When you configure the Veeam Backup & Replication infrastructure, you can specify what TLS certificate must be used to establish a secure connection from backup infrastructure components to the backup server. Veeam Backup & Replication offers the following options for TLS certificates:
- Keep the default self-signed TLS certificate generated by Veeam Backup & Replication at the process of upgrading to a new version of Veeam Backup & Replication.
- Use Veeam Backup & Replication to generate a new self-signed TLS certificate. To learn more, see Generating Self-Signed Certificates.
- Select an existing TLS certificate from the certificates store. To learn more, see Importing Certificates from Certificate Store.
- Import a TLS certificate from a file in the PFX format. To learn more, see Importing Certificates from PFX Files.
If you plan to use a certificate issued by your own Certificate Authority (CA), make sure that the certificate meets the requirements. For more information, see Using Certificate Signed by Internal CA.
If you update the TLS certificate used on the backup server, you must also update info about the certificate on the following backup infrastructure components:
If you remove the old certificate from the Microsoft Windows certificate store, you must also reconfigure Veeam Agents added to the Computers with pre-installed agents protection group. To do this, repeat the configuration step of the Veeam Agent deployment scenario as described in the subsections of the Deploying Veeam Agents Using Generated Setup Files section. Other protection groups will be automatically reconfigured during the next rescan operation.
If you do not remove the old certificate from the Microsoft Windows certificate store, all protection groups will be automatically reconfigured the next time Veeam Agents connect to the backup server.