The KMS server certificate must meet the following requirements:
- If you use a server certificate in the PEM format, it must contain the -----BEGIN CERTIFICATE----- header at the beginning of the file and the -----END CERTIFICATE----- footer at the end of the file.
- The Subject extension must be equal to the fully qualified domain name (FQDN) of the KMS server. For example: kms.domain.local.
- The server certificate must have valid CRL distribution points specified in the CRL Distribution Points extension.
- If the Veeam Backup & Replication server does not trust the Certificate Authority (CA) of the server certificate, it should be added to the Trusted Root Certification Authority store.
The client certificate issued by the KMS administrator for Veeam Backup & Replication must be exportable.