Certificate Validation Errors

This section lists errors of security certificate validation on the Veeam Service Provider Console management agent:

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. Renew the expired certificate.

The certificate is revoked by the Certification Authority. This could happen because the private key was compromised.

The signature of the certificate cannot be verified.

The certificate is not valid for the requested usage. Cannot authenticate the server with the current certificate.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. This could happen because your service provider is using a self-signed certificate.

The revocation function was unable to check revocation for the certificate. Check if you have access to a certificate revocation list distribution point. For details, see this Digicert article.

One of the certificates in the chain was issued by a certification authority that the original certificate had certified.

One of the certificates has an extension that is not valid.

The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.

The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.

The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.

The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:

The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.

The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.

The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.

A certificate chain could not be built to a trusted root authority.

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

The signature of the certificate cannot be verified.

The certificate is not valid for the requested usage.

A signature algorithm or public key length does not meet the system's minimum required strength.

The revocation function was unable to check revocation because the revocation server was offline. Check if you have access to a certificate revocation list distribution point. For details, see this Digicert article.

The certificate has invalid policy.

The certificate was explicitly marked as untrusted by the user.

The certificate contains an unknown extension that is marked Critical.

The certificate is damaged or inaccessible.

FQDN in the certificate does not match server FQDN. Check that you specified the server address correctly.

An error occurred while checking certificate chain.

Specifies that the CA (certificate authority) certificate and the issued certificate have validity periods that are not nested. For example, the CA cert can be valid from January 1 to December 1 and the issued certificate from January 2 to December 2, which means the validity periods are not nested.