TLS Certificate

Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. The REST API uses the certificate of Veeam Backup & Replication.

When you are running the Veeam Backup & Replication setup wizard, you can specify a port that must be used for connection with the REST API service. The default port is 9419. During the Veeam Backup & Replication installation, a self-signed TLS certificate is created and bound to the REST API and the specified port.

If the existing TLS certificate expires, or if you want to use another certificate (for example, the one obtained from a Certificate Authority), you can add a new certificate. For details, see Updating TLS Certificate.

Click the image to zoom out

To view the TLS certificate, use the following command in the command line:

netsh http show sslcert ipport=0.0.0.0:9419

If the existing TLS certificate expires, update it with the netsh command.

Updating TLS Certificate

If the existing TLS certificate expires, you need to remove it, add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell, and bind the new certificate to the 9419 port.

To update the TLS certificate:

  1. Remove the current TLS certificate with the following command:

netsh http delete sslcert ipport=0.0.0.0:9419

  1. Add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell. For details, see the Backup Server Certificate section of the Veeam Backup & Replication User Guide and the Add-VBRBackupServerCertificate section of the Veeam PowerShell Reference.
  2. Bind the new TLS certificate to the 9419 port and the REST API application ID. Use the following command:

netsh http add sslcert ipport=0.0.0.0:9419 certhash=<hash> appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}" certstorename=<storeName>

where:

  • <hash> is an SHA hash of the new certificate. You can view the certificate hash with the Certificate Manager tool. To details, see Microsoft Docs.
  • <storeName> is a certificate store name. The parameter is optional, defaults to MY.

For example:

netsh http add sslcert ipport=0.0.0.0:9419 certhash=df43bb1342654f1010b2ab31d682366df2e5697f appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}" certstorename=WebHosting

For more information on the add sslcert command, see Microsoft Docs.

 

Page updated 2/15/2024

Page content applies to build 12.3.0.310