Expired host-id certificates - how to remove?

I noticed several host-id certificates as expired on one of my backup domains (running 8.1.2). This was mainly due to us not revoking them during the decommissioning process till around a few weeks ago.

So, in an attempt to do a cleanup of the expired certs, I tried to revoke them and got the following:

[root@master01 16:57 /]# /usr/openv/netbackup/bin/nbcertcmd -revokeCertificate -host expiredHost.domain.name
Request to revoke certificate has failed.
EXIT STATUS 5972: The certificate could not be revoked. It was already revoked or expired.

What are my options for the cleanup for these host-id certs? other than assuming "expired" certificate is as good as revoked for a decommissioned client and I will have to reissue the certificate anyway in case a hostname is reused for a new VM.

 

Tags (2)
5 Replies

Re: Expired host-id certificates - how to remove?

Seems you have already seen this post: Re: Completely remove host certificates in 8.1
that references Article 100041506 that says :
Currently, it is not possible to remove entries from either the Host Management or Certificate Management tables. If a NetBackup host is moved from one NetBackup Master Server to another or is decommissioned entirely, it continues to be impossible to remove the host entries from either of these two tables.

Re: Expired host-id certificates - how to remove?

Hmm.. yeah, I knew that already but I was thinking there might be a way to revoke an expired certificate.

I could live with the expired certificates as they are effectively revoked if the client has been destroyed (along with certs).

Thanks @Marianne 

Highlighted

Re: Expired host-id certificates - how to remove?

@X2 @Marianne 

1. Certificate expiration is set to one year from date of issue however after 6 months of active period, certificates get renewed automatically (something like DHCP lease). So in ideal case you should NOT have expired certiticate for any active client/server. There are two reasons why a certified will get expired (a) There is a problem with reissue process (b) Client/Server is not active (powered OFF, NBU services stopped or NBU uninstalled). Once certificate has expired it cannot be used. Certificate expiration happens automatically and is not done by administrator.

2. Certificate revocation is a manual process done by NetBackup administrator.

So certifiate expiration (automatically) and certificate revokation (manualy by administrator) are actually same thing from certificate point of view. It marks this certificate as unuseable. Only operation available on expired/revoked certificate is to generate a reissue token so that you can ask CA (master server) a new certificate for the same client.

The reason why you cannot delete expired/revoked certificates is the security. An administrator should know how many revoked/expired certificates are there in his environment. More important NetBackup will not allow reissue of these certificates without an administrator's intervation (generating reissue token). 

 

Re: Expired host-id certificates - how to remove?

Nice response about certificate revocation and expiration, but the question is regarding removal.

revoked and expired certificates are left "hanging around" - how can we remove them...

 

NetBackup 8.1.2 on Solaris 11, writing to DataDomain 9800
duplicating via SLP to LTO5 in SL8500 via ACSLS
Tags (2)

Re: Expired host-id certificates - how to remove?

I guess for security reasons you can't remove them as NBU needs to know if the client had its cert revoked or not, this is definitely not great and it clogs the views, I'd expect that Veritas need to get an option to hide them