TLS Certificates


    When you configure the Veeam Backup & Replication infrastructure, you can specify which TLS certificate is used to establish a secure connection from backup infrastructure components to the backup server. Veeam Backup & Replication offers the following options for TLS certificates:

    • You can choose to keep the default self-signed TLS certificate that Veeam Backup & Replication generates during the upgrade to a new version of Veeam Backup & Replication.
    • You can use Veeam Backup & Replication to generate a new self-signed TLS certificate. To learn more, see Generating Self-Signed Certificates.
    • You can select an existing TLS certificate from the certificates store. To learn more, see Importing Certificates from Certificate Store.
    • You can import a TLS certificate from a file in the PFX format. To learn more, see Importing Certificates from PFX Files.


    If you plan to use a certificate issued by your own CA, make sure that the certificate meets the following requirements:

    1. The following Key Usage extensions are enabled in the certificate: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing.
    2. The Key Type in the certificate is set to Exchange.
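
One way to check a CA-issued certificate against these two requirements before selecting it. This is an added example, not part of the Veeam documentation. It assumes Windows PowerShell 5.1, a certificate already installed in the local machine Personal store with a CSP (non-CNG) private key, and that the Key Type above corresponds to the key number reported by the CSP; the `-Thumbprint` value is a placeholder you supply.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    # Placeholder: thumbprint of the certificate you plan to use.
    [Parameter(Mandatory)] [string] $Thumbprint
)

$ErrorActionPreference = 'Stop'
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

# Requirement 1: Key Usage extension.
# Windows displays "Off-line CRL Signing" and "CRL Signing" for the same bit,
# so three flags cover the four names in the requirement.
$requiredFlags = 'DigitalSignature', 'KeyCertSign', 'CrlSign'

$kuExt = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
$actual = if ($kuExt) { $kuExt.KeyUsages } else { [X509KeyUsageFlags]::None }

$missing = $requiredFlags |
    Where-Object { -not $actual.HasFlag([X509KeyUsageFlags] $_) }

# Requirement 2: Key Type must be Exchange.
# CspKeyContainerInfo.KeyNumber is only available for CSP keys; for CNG keys
# or an inaccessible private key the value stays $null.
$keyType = $null
if ($cert.HasPrivateKey) {
    try { $keyType = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { }
}
$keyTypeText = if ($keyType) { "$keyType" }
               else { 'not readable (no private key, CNG key, or access denied)' }

[pscustomobject]@{
    Subject           = $cert.Subject
    NotAfter          = $cert.NotAfter
    KeyUsages         = $actual
    MissingKeyUsages  = $missing -join ', '
    KeyType           = $keyTypeText
    MeetsRequirements = (-not $missing) -and ($keyType -eq 'Exchange')
}
```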



    If you use Continuous Data Protection (CDP) and update the TLS certificate used on the backup server, you must also update the certificate information on the backup infrastructure components used for CDP:

    1. For VMware clusters, update the I/O filter as described in Upgrading and Uninstalling I/O Filter.
    2. For VMware CDP proxies, go through the Edit VMware CDP Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.