TLS Certificate

In this article

    Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. The REST API uses the certificate of Veeam Backup & Replication.

    When you are running the Veeam Backup & Replication setup wizard, you can specify a port that must be used for connection with the REST API service. The default port is 9419. During the Veeam Backup & Replication installation, a self-signed TLS certificate is created and bound to the REST API and the specified port.

    If the existing TLS certificate expires, or if you want to use another certificate (for example, the one obtained from a Certificate Authority), you can add a new certificate. For details, see Updating TLS Certificate.

    Click the image to zoom out

    To view the TLS certificate, use the following command in the command line:

    netsh http show sslcert ipport=0.0.0.0:9419

    If the existing TLS certificate expires, update it with the netsh command.

    Updating TLS Certificate

    If the existing TLS certificate expires, you need to remove it, add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell, and bind the new certificate to the 9419 port.

    To update the TLS certificate:

    1. Remove the current TLS certificate with the following command:

    netsh http delete sslcert ipport=0.0.0.0:9419

    1. Add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell. For details, see the TLS Certificates section of the Veeam Backup & Replication User Guide and the Add-VBRBackupServerCertificate section of the Veeam PowerShell Reference.
    2. Bind the new TLS certificate to the 9419 port and the REST API application ID. Use the following command:

    netsh http add sslcert ipport=0.0.0.0:9419 certhash=<string> appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}"

    where <string> is an SHA hash of the new TLS certificate. You can view the certificate hash in the list of certificates in IIS Manager. For details, see Microsoft Docs.

    For example:

    netsh http add sslcert ipport=0.0.0.0:9419 certhash=df43bb1342654f1010b2ab31d682366df2e5697f appid="{284175c4-aa3e-4c6f-a2dd-5a4c80552eb9}"