This is an archive version of the document. To get the most up-to-date information, see the current version.

SSL Certificates Handshake

    SSL certificates are installed on the following components in the Veeam Cloud Connect infrastructure:

    • The SSL certificate with a public key and private key is installed on the SP Veeam backup server. The tenant account under which the Veeam Cloud Connect Service runs must have permissions to access this SSL certificate.
    • The SSL certificate with a public key is installed on all tenants’ Veeam backup servers (in the case of self-signed certificates).

    When the tenant starts a job or task targeted at the cloud repository or the cloud host, the parties perform an SSL handshake to authenticate themselves:

    1. To connect to Veeam Cloud Connect resources (cloud repository and/or cloud host), the Veeam backup server on the tenant's side first sends a request to the cloud gateway.
    2. The cloud gateway passes this request to the SP Veeam backup server.
    3. The SP Veeam backup server exposes the SSL certificate installed on it to the tenant's Veeam backup server via the cloud gateway.
    4. The tenant's Veeam backup server checks whether the exposed SSL certificate is trusted or matches the SSL certificate saved in the Veeam Backup & Replication database.
    5. The SP Veeam backup server establishes a secure communication channel in the Veeam Cloud Connect infrastructure, and VM data from the tenant’s side is transported to the cloud repository or cloud host.

    Veeam Backup & Replication supports both wildcard certificates and certificates that have multiple FQDNs listed in the Subject or Subject Alternative Name field.

    If you use a wildcard certificate (like *.domain.com), cloud gateways whose DNS names do not include .domain.com will not be trusted, and Veeam Backup & Replication will not use these cloud gateways for communication with the cloud repository.
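
    The following added example (not Veeam code) is a pre-deployment check that lists which cloud gateway DNS names are not covered by the names in a certificate's Subject or Subject Alternative Name field. The gateway names and certificate names are constructed, and the matching rule is the standard TLS one from RFC 6125 (the wildcard stands for exactly one left-most label), which is an assumption about how names are compared rather than Veeam's documented logic.

```python
# Added example: checks cloud gateway DNS names against certificate names.
# Assumption: RFC 6125-style matching, not Veeam's own (undocumented here) logic.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(cert_name, host):
    """True if cert_name (exact FQDN or '*.zone') covers host.

    The '*' is accepted only as the whole left-most label and stands for
    exactly one label, so '*.domain.com' covers 'gw1.domain.com' but not
    'domain.com' or 'gw3.backup.domain.com'.
    """
    c, h = _labels(cert_name), _labels(host)
    if len(c) != len(h) or "" in h:
        return False
    if c[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects '*.com').
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def uncovered_gateways(cert_names, gateways):
    """Return the gateway DNS names that no Subject/SAN entry covers."""
    return [g for g in gateways
            if not any(name_matches(n, g) for n in cert_names)]

# Constructed sample input: one wildcard certificate, five gateway names.
CERT_NAMES = ["*.domain.com"]
GATEWAYS = [
    "gw1.domain.com",
    "gw2.domain.com",
    "gw3.backup.domain.com",  # two labels below the zone
    "gw4.example.net",        # different domain
    "domain.com",             # bare zone apex
]

if __name__ == "__main__":
    for gw in uncovered_gateways(CERT_NAMES, GATEWAYS):
        print("not covered by certificate:", gw)
```

    Adding the missing FQDNs as extra Subject Alternative Name entries, for example `gw4.example.net` next to `*.domain.com`, makes the same check pass for those gateways.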