SSL Encryption

In this article

    Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server SSL certificate.

    When you are running the Veeam Backup & Replication setup wizard, you can specify a port for connection with the REST API service. The default port is 9419. During the installation, a self-signed SSL certificate is created and bound to the REST API and specified port. You can add another certificate obtained from a Certificate Authority. For details on adding a new certificate, see Updating SSL Certificate.

    Click the image to zoom out

    To view the SSL certificate, use the following command in the command line:

    netsh http show sslcert ipport=0.0.0.0:9419

    If the existing SSL certificate expires, update the SSL certificate with the netsh command.

    Updating SSL Certificate

    If the existing SSL certificate expires, you need to remove it and bind a new certificate to the 9419 port.

    To update the SSL certificate:

    1. On the backup server, import the SSL certificate obtained from a Certificate Authority with the Certificates snap-in for the computer account. For details, see this and this articles of Microsoft Docs.

    If you want to use a self-signed SSL certificate for the REST API, create a new self-signed certificate on the backup server. You can do it, for example, with IIS Manager. For details, see Microsoft Docs.

    1. Remove the expired SSL certificate with the following command:

    netsh http delete sslcert ipport=0.0.0.0:9419

    1. Bind the new SSL certificate to the 9419 port and the REST API application ID. Use the following command:

    netsh http add sslcert ipport=0.0.0.0:9419 certhash=<string> appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}"

    where <string> is an SHA hash of the new SSL certificate. You can view the certificate hash in the list of certificates in IIS Manager. For details, see Microsoft Docs.

    For example:

    netsh http add sslcert ipport=0.0.0.0:9419 certhash=df43bb1342654f1010b2ab31d682366df2e5697f appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}"