Backup Server Certificate

When you configure the Veeam Backup & Replication infrastructure, you can specify what TLS certificate must be used to establish a secure connection from backup infrastructure components to the backup server. Veeam Backup & Replication offers the following options for TLS certificates:

Keep the default self-signed TLS certificate generated by Veeam Backup & Replication at the process of upgrading to a new version of Veeam Backup & Replication.
Use Veeam Backup & Replication to generate a new self-signed TLS certificate. To learn more, see Generating Self-Signed Certificate.
Select an existing TLS certificate from the certificate store. To learn more, see Importing Certificate from Certificate Store.
Import a TLS certificate from a file in the PFX format. To learn more, see Importing Certificate from PFX Files.

If you plan to use a certificate issued by your own Certificate Authority (CA), make sure that the certificate meets the requirements. For more information, see Using Certificate Signed by Internal CA.

Important

If you update the TLS certificate used on the backup server, you must also update info about the certificate on the following backup infrastructure components:

For AHV Backup proxies, pass through the Edit Nutanix Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish. Also, restart the Veeam AHV Service.
For RHV Backup proxies, pass through the Edit Red Hat Virtualization Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.
For VMware clusters, pass through the I/O filter Management wizard as described in section Installing I/O Filter.
For VMware CDP proxies, pass through the Edit VMware CDP Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.

If you remove the old certificate from the Microsoft Windows certificate store, you must also reconfigure Veeam Agents added to the Computers with pre-installed agents protection group. To do this, repeat the configuration step of the Veeam Agent deployment scenario as described in the subsections of the Deploying Veeam Agents Using Generated Setup Files section. Other protection groups will be automatically reconfigured during the next rescan operation.

If you do not remove the old certificate from the Microsoft Windows certificate store, all protection groups will be automatically reconfigured the next time Veeam Agents connect to the backup server.