SOLVED: How To Recreate Backup Exec Certificates to Fix Establish Trust Problems

UPDATED: March 7 2024

If you are using Backup Exec you are aware that there is a trust relationship that is required between the backup exec and any clients computers that it is backing up. That trust is established through certificates which are NOT managed by Windows Certificate Manager (certlm.mmc). Backup Exec certificates are stored in its program files.

We recently had a seemingly bizarre situation in which our customers Backup Exec showed that the last successful backup occurred in the year 2036 (specifically 1/7/2036). That seems highly unlikely:

Much more importantly, Backup Exec would error out trying to run backups and would fail to “Establish Trust”.

The solution was to recreate the certificates used by Backup Exec, which turned out to be incredibly easy:

1. Stop ALL of the Backup Exec Services
   • You may have to END TASK on a few of them – we usually do
2. Butt Coverage – Copy all of the .CRT and .KEY files from C:\Program Files\Symantec\Backup Exec\Data to a safe place
   • NOTE – this path will change with every new owner of BUExec. Ours was in a SYMANTEC folder, but yours might be in a VERITAS folder
   • Like a new folder on your desktop
3. Delete ALL of the .CRT and .KEY files from C:\Program Files\Symantec\Backup Exec\Data
4. Start ALL of the Backup Exec Services
   • Confirm there are a bunch of new .CRT and .KEY files in C:\Program Files\Symantec\Backup Exec\Data
5. In Backup Exec, right click on a server and select ESTABLISH TRUST.
   • If all works, you can safely delete the files you copied in step 2 above
6. If you see the NEXT BACKUP JOB DATE as still being well into the future (i.e 2036), right click on the server and select RUN START NEXT BACKUP JOB NOW
7. Have a nice day