Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ for Kubernetes Administrator's Guide
  3. Deploying certificates on NetBackup Kubernetes operator
  4. Perform ECA certificate operations
NetBackup™ for Kubernetes Administrator's Guide

Perform ECA certificate operations

Before performing External Certificate Authority (ECA) create, update, and remove operations; you must configure the backup server in ECA mode.

To check if the ECA mode is on, run the command: /usr/openv/netbackup/bin/nbcertcmd -getSecConfig -caUsage.

The output looks like this:

NBCA: ON
ECA: ON

To configure the backup server in ECA mode, refer to the About external CA support in NetBackup section in the NetBackup™ Security and Encryption Guide

ECA certificate specification looks like this:

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample-eca
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: primaryserver.sample.domain.com
  certificateOperation: Create | Update | Remove
  certificateType: ECA
  ecaAttributes:
    ecaCreateOptions:
      ecaSecretName: "Secret name consists of cert, key, passphrase, cacert"
      copyCertsFromSecret: true | false
      isKeyEncrypted: true | false
    ecaUpdateOptions:
      ecaCrlCheck: DISABLE | LEAF | CHAIN
      ecaCrlRefreshHours: range[0,4380]

Table: ECA certificate operations

Operation type

Options and comments

Create

  • secretName: Name of secret containing cert, key, passphrase, cacert.

  • copyCertsFromSecret: Possible values are true and false. This option is added as the External CA is common across all primary servers. Same certificates can be enrolled to Kubernetes operator for all primary servers.

    Thus, there is no need to copy certs and keys every time. Copying of certificates and keys can be controlled with this option.

    If ECAHealthCheck fails due to something wrong with certs and keys, then the certificates must be copied again.

  • isKeyEncrypted; If the private key is encrypted, set this field as true else set it as false.

Remove

NA

Update

  • ecaCrlCheck: Lets you specify the revocation check level for external certificates.

    Possible values are DISABLE, LEAF, and CHAIN.

  • ecaCrlRefreshHours specifies the time interval in hours to download Certificate Revocation Lists.

    Possible values range between 0-4380

Creating ECA signed certificate

NetBackup supports Kubernetes operator on multiple primary servers for ECA. If the external CA is common across primary servers. It is mandatory to use Certificate Revocation List distribution point for fetching Certificate Revocation List dynamically during the communication.

To create ECA signed certificate

  1. Use the Certificate Revocation List distribution point to fetch Certificate Revocation List.
  2. Keep ECA signed certificate chain, private key, and passphrase (if required) ready in your home directory.
  3. To identify different formats (like, DER, PEM and so on) that are supported for each of the files mentioned in step 2. For more information, refer to the Configuration options for external CA-signed certificates section in the NetBackup™ Security and Encryption Guide.
  4. Create a secret using the files mentioned in step 3.
    • To create a secret if private key is unencrypted, run the command: kubectl create secret generic <Name of secret>

      --from-file=cert_chain=<File path to ECA signed certificate chain> --from-file=key=<File path to private key>

      --from-file=cacert=<File path to External CA certificate> -n <Namespace where kops is deployed>

    • To create a secret if private key is encrypted, run the command: kubectl create secret generic <Name of secret>

      --from-file=cert_chain=<File path to ECA signed certificate chain> --from-file=key=<File path to private key>

      --from-file=cacert=<File path to External CA certificate> --from-file=passphrase=<File path to passphrase

      of encrypted private key> -n <Namespace where kops is deployed>

    Directory structure looks like this:

    ├── cert_chain.pem
    ├── private
    |  |___key.pem
    |  |___passphrase.txt
    |___trusted
         |__cacerts.pem
    

    cert_chain.pem is ECA signed certificate chain

    private/key.pem is private key

    private/passphrase.txt is passpharse for private key

    trusted/cacerts.pem is External CA certificate

    • To create a secret of name eca-secret when private key is unencrypted, run the command:

      kubectl create secret generic eca-secret--from-file=cert_chain=cert_chain.pem

      --from-file=key=private/key.pem

      --from-file=cacert=trusted/cacerts.pem -n kops-ns

    • To create a secret of name eca-secret when private key is encrypted, run the command:

      kubectl create secret generic eca-secret

      --from-file=cert_chain=cert_chain.pem

      --from-file=key=private/key.pem

      --from-file=cacert=trusted/cacerts.pem

      --from- file=passphrase=private/passphrase.txt

      -n kops-ns

  5. Once the secret is created, then create a backupservercert object custom resource.

    eca-create-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupservercert-eca-create
      namespace: kops-ns
    spec:
      clusterName: cluster.sample.com:port
      backupServer: backupserver.sample.domain.com
      certificateOperation: Create
      certificateType: ECA
      ecaAttributes:
        ecaCreateOptions:
          ecaSecretName: eca-secret
          copyCertsFromSecret: true
          isKeyEncrypted: false
    • Copy the eca-create-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  6. To copy certificate and keys to the Kubernetes operator, do any of the following:
    • Set copyCertsFromSecret as true

    • Set copyCertsFromSecret as false to avoid copying certificates and keys existing on the Kubernetes Operator.

    Note:

    ECA is common across all primary server thus Kubernetes operator require one set of certificates and keys that can be enrolled with all primary servers as required. No need to copy certificates and keys every time unless there's issue with the previous copied certificates and keys.

    Note:

    If ecaHealthCheck fails due to any reason related to certificates and keys (corrupted or expired or changed ECA) then you identify the reason for failure and perform a copy of a valid certificate using a flag.

  7. If private key is encrypted, set isKeyEncrypted flag as true or else false for unencrypted key. Ensure passphrase is provided in secret if private key is encrypted.
  8. Set ecaSecretName with the secret name, created backupservercert yaml in step 5.
  9. To create the eca-create-backupservercert.yaml file, run the command: kubectl create -f eca-create-backupservercert.yaml
  10. Once the backupservercert custom resource is created, check the custom resource status.
  11. To view the external certificate details on the NetBackup web UI, refer to the View external certificate information for the NetBackup hosts in the domain section in the NetBackup™ Web UI Administrator's Guide.
Removing the ECA signed certificate

You can remove the ECA signed certificate from the primary server.

To remove ECA signed certificate

  1. Create a backupservercert with operation as remove and certificate type as ECA.

    eca-remove-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupservercert-eca-remove
      namespace: kops-ns
    spec:
      clusterName: cluster.sample.com:port
      backupServer: backupserver.sample.domain.com
      certificateOperation: Remove
      certificateType: ECA
    • Copy the eca-remove-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  2. To create the eca-remove-backupservercert.yaml file, run the command: kubectl create -f eca-remove-backupservercert.yaml
  3. Once the object is created, then you need to check the custom resource status. If failed, then you can take necessary actions.

These steps removes the external certificate details with respect to the specified primary server from the local certificate store. The certificate is neither deleted from the system nor from the NetBackup database.

If you want to disable ECA then refer to the Disabling an external CA in a NetBackup domain section in the NetBackup™ Security and Encryption Guide

If you enrolled ECA on the Kubernetes operator for a backup server but later reinstalled the backup server which supports just NBCA. Then, you have to remove ECA enrolment from Kubernetes operator because during nbcertcmd communication with backupserver CA support might get compared and if it mismatches then an error occurs.

Updating the ECA signed certificate

There are certain options that are configurable in ECA. You can configure these options through the update operations.

To update the ECA signed certificate

  1. Create a backupservercert object with operation type update.

    eca-update-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
    kind: BackupServerCert
    metadata:
      name: backupservercert-eca-update
      namespace: kops-ns
    spec:
      clusterName: cluster.sample.com:port
      backupServer: backupserver.sample.domain.com
      certificateOperation: Update
      certificateType: ECA
      ecaAttributes:
        ecaUpdateOptions:
          ecaCrlCheck: DISABLE | LEAF | CHAIN 
          ecaCrlRefreshHours: [0,4380]
    • Copy the eca-update-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  2. To create the eca-update-backupservercert.yaml file, run the command: kubectl create -f eca-update-backupservercert.yaml
  3. The ECA_CRL_CHECK option lets you specify the revocation check level for external certificates of the host. It also lets you disable the revocation check for the external certificates. Based on the check, the revocation status of the certificate is validated against the Certificate Revocation List (CRL) during host communication. For more information, refer to the ECA_CRL_CHECK for NetBackup servers and clients section in the NetBackup™ Security and Encryption Guide.
  4. The ECA_CRL_REFRESH_HOURS option specifies the time interval in hours to download the CRLs from the URLs that are specified in the peer host certificate's Certificate Revocation List distribution points (CDP). For more information, refer to the ECA_CRL_REFRESH_HOURS for NetBackup servers and clients section in the NetBackup™ Security and Encryption Guide

Feedback

Was this page helpful?
Previous

Perform Host-ID-based certificate operations

Next

Identify certificate types

Feedback

Was this page helpful?