Using Certificate Signed by Internal CA
If you want to use a certificate signed by your own Certification Authority (CA), consider the following:
- Make sure that Veeam Backup & Replication server trusts the CA. That means that the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the Veeam Backup & Replication server. Also, Certificate Revocation List (CRL) must be accessible from the Veeam Backup & Replication server.
- If you use Windows Server Certification Authority, issue a Veeam Backup & Replication certificate based on the built-in Subordinate Certification Authority template or templates similar to it. You can manage templates with the Certificate Templates MMC snap-in.
The following certificates are not supported:
A certificate signed by a CA must meet the following requirements:
- The certificate subject is equal to the fully qualified domain name of the Veeam Backup & Replication server. For example: vbrserver.domain.local.
- The Subject Alternative Name field contains both the FQDN and the NetBIOS name. You can add multiple DNS entries in the following format: DNS:vbrserver.domain.local,DNS:vbrserver.
- The minimum key size is 2048 bits.
- The following key usage extensions are enabled in the certificate:
- Digital Signature
- Certificate Signing
- Off-line CRL Signing
- CRL Signing (86)
- The Path Length Constraint parameter in the Basic Constraints extension is set to 0.
If you use Windows Server Certification Authority, open the Certificate Templates MMC snap-in and select the certificate template based on the built-in Subordinate Certification Authority template or templates similar to it. On the Extensions tab, enable the Do not allow subject to issue certificates to other CAs option.
- The key type in the certificate is set to Exchange.
To start using the signed certificate, you must select it from the certificates store on the Veeam Backup & Replication server. To learn more, see Importing Certificate from Certificate Store.