.

    To get the HostID for the certificate, refer to the Viewing host ID-based certificate details section in the NetBackup™ Security and Encryption Guide.

  2. Create a backupservercert with operation type remove.

    nbca-remove-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupserver-nbca-domain.com
      namespace: kops-ns
    spec:
      clusterName: cluster.sample.com:port 
      backupServer: backupserver.sample.domain.com
      certificateOperation: Remove
      certificateType: NBCA
      nbcaAttributes:
        nbcaRemoveOptions:
          hostID: nbcahostID
    • Copy the nbca-remove-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  3. To create the nbca-remove-backupservercert.yaml file, run the command: kubectl create -f nbca-remove-backupservercert.yaml
  4. To revoke the certificate, refer to the Revoking a host ID-based certificate section in the NetBackup™ Security and Encryption Guide.

    Note:

    Once the nbca-remove-backupservercert.yaml is applied, certificates are removed from the Kubernetes operator's local certificate store. But it's still present and valid in the NetBackup database. So, the certificate needs to be revoked.

Updating primary server certificates

Following is the scenario when you may want to update the certificates assuming that the certificates are readable and present in the Kubernetes operator:

When certificates present on the Netbackup Kubernetes operator are revoked, then certificates can be reissued with update operation. To resolve this issue, either you can update the server certificate or you can remove the server certificate and then create a new certificate.

Note:

If update certificate operation fails, you must remove the certificate first and then create a new certificate.

To update a primary server certificate on Kubernetes operator:

  1. Create a backupservercert object with the update operation:

    nbca-update-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupserver-nbca-update
      namespace:kops-ns
    spec:
      clusterName: cluster.sample.com:port
      backupServer: backupserver.sample.domain.com
      certificateOperation: Update
      certificateType: NBCA
      nbcaAttributes:
        nbcaUpdateOptions:
        secretName: "Name of secret containing 
    token and fingerprint"
        force: true
    • Copy the nbca-update-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  2. To create the nbca-udpate-backupservercert.yaml file, run the command: kubectl create -f nbca-update-backupservercert.yaml
  3. Once the backupservercert object is created, then check the custom resource status.

Feedback

Was this page helpful?
Previous

Deploy certificates on the Kubernetes operator

Next

Perform ECA certificate operations

Feedback

Was this page helpful?