Using Certificate Signed by Internal CA

If you want to use a certificate signed by your own Certification Authority (CA), consider the following:

  • Make sure that the Veeam Backup & Replication server trusts the CA. That means the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the Veeam Backup & Replication server. Also, the Certificate Revocation List (CRL) must be accessible from the Veeam Backup & Replication server.
  • If you use Windows Server Certification Authority, issue a Veeam Backup & Replication certificate based on the built-in Subordinate Certification Authority template or templates similar to it. You can manage templates with the Certificate Templates MMC snap-in.

 

Important

The following certificates are not supported:

  • Elliptic Curve Signature (ECC) certificates
  • Cryptography API: Next Generation (CNG) certificates

A certificate signed by a CA must meet the following requirements:

  • The certificate subject is equal to the fully qualified domain name of the Veeam Backup & Replication server. For example: vbrserver.domain.local.

  • The Subject Alternative Name field contains both the FQDN and the NetBIOS name. You can add multiple DNS entries in the following format: DNS:vbrserver.domain.local,DNS:vbrserver.
  • The minimum key size is 2048 bits.
  • The following key usage extensions are enabled in the certificate:
    • Digital Signature
    • Certificate Signing
    • Off-line CRL Signing
    • CRL Signing (86)

  • The Path Length Constraint parameter in the Basic Constraints extension is set to 0.

If you use Windows Server Certification Authority, open the Certificate Templates MMC snap-in and select the certificate template based on the built-in Subordinate Certification Authority template or templates similar to it. On the Extensions tab, enable the Do not allow subject to issue certificates to other CAs option.

  • The key type in the certificate is set to Exchange.

To start using the signed certificate, you must select it from the certificates store on the Veeam Backup & Replication server. To learn more, see Importing Certificate from Certificate Store.
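Before selecting the certificate, you can audit it against the requirements above. The following PowerShell check is an added example, not Veeam code. It assumes the certificate is in the LocalMachine\My store, that Windows runs with an English display language (SAN entries render as "DNS Name=..."), and it uses the sample names from this page; the function name Test-VbrCertificate is hypothetical.

```powershell
# Added example: audit a certificate against the requirements listed on this page.
$Fqdn    = 'vbrserver.domain.local'   # sample FQDN from this page; replace with your own
$NetBios = 'vbrserver'                # sample NetBIOS name from this page

function Test-VbrCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn,
        [string]$NetBios
    )
    $ku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $bc  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints

    # Assumption: English Windows, where SAN DNS entries are formatted as "DNS Name=<value>".
    $sanNames = @()
    if ($san) {
        $sanNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Returns $null for non-RSA public keys, which covers the unsupported ECC case.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)

    # Digital Signature + Certificate Signing + CRL Signing is what Windows displays as (86).
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'

    # A legacy CSP key exposes KeyNumber (Exchange or Signature); a CNG key does not.
    $keyNumber = $null
    try {
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyNumber = $key.CspKeyContainerInfo.KeyNumber
        }
    } catch { }   # Windows PowerShell 5.1 can throw here for CNG-backed keys

    [ordered]@{
        'Subject equals FQDN'                = $Cert.GetNameInfo('SimpleName', $false) -eq $Fqdn
        'SAN has FQDN and NetBIOS name'      = ($sanNames -contains $Fqdn) -and ($sanNames -contains $NetBios)
        'RSA key (not ECC), 2048+ bits'      = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
        'Key usage bits (86) present'        = ($ku.KeyUsages -band $required) -eq $required
        'Path Length Constraint is 0'        = ($null -ne $bc) -and $bc.HasPathLengthConstraint -and ($bc.PathLengthConstraint -eq 0)
        'CSP key (not CNG), type Exchange'   = "$keyNumber" -eq 'Exchange'
        'Chain validates (trust, CRL check)' = $Cert.Verify()
    }
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*$Fqdn*" | ForEach-Object {
    "Thumbprint: $($_.Thumbprint)"
    Test-VbrCertificate -Cert $_ -Fqdn $Fqdn -NetBios $NetBios
}
```

Run it in an elevated session on the Veeam Backup & Replication server so the private key is readable; any check that returns False points to the requirement to fix before importing the certificate.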

Page updated 9/3/2024

Page content applies to build 12.2.0.334