Help Center
Choose product document...
Veeam Backup & Replication 9.5 Update 4
Veeam Agent Management Guide

Using Certificate Signed by Internal CA

To establish a secure connection between the backup server and protected computers, Veeam Backup & Replication uses a TLS certificate. By default, Veeam Backup & Replication uses a self-signed certificate. Veeam Backup & Replication generates this certificate when you install the product on the Veeam backup server.

In you want to use a certificate signed by your internal Certification Authority (CA), make sure that the following requirements are met:

  • Veeam Agents and Veeam Backup & Replication must trust the CA. That is, the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the Veeam backup server and Veeam Agent computers.
  • Certificate Revocation List (CRL) must be accessible from the Veeam backup server and Veeam Agent computers.
  • [For Linux-based Veeam Agent computers] OpenSSL version 1.0 or later must be installed on the Veeam Agent computer.

A certificate signed by a CA must meet the following requirements:

  1. The certificate subject must be equal to the fully qualified domain name of the Veeam backup server. For example: vbrserver.domain.local.

Using Certificate Signed by Internal CA 

  1. The following key usage extensions must be enabled in the certificate to sign and deploy child certificates for Veeam Agent computers:
  • Digital Signature
  • Certificate Signing
  • Off-line CRL Signing
  • CRL Signing (86)

If you use Windows Server Certification Authority, it is recommended that you issue a Veeam Backup & Replication certificate based on the built-in "Subordinate Certification Authority" template or templates similar to it.

Using Certificate Signed by Internal CA 

  1. The key type in the certificate must be set to Exchange.

If you create a certificate request using the Windows MMC console, to specify the key type, do the following:

  1. At the Request Certificates step of the Certificate Enrollment wizard, select a check box next to the necessary certificate template and click Properties.

Using Certificate Signed by Internal CA 

  1. In the Certificate Properties window, click the Private Key tab.
  2. In the Key Type section, select Exchange.

Using Certificate Signed by Internal CA 

To start using the signed certificate, you must select it from the certificates store on the Veeam backup server. To learn more, see Importing Certificates from Certificate Store.

After you specify the signed certificate in Veeam Backup & Replication, the during the next backup job session Veeam Agents will receive child certificates from the Veeam backup server.

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Explorers User Guide

Backup and Restore of SQL Server Databases

Veeam Plug-ins for Enterprise Applications

PowerShell Reference

Veeam Explorers PowerShell Reference

RESTful API Reference

Required Permissions

Veeam Availability for Nutanix AHV

Veeam Backup for Microsoft Office 365 Documentation

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation