Installing Security Certificates

In this article

    Veeam Service Provider Console requires security certificates installed on the following components:

    • Veeam Service Provider Console server. This certificate is used to establish secure connection with Veeam Service Provider Console management agents installed on managed Veeam Backup & Replication servers and computers running Veeam backup agents.

    By default, this certificate is installed in the Veeam Service Provider Console Setup wizard. You can change Veeam Service Provider Console server certificate in Veeam Service Provider Console. For details, see Changing Veeam Service Provider Console Server Certificate.

    • Veeam Service Provider Console Web UI. This certificate is used to establish secure connection with client applications, such as web browsers or REST API clients.

    By default, this certificate is installed in the Veeam Service Provider Console Setup wizard. You can change Veeam Service Provider Console Web UI certificate in Veeam Service Provider Console. For details, see Changing Veeam Service Provider Console Web UI Certificate.

    • Veeam Cloud Connect server. This certificate is used to to establish secure connection with managed Veeam Backup & Replication servers and Veeam Backup Agents.

    This certificate is installed in the Veeam Cloud Connect Manage Certificate wizard. For details on installing and managing Veeam Cloud Connect certificate, see section Managing TLS Certificates of the Veeam Cloud Connect Guide.

    Required Privileges

    To perform this task, a user must have the following role assigned: Portal Administrator.

    Before You Begin

    Consider the following security recommendations:

    • Make sure that an account used to install security certificates has access to private keys of the certificates in the Local Computer\Personal certificate store.
    • Use third-party validated certificates.

    If you generate or choose a self-signed certificate, you will need to manually configure a trusted connection between Veeam Service Provider Console and management agents. For details, see Deploying Management Agents.

    • Update certificates regularly.

    For details on certificates update, contact your Certificate Authority.

    • Use different certificates for Veeam Cloud Connect and Veeam Service Provider Console server in distributed deployments.

    Using the same certificate on multiple machines may compromise the private key of the certificate.

    • For Veeam Service Provider Console server, use a certificate that covers Veeam Service Provider Console server and all cloud gateways.

    You can use a certificate with multiple FQDNs listed in the Subject or Subject Alternative Name field (SAN) or a wildcard certificate. If you use a wildcard certificate (like *.domain.com), cloud gateways having DNS names that do not include .domain.com will not be trusted, and management agents will not use these cloud gateways for communication with Veeam Service Provider Console server.

    Certificate Management

    Changing Veeam Service Provider Console Server Certificate

    To install a new certificate for the Veeam Service Provider Console Server component:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    1. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    2. In the configuration menu on the left, click Security.
    3. Navigate to the Security Certificates tab.
    4. At the top of the list, click Install > Server.
    5. In the Manage Certificate window, select one of the following options:
    • Select certificate from the Certificate Store

    With this option selected, you can choose a certificate from the Certificate Store of Veeam Service Provider Console server. The certificate must be installed in the Local Computer\Personal certificate store.

    At the Pick Certificate step, select a certificate that you want to install and click Next.

    Select Certificate from Certificate Store

    • Generate new certificate (not recommended)

    With this option selected, you can generate a new self-signed certificate. At the Generate Certificate step, specify friendly name for a certificate that you want to install and click Next.

    Generate New Self-Signed Certificate

    1. Review the certificate settings and click Finish.
    2. Refresh the Veeam Service Provider Console portal page.

    Changing Veeam Service Provider Console Web UI Certificate

    To install a new certificate for the Veeam Service Provider Console Web UI component:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    1. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    2. In the configuration menu on the left, click Security.
    3. Navigate to the Security Certificates tab.
    4. At the top of the list, click Install > Web UI.

    The Manage Certificate window will open.

    1. At the Pick Certificate step, select a certificate that you want to install and click Next.

    Select SSL Certificate from Certificate Store

    1. At the Credentials step, specify credentials of a local administrator of a machine on which Veeam Service Provider Console Web UI runs.
    2. At the Summary step, review the certificate settings and click Finish.
    3. Refresh the Veeam Service Provider Console portal page.

    Note:

    If you use a self-signed certificate, import it to the client machines (the machines from which you plan to access Veeam Service Provider Console). For details on importing certificates, see Microsoft Docs.