Using Certificate Signed by Internal CA

    If you want to use a certificate signed by your own Certification Authority (CA), make sure that the following requirements are met:

    • The Veeam Backup & Replication server must trust the CA: the Certification Authority certificate must be added to the Trusted Root Certification Authorities store on the Veeam Backup & Replication server.
    • The Certificate Revocation List (CRL) must be accessible from the Veeam Backup & Replication server.
    • When issuing the certificate, make sure the Subject Alternative Name field contains both the FQDN and the NetBIOS name. You can add multiple DNS entries in the following format: DNS:vbrserver.domain.local,DNS:vbrserver.

    A certificate signed by a CA must meet the following requirements:

    • The certificate subject is equal to the fully qualified domain name of the Veeam Backup & Replication server. For example: vbrserver.domain.local.

    • The minimum key size is 2048 bits.
    • The following key usage extensions are enabled in the certificate:
      • Digital Signature
      • Certificate Signing
      • Off-line CRL Signing
      • CRL Signing (86)

    If you use Windows Server Certification Authority, issue a Veeam Backup & Replication certificate based on the built-in "Subordinate Certification Authority" template or templates similar to it.

    • The Path Length Constraint parameter in the Basic Constraints extension is set to 0. If you use Windows Server Certification Authority, enable the Do not allow subject to issue certificates to other CAs option in the certificate template to set this.
    • The key type in the certificate is set to Exchange.

    To start using the signed certificate, you must select it from the certificates store on the Veeam Backup & Replication server. To learn more, see Importing Certificates from Certificate Store.
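
One way to check an issued certificate against the requirements above before selecting it, written as an added example and not taken from Veeam's documentation or code. It assumes the certificate is already in the LocalMachine\My store; `$Thumbprint` is a placeholder you supply, the host names default to the sample values on this page, and the key type (Exchange) requirement is not checked here.

```powershell
# Added example: checks one certificate against the requirements listed on this page.
using namespace System.Security.Cryptography.X509Certificates
param(
    [Parameter(Mandatory)] [string] $Thumbprint,      # placeholder, supplied by you
    [string] $Fqdn    = 'vbrserver.domain.local',     # sample name from this page
    [string] $NetBios = 'vbrserver'                   # sample name from this page
)
$cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$ext   = @($cert.Extensions)
$check = [ordered]@{}

# Subject must equal the server FQDN.
$check['Subject equals FQDN'] = $cert.GetNameInfo('SimpleName', $false) -eq $Fqdn

# The SAN extension (OID 2.5.29.17) must exist and list both the FQDN and the NetBIOS name.
$hasSan = [bool]($ext | Where-Object { $_.Oid.Value -eq '2.5.29.17' })
$dns    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$check['SAN has FQDN and NetBIOS'] = $hasSan -and ($dns -contains $Fqdn) -and ($dns -contains $NetBios)

# Key size of at least 2048 bits (this check reads the RSA public key).
$rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
$check['Key size >= 2048'] = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)

# Key usage: Digital Signature (0x80), Certificate Signing (0x04), CRL Signing (0x02) = 0x86.
# Windows displays the CRL bit as both "Off-line CRL Signing" and "CRL Signing".
$ku   = $ext | Where-Object { $_ -is [X509KeyUsageExtension] }
$need = [X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'
$check['Key usage (86)'] = ($null -ne $ku) -and $ku.KeyUsages.HasFlag($need)

# Basic Constraints: Path Length Constraint must be present and equal to 0.
$bc = $ext | Where-Object { $_ -is [X509BasicConstraintsExtension] }
$check['Path length = 0'] = ($null -ne $bc) -and $bc.HasPathLengthConstraint -and ($bc.PathLengthConstraint -eq 0)

# Chain must build to a trusted root with online revocation checking (CRL reachable).
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$check['Chain trusted, CRL reachable'] = $chain.Build($cert)
$chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

$check.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' }) }
if ($chainErrors) { "Chain status: $chainErrors" }
```

A chain status of `UntrustedRoot` points to the first requirement (CA not in the trusted root store); `RevocationStatusUnknown` or `OfflineRevocation` points to the CRL not being reachable from this server.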