X2
Moderator
7 years ago

Expired host-id certificates - how to remove?

I noticed several host-id certificates as expired on one of my backup domains (running 8.1.2). This was mainly due to us not revoking them during the decommissioning process till around a few weeks ago.

So, in an attempt to do a cleanup of the expired certs, I tried to revoke them and got the following:

[root@master01 16:57 /]# /usr/openv/netbackup/bin/nbcertcmd -revokeCertificate -host expiredHost.domain.name
Request to revoke certificate has failed.
EXIT STATUS 5972: The certificate could not be revoked. It was already revoked or expired.

What are my options for the cleanup of these host-id certs, other than assuming an "expired" certificate is as good as revoked for a decommissioned client, and that I will have to reissue the certificate anyway in case a hostname is reused for a new VM?

 

5 Replies

  • Seems you have already seen this post: Re: Completely remove host certificates in 8.1
    that references Article 100041506 that says:
    Currently, it is not possible to remove entries from either the Host Management or Certificate Management tables. If a NetBackup host is moved from one NetBackup Master Server to another or is decommissioned entirely, it continues to be impossible to remove the host entries from either of these two tables.

    • X2
      Moderator

      Hmm.. yeah, I knew that already but I was thinking there might be a way to revoke an expired certificate.

      I could live with the expired certificates as they are effectively revoked if the client has been destroyed (along with certs).

      Thanks Marianne 

      • X2 Marianne 

        1. Certificate expiration is set to one year from date of issue; however, after 6 months of active period, certificates get renewed automatically (something like a DHCP lease). So in the ideal case you should NOT have an expired certificate for any active client/server. There are two reasons why a certificate will expire: (a) there is a problem with the reissue process, (b) the client/server is not active (powered OFF, NBU services stopped or NBU uninstalled). Once a certificate has expired it cannot be used. Certificate expiration happens automatically and is not done by the administrator.

        2. Certificate revocation is a manual process done by NetBackup administrator.

        So certificate expiration (automatic) and certificate revocation (manual, by the administrator) are actually the same thing from the certificate's point of view. It marks this certificate as unusable. The only operation available on an expired/revoked certificate is to generate a reissue token so that you can ask the CA (master server) for a new certificate for the same client.

        The reason why you cannot delete expired/revoked certificates is security. An administrator should know how many revoked/expired certificates there are in his environment. More importantly, NetBackup will not allow reissue of these certificates without an administrator's intervention (generating a reissue token).
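
The certificate lifecycle described in the replies above, as an added example (not code from the thread or from NetBackup): it audits an inventory of host-ID certificates against a decommission list and separates expired certificates that need no action from still-valid certificates on retired hosts, which are the ones that need manual revocation. The record fields, host names and dates are constructed, and treating a renewal as a new issue date and "6 months" as 182 days are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

VALIDITY = timedelta(days=365)     # "one year from date of issue" (from the thread)
RENEW_AFTER = timedelta(days=182)  # "after 6 months"; the exact day count is an assumption


def classify(cert, decommissioned, today):
    """Return one audit finding for a certificate record (hypothetical schema)."""
    retired = cert["host"] in decommissioned
    if cert["revoked"]:
        return "revoked"
    if today >= cert["issued"] + VALIDITY:
        # Already unusable; a revoke attempt fails with exit status 5972.
        # On a host that should be alive, expiry means renewal broke or the host is down.
        return "expired-ok" if retired else "expired-active-host"
    if retired:
        # Still-valid certificate for a host that no longer exists: revoke it manually.
        return "revoke-now"
    if today >= cert["issued"] + RENEW_AFTER:
        # Past the automatic renewal point but the issue date never moved.
        return "renewal-overdue"
    return "healthy"


def audit(inventory, decommissioned, today):
    """Group host names by finding."""
    findings = defaultdict(list)
    for cert in inventory:
        findings[classify(cert, decommissioned, today)].append(cert["host"])
    return {finding: sorted(hosts) for finding, hosts in findings.items()}


# Constructed sample data, not taken from any real environment.
AUDIT_DATE = date(2019, 1, 15)
DECOMMISSIONED = {"old-vm01", "old-vm02", "old-vm03"}
INVENTORY = [
    {"host": "old-vm01", "issued": date(2017, 11, 1), "revoked": False},
    {"host": "old-vm02", "issued": date(2018, 9, 1), "revoked": False},
    {"host": "old-vm03", "issued": date(2018, 8, 1), "revoked": True},
    {"host": "db01", "issued": date(2017, 12, 1), "revoked": False},
    {"host": "app01", "issued": date(2018, 6, 1), "revoked": False},
    {"host": "web01", "issued": date(2018, 10, 1), "revoked": False},
]

if __name__ == "__main__":
    for finding, hosts in sorted(audit(INVENTORY, DECOMMISSIONED, AUDIT_DATE).items()):
        print(f"{finding:20} {', '.join(hosts)}")
```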