TLS Certificate

In this article

    Veeam Backup Enterprise Manager REST API is a self-hosted WCF service. You can connect to the REST API over the HTTP or HTTPS protocol. HTTPS connection between the client and server is secured with the TLS protocol. In this case, the client verifies the REST API identity with a server TLS certificate.

    When you are running the Veeam Backup Enterprise Manager setup wizard, you can specify a port for connection with the REST API service. The default HTTPS port is 9398. During the installation, a self-signed TLS certificate is created and bound to Enterprise Manager, the REST API and their ports.

    If the existing TLS certificate expires, or if you want to use another certificate, for example, the one obtained from a Certificate Authority, you can update the current certificate with the netsh command. For details, see Updating TLS Certificate.

    Note

    For HTTP connection, port 9399 is used. Starting from Veeam Backup Enterprise Manager 10, the HTTP protocol is deprecated as insecure.

    Click the image to zoom out

    Viewing TLS Certificate

    To view the TLS certificate used for the REST API, enter the following command in the command line:

    netsh http show sslcert ipport=0.0.0.0:9398

    Click the image to zoom out

    Updating TLS Certificate

    If the existing TLS certificate expires, you need to remove it and bind a new certificate to the HTTPS port 9398.

    To update the TLS certificate:

    1. On the server where Veeam Backup Enterprise Manager is installed, import the TLS certificate obtained from a Certificate Authority (CA) with the Certificates snap-in for the computer account. For details, see this and this articles of Microsoft Docs.

    If you want to use a self-signed certificate for Veeam Backup Enterprise Manager REST API, on the server where Veeam Backup Enterprise Manager is installed, create a new self-signed certificate with IIS Manager. For details, see Microsoft Docs.

    1. Remove the expired certificate with the following command:

    netsh http delete sslcert ipport=0.0.0.0:9398

    1. Bind the new TLS certificate to the 9398 port and the REST API application ID. Use the following command:

    netsh http add sslcert ipport=0.0.0.0:9398 certhash=<string> appid="{73ec9393-95b6-4498-a845-9a0cb95306be}"

    where <string> is an SHA hash of the new certificate. You can view the certificate hash in the list of certificates in IIS Manager. To learn more, see Microsoft Docs.

    For example:

    netsh http add sslcert ipport=0.0.0.0:9398 certhash=df43bb1342654f1010b2ab31d682366df2e5697f appid="{73ec9393-95b6-4498-a845-9a0cb95306be}"