Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ for Cloud Object Store Administrator's Guide
  3. Managing Cloud object store assets
  4. Adding Cloud object store accounts
  5. Check certificate for revocation
NetBackup™ for Cloud Object Store Administrator's Guide

Check certificate for revocation

For all the cloud providers, NetBackup provides the capability to verify the revocation status of SSL certificates using the Online Certificate Status Protocol (OCSP). If SSL and the Check certificate revocation option are both enabled, NetBackup verifies each SSL certificate. To verify, NetBackup makes an OCSP request to the CA to check the revocation status of the certificate presented during the SSL handshake. NetBackup does not connect to the cloud provider, if the status is returned as revoked or it fails to connect to the OCSP endpoint present in the SSL certificate.

To enable validation, update the Check certificate revocation property from the Cloud object store account dialog.

Requirements for enabling the Check certificate revocation option
  • OCSP endpoints are HTTP thus, turn off any firewall rule that blocks HTTP (port 80) connections to external networks. For example, http://ocsp.sca1b.amazontrust.com

  • OCSP URL is dynamically retrieved from the certificate; thus, disable any firewall rule that blocks unknown URLs.

  • Typically, the OCSP URL's endpoint supports IPV4. For IPV6 environments, disable the Check certificate revocation option.

  • Private Clouds typically have a self-signed certificate. Thus, for private clouds, Check certificate revocation is not required. Disable this check while configuring the account; otherwise, account creation fails.

  • The OSCP URL of the CA should be present in the certificate's Authority Information Access extension.

Feedback

Was this page helpful?
Previous

Creating cross-account access in AWS

Next

Managing Certification Authorities (CA) for NetBackup Cloud

Feedback

Was this page helpful?