Using Certificate Signed by Internal CA

To establish a secure connection between the backup server and the AHV Backup Proxy VM, Veeam Backup & Replication uses a TLS certificate. By default, Veeam Backup & Replication uses a self-signed certificate. Veeam Backup & Replication generates this certificate when you install the product on the machine.

In you want to use a certificate signed by your internal Certification Authority (CA), make sure that the following requirements are met:

• Veeam Backup & Replication server must trust the CA. That means that the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the Veeam Backup & Replication server.
• Certificate Revocation List (CRL) must be accessible from the Veeam Backup & Replication server.

A certificate signed by a CA must meet the following requirements:

1. The certificate subject must be equal to the fully qualified domain name of the Veeam Backup & Replication server. For example: vbrserver.domain.local.

2. The following key usage extensions must be enabled in the certificate to sign and deploy child certificates for the AHV Backup Proxy VM:

• Digital Signature
• Certificate Signing
• Off-line CRL Signing
• CRL Signing (86)

If you use Windows Server Certification Authority, it is recommended that you issue a Veeam Backup & Replication certificate based on the built-in "Subordinate Certification Authority" template or templates similar to it.

3. The key type in the certificate must be set to Exchange.

If you create a certificate request using the Windows MMC console, to specify the key type, do the following:

1. At the Request Certificates step of the Certificate Enrollment wizard, select a check box next to the necessary certificate template and click Properties.

2. In the Certificate Properties window, click the Private Key tab.
3. In the Key Type section, select Exchange.

To start using the signed certificate, you must select it from the certificates store on the Veeam Backup & Replication server. To learn more, see Importing Certificates from Certificate Store.

Reconnecting to AHV Backup Proxy

After you specify the signed certificate in Veeam Backup & Replication, AHV Backup Proxy is not able to communicate with the Veeam Backup & Replication server and backup jobs fail. To reconnect the Veeam Backup & Replication server to AHV Backup Proxy, do the following:

1. In the Veeam Backup & Replication console, open the Backup Infrastructure pane.
2. In the inventory pane, select the Backup Proxies node.
3. In the working area, select the AHV backup proxy and click Edit Proxy on the ribbon or right-click the AHV backup proxy and select Properties.
4. Edit AHV backup proxy settings as required. You will be requested to go through the same steps as you have followed when adding an AHV backup proxy.