SSL Encryption

In this article

    Veeam Backup Enterprise Manager REST API is a self-hosted WCF service that can be run over the HTTP and HTTPS protocols:

    • For HTTPS protocol, port 9398 is used
    • For HTTP protocol, port 9399 is used (starting from Veeam Backup Enterprise Manager 10, the HTTP protocol is deprecated as insecure)

    When Veeam Backup Enterprise Manager REST API is running over HTTPS, the communication between the client and the server is secured with the SSL protocol. For SSL connections, Veeam Backup Enterprise Manager REST API uses the same self-signed SSL certificate that is created for Veeam Backup Enterprise Manager during its installation.

    By default, when Veeam Backup Enterprise Manager is installed, the SSL certificate is bound to the HTTPS port 9398.

    Click the image to zoom out

    To view the SSL certificate used for Veeam Backup Enterprise Manager REST API, enter the following command in the command line:

    netsh http show sslcert ipport=0.0.0.0:9398

    SSL Encryption 

    If the existing SSL certificate expires, you need to update the SSL certificate with the netsh command. To learn more, see Updating SSL Certificate.

    Updating SSL Certificate

    If the existing SSL certificate expires, you need to bind a new certificate to the HTTPS port 9398.

    To update the SSL certificate:

    1. On the server where Veeam Backup Enterprise Manager is installed, import the SSL certificate obtained from a Certification Authority (CA) with the Certificates snap-in for the computer account. For more information, see this and this articles of Microsoft Docs.

    If you want to use a self-signed SSL certificate for Veeam Backup Enterprise Manager REST API, on the server where Veeam Backup Enterprise Manager is installed, create a new self-signed certificate with IIS Manager. For more information, see Microsoft Docs.

    1. Remove the expired SSL certificate with the following command:

    netsh http delete sslcert ipport=0.0.0.0:9398

    1. Bind the new SSL certificate to the 9398 port and the REST API application ID. Use the following command:

    netsh http add sslcert ipport=0.0.0.0:9398 certhash=string appid={73ec9393-95b6-4498-a845-9a0cb95306be}

    where:

    • string — SHA hash of the new SSL certificate. You can view the certificate hash in the list of certificates in IIS Manager. To learn more, see Microsoft Docs.

    For example:

    netsh http add sslcert ipport=0.0.0.0:9398 certhash=df43bb1342654f1010b2ab31d682366df2e5697f appid={73ec9393-95b6-4498-a845-9a0cb95306be}

     

    I want to report a typo

    There is a misspelling right here:

     

    I want to let the Veeam Documentation Team know about that.