Installing Security Certificates
Veeam Service Provider Console requires security certificates installed on the following components:
- Veeam Service Provider Console server. This certificate is used to establish a secure connection with Veeam Service Provider Console management agents installed on managed computers.
By default, this certificate is installed in the Veeam Service Provider Console Setup wizard. You can change Veeam Service Provider Console server certificate in Veeam Service Provider Console. For details, see Changing Veeam Service Provider Console Server Certificate.
- Veeam Service Provider Console Web UI. This certificate is used to establish a secure connection with client applications, such as web browsers or REST API clients.
By default, this certificate is installed in the Veeam Service Provider Console Setup wizard. You can change Veeam Service Provider Console Web UI certificate in Veeam Service Provider Console. For details, see Changing Veeam Service Provider Console Web UI Certificate.
- Veeam Cloud Connect server. This certificate is used to to establish a secure connection with managed Veeam Backup & Replication servers and Veeam Backup Agents.
This certificate is installed in the Veeam Cloud Connect Manage Certificate wizard. For details on installing and managing Veeam Cloud Connect certificate, see section Managing TLS Certificates of the Veeam Cloud Connect Guide.
Required Privileges
To perform this task, a user must have the following role assigned: Portal Administrator.
Before You Begin
Consider the following security recommendations:
- Make sure that an account used to install security certificates has access to private keys of the certificates in the Local Computer\Personal certificate store.
- Use third-party validated certificates.
If you generate or choose a self-signed certificate, you will need to manually configure a trusted connection between Veeam Service Provider Console and management agents. For details, see Deploying Management Agents Manually.
- Update certificates regularly.
For details on certificates update, contact your Certificate Authority.
- Use different certificates for Veeam Cloud Connect and Veeam Service Provider Console server in distributed deployments.
Using the same certificate on multiple machines may compromise the private key of the certificate.
- For Veeam Service Provider Console Web UI, you can use a certificate with multiple FQDNs listed in the Subject or Subject Alternative Name field (SAN).
It is recommended to specify in the SAN field all DNS names used to access Veeam Service Provider Console web portal, including DNS names used to access Reseller Portal and Client Portal. For details on Client Portal, see Guide for End Users. For details on Reseller Portal, see Guide for Resellers.
Alternatively, you can configure multiple port bindings with multiple certificates in your IIS Manager. For details, see Microsoft Docs.
- For Veeam Service Provider Console server, you must use a certificate that covers Veeam Service Provider Console server.
If you want the certificate to cover cloud gateways, you can use a certificate with multiple FQDNs listed in the Subject or Subject Alternative Name field (SAN) or a wildcard certificate. If you use a wildcard certificate (like *.domain.com), cloud gateways having DNS names that do not include .domain.com will not be trusted, and management agents will not use these cloud gateways for communication with Veeam Service Provider Console server.
Changing Veeam Service Provider Console Server Certificate
To install a new certificate for the Veeam Service Provider Console Server component:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Security.
- Navigate to the Security Certificates tab.
- At the top of the list, click Install > Server.
- In the Manage Certificate window, select one of the following options:
- Select certificate from the Certificate Store
With this option selected, you can choose a certificate from the Certificate Store of Veeam Service Provider Console server. The certificate must be installed in the Local Computer\Personal certificate store.
At the Pick Certificate step, select a certificate that you want to install and click Next.
- Generate new certificate (not recommended)
With this option selected, you can generate a new self-signed certificate. At the Generate Certificate step, specify a friendly name for a certificate that you want to install and click Next.
- Review the certificate settings and click Finish.
- Log on as Administrator to the machine where Veeam Service Provider Console Server component is installed.
- Restart Veeam Management Portal service.
- Refresh the Veeam Service Provider Console portal page.
Changing Veeam Service Provider Console Web UI Certificate
To install a new certificate for the Veeam Service Provider Console Web UI component:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Security.
- Navigate to the Security Certificates tab.
- At the top of the list, click Install > Web UI.
The Manage Certificate window will open.
- At the Pick Certificate step, select a certificate that you want to install and click Next.
- At the Credentials step, specify credentials of a local administrator of a machine on which Veeam Service Provider Console Web UI runs.
- At the Summary step, review the certificate settings and click Finish.
- Log on as Administrator to the machine where Veeam Service Provider Console Web UI component is installed.
- Open the Internet Information Services Manager.
- Expand the Sites list and select Veeam Service Provider Console.
- In the menu on the right, click Restart.
- Refresh the Veeam Service Provider Console portal page.
Note: |
If you use a self-signed certificate, import it to the client machines (the machines from which you plan to access Veeam Service Provider Console). For details on importing certificates, see Microsoft Docs. |