Expired host-id certificates - how to remove?

Question

I noticed several host-id certificates as expired on one of my backup domains (running 8.1.2). This was mainly due to us not revoking them during the decommissioning process till around a few weeks ago.So, in an attempt to do a cleanup of the expired certs, I tried to revoke them and got the following:[root@master01 16:57 /]# /usr/openv/netbackup/bin/nbcertcmd -revokeCertificate -host expiredHost.domain.name
Request to revoke certificate has failed.
EXIT STATUS 5972: The certificate could not be revoked. It was already revoked or expired.What are my options for the cleanup for these host-id certs? other than assuming "expired" certificate is as good as revoked for a decommissioned client and I will have to reissue the certificate anyway in case a hostname is reused for a new VM.&nbsp;

marianne · Answer

Seems you have already seen this post:&nbsp;Re: Completely remove host certificates in 8.1that references Article&nbsp;100041506 that says :Currently, it is not possible to remove entries from either the Host Management or Certificate Management tables. If a NetBackup host is moved from one NetBackup Master Server to another or is decommissioned entirely, it continues to be impossible to remove the host entries from either of these two tables.

anshu_pathak · Answer

X2&nbsp;Marianne&nbsp;
1. Certificate expiration is set to one year from date of issue however after 6 months of active period, certificates get renewed automatically (something like DHCP lease). So in ideal case you should NOT have expired certiticate for any active client/server. There are two reasons why a certified will get expired (a) There is a problem with reissue process (b) Client/Server is not active (powered OFF, NBU services stopped or NBU uninstalled). Once certificate has expired it cannot be used. Certificate expiration happens automatically and is not done by administrator.
2. Certificate revocation is a manual process done by NetBackup administrator.
So certifiate expiration (automatically) and certificate revokation (manualy by administrator) are actually same thing from certificate point of view. It marks this certificate as unuseable. Only operation available on expired/revoked certificate is to generate a reissue token so that you can ask CA (master server) a new certificate for the same client.
The reason why you cannot delete expired/revoked certificates is the security. An administrator should know how many revoked/expired certificates are there in his environment. More important NetBackup will not allow reissue of these certificates without an administrator's intervation (generating reissue token).&nbsp;
&nbsp;

mouse · Answer

I guess for security reasons you can't remove them as NBU needs to know if the client had its cert revoked or not, this is definitely not great and it clogs the views, I'd expect that Veritas need to get an option to hide them

x2 · Answer

Hmm.. yeah, I knew that already but I was thinking there might be a way to revoke an expired certificate.

I could live with the expired certificates as they are effectively revoked if the client has been destroyed (along with certs).

Thanks Marianne

genericus · Answer

Nice response about certificate revocation and expiration, but the question is regarding removal.
revoked and expired certificates are left "hanging around" - how can we remove them...
&nbsp;

Forum Discussion

Expired host-id certificates - how to remove?

5 Replies

Related Content

Certificate Expiration

Client Certificate Expired

Certificates Expired

Certificate on master server expired

CLI Command to list Host ID