TLS Certificate

Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. The REST API uses the certificate of Veeam Backup & Replication.

When you are running the Veeam Backup & Replication setup wizard, you can specify a port that must be used for connection with the REST API service. The default port is 9419. During the Veeam Backup & Replication installation, a self-signed TLS certificate is created and bound to the REST API and the specified port.

If the existing TLS certificate expires, or if you want to use another certificate (for example, the one obtained from a Certificate Authority), you can add a new certificate. For details, see Updating TLS Certificate.

To view the TLS certificate, use the following command in the command line:

If the existing TLS certificate expires, update it with the netsh command.

Updating TLS Certificate

If the existing TLS certificate expires, you need to remove it, add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell, and bind the new certificate to the 9419 port.

To update the TLS certificate:

1. Remove the current TLS certificate with the following command:

2. Add a new certificate with the Veeam Backup & Replication console or Veeam PowerShell. For details, see the Backup Server Certificate section of the Veeam Backup & Replication User Guide and the Add-VBRBackupServerCertificate section of the Veeam PowerShell Reference.
3. Bind the new TLS certificate to the 9419 port and the REST API application ID. Use the following command:

where:

• <hash> is an SHA hash of the new certificate. You can view the certificate hash with the Certificate Manager tool. To details, see Microsoft Docs.
• <storeName> is a certificate store name. The parameter is optional, defaults to MY.

For example:

For more information on the add sslcert command, see Microsoft Docs.