Using Certificate Signed by Internal CA

If you want to use a certificate signed by your own Certification Authority (CA), consider the following:

  • Make sure that Veeam ONE Server trusts the CA. That means that the Certification Authority certificate must be added to the Trusted Root Certification Authorities store on the machine hosting Veeam ONE Server. Ensure the Certificate Revocation List (CRL) is accessible from Veeam ONE Server.
  • If you use Windows Server Certification Authority, issue a Veeam ONE certificate based on the built-in Subordinate Certification Authority template or a similar template. You can manage templates with the Certificate Templates MMC snap-in.

Veeam ONE Website Certificate Requirements

  • The certificate subject must be equal to the fully qualified domain name of the Veeam ONE Server. For example: oneserver.domain.local.
  • The Subject Alternative Name field must contain the FQDN of the Veeam ONE Server. For example: DNS:oneserver.domain.local.
  • The key size must be at least 2048 bits.
  • The key usage must be Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment.
  • The enhanced key usage must be Server Authentication (1.3.6.1.5.5.7.3.1).

Veeam ONE Web API Certificate Requirements

  • The certificate subject must be equal to the fully qualified domain name of the Veeam ONE Server. For example: oneserver.domain.local.
  • The Subject Alternative Name field must contain the FQDN of the Veeam ONE Server. For example: DNS:oneserver.domain.local.
  • The key size must be at least 2048 bits.
  • The key usage must be Digital Signature, Non-Repudiation.
  • The enhanced key usage must be Server Authentication (1.3.6.1.5.5.7.3.1).
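
Both requirement lists, together with the CA trust and CRL conditions from the first section, can be checked on the Veeam ONE Server before the certificate is put into use. The PowerShell function below is an added example, not Veeam tooling: the name Test-VeeamOneCertificate, the store path and the thumbprint placeholder are assumptions. It also assumes that "subject" means the certificate's common name, that the key is RSA, and that the listed key usages are a minimum set.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-VeeamOneCertificate {   # hypothetical name, not a Veeam cmdlet
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [ValidateSet('Website', 'WebApi')] [string] $Role
    )
    # Key usage bits each role needs, as listed on this page.
    $required = [X509KeyUsageFlags]'DigitalSignature, NonRepudiation'
    if ($Role -eq 'Website') {
        $required = [X509KeyUsageFlags]'DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment'
    }
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    # On Windows, Format($false) returns "DNS Name=host, ..."; keep the value after '='.
    $sanNames = @()
    if ($san) {
        $sanNames = @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Assumes an RSA key; GetRSAPublicKey returns $null for other key types.
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)

    # Build the chain with online revocation checking: this fails if the issuing CA
    # is not trusted on this machine or the CRL cannot be retrieved.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        SubjectIsFqdn  = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false) -eq $Fqdn
        SanHasFqdn     = $sanNames -contains $Fqdn
        KeyAtLeast2048 = [bool]($rsa -and $rsa.KeySize -ge 2048)
        KeyUsageOk     = [bool]($ku -and $ku.KeyUsages.HasFlag($required))
        ServerAuthEku  = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        ChainTrusted   = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage; the store path and thumbprint are placeholders:
# Test-VeeamOneCertificate -Certificate (Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>') `
#     -Fqdn 'oneserver.domain.local' -Role Website
```

Run it on the machine hosting Veeam ONE Server so that the chain and CRL result reflects that machine's trust store and network path. A ChainStatus of RevocationStatusUnknown or OfflineRevocation points to an unreachable CRL rather than an untrusted CA.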

Page updated 3/4/2025

Page content applies to build 12.3.0.4670