Client Certificates

Commvault implements its own Certificate Authority (CA) service running on the CommServe host. In addition to creating CA certificates, the CA service also creates client certificates, which allows the CommCell environment to authenticate connections between client computers and the CommServe host.

During the installation of a client computer into a CommCell environment, the installer uses built-in certificates to authenticate connections with the CommServe host. At the end of the installation, a CommCell-specific client certificate is automatically created and assigned to the client. After the certificate is assigned to the client, the client uses this unique certificate to authenticate itself in all network connections and refuses connections from other Commvault clients that are not part of this CommCell environment. Each client in the CommCell environment has a unique client certificate.

The following are general rules about CA certificates and client certificates:

  • When a CA certificate is manually renewed, the CommServe host does the following:

    • Pushes the new CA certificate to each remote client.

    • Creates and pushes a new client certificate to each remote client.

  • When a new CA certificate is automatically generated due to expiration of an old CA certificate, it does not not generate new certificates for remote clients at that time. Instead, when an old client certificate is about to expire, each client pulls a new client certificate created by the CA.

  • 14 days before the expiration date of the old CA certificate, each remote client pulls a new CA certificate for itself.

You can configure the CommServe host to enforce the use of client certificates during client installations and to refuse connections using built-in certificates.


  • Commvault generates client certificates based on 2048-bit RSA keys.

  • Matching RSA private keys are stored on the clients in 3DES-encrypted envelopes (by default), and are never transmitted across the network. To change the ciphers used to generate the client private keys, see Changing the Ciphers Used to Generate Client Private Keys.

  • Client certificates authenticate all tunnel connections using the TLS 1.2 protocol.