Using Certificate Signed by Internal CA
To establish a secure connection between the backup server and the AHV Backup Proxy VM, Veeam Backup & Replication uses a TLS certificate. By default, Veeam Backup & Replication uses a self-signed certificate. Veeam Backup & Replication generates this certificate when you install the product on the machine.
If you want to use a certificate signed by your internal Certification Authority (CA), make sure that the following requirements are met:
- Veeam Backup & Replication server must trust the CA. That means that the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the Veeam Backup & Replication server.
- Certificate Revocation List (CRL) must be accessible from the Veeam Backup & Replication server.
A certificate signed by a CA must meet the following requirements:
- The certificate subject must be equal to the fully qualified domain name of the Veeam Backup & Replication server. For example: vbrserver.domain.local.
- The following key usage extensions must be enabled in the certificate to sign and deploy child certificates for the AHV Backup Proxy VM:
  - Digital Signature
  - Certificate Signing
  - Off-line CRL Signing
  - CRL Signing (86)
  If you use Windows Server Certification Authority, it is recommended that you issue a Veeam Backup & Replication certificate based on the built-in "Subordinate Certification Authority" template or templates similar to it.
- The key type in the certificate must be set to Exchange.
  If you create a certificate request using the Windows MMC console, to specify the key type, do the following:
  - At the Request Certificates step of the Certificate Enrollment wizard, select a check box next to the necessary certificate template and click Properties.
  - In the Certificate Properties window, click the Private Key tab.
  - In the Key Type section, select Exchange.
To start using the signed certificate, you must select it from the certificates store on the Veeam Backup & Replication server. To learn more, see Importing Certificates from Certificate Store.
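Before selecting the certificate, the requirements above can be checked in one pass. The following script is an added example, not part of the Veeam documentation or tooling. It assumes Windows PowerShell 5.1 on the backup server, a certificate already imported into the LocalMachine\My store, and a thumbprint supplied by the operator; the default FQDN is the example name used above.

```powershell
# Added example: check a certificate in Cert:\LocalMachine\My against the
# requirements listed above. Assumptions: Windows PowerShell 5.1, run on the
# backup server, thumbprint supplied by the operator.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$ExpectedFqdn = 'vbrserver.domain.local'   # example FQDN from the text
)

$cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Subject: the common name must equal the server FQDN.
$cn = $cert.GetNameInfo('SimpleName', $false)

# Key usage: Digital Signature (0x80) + Certificate Signing (0x04) + CRL Signing (0x02).
# Windows displays this combination with the value (86).
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'
$ku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
$kuOk = [bool]$ku -and (($ku.KeyUsages -band $required) -eq $required)

# Key type: Exchange. Read from the CSP key container; this assumes a legacy
# CSP private key. For other key providers the value is reported as 'unknown'.
$keyType = try { $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { $null }
if ($null -eq $keyType) { $keyType = 'unknown' }

# Trust and CRL: build the chain in the machine context with online revocation
# checking. An untrusted root or an unreachable CRL makes Build() return $false
# and is named in ChainStatus.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    SubjectCN          = $cn
    SubjectMatchesFqdn = ($cn -eq $ExpectedFqdn)
    KeyUsageOk         = $kuOk
    HasPrivateKey      = $cert.HasPrivateKey
    KeyType            = "$keyType"
    KeyTypeIsExchange  = ("$keyType" -eq 'Exchange')
    ChainAndCrlOk      = $chainOk
    ChainStatus        = ($chain.ChainStatus.Status -join ', ')
}
```

A ChainStatus of UntrustedRoot points to the CA certificate missing from the Trusted Root store; RevocationStatusUnknown or OfflineRevocation points to a CRL that the server cannot reach.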
Reconnecting to AHV Backup Proxy
After you specify the signed certificate in Veeam Backup & Replication, AHV Backup Proxy is not able to communicate with the Veeam Backup & Replication server and backup jobs fail. To reconnect the Veeam Backup & Replication server to AHV Backup Proxy, do the following:
- In the Veeam Backup & Replication console, open the Backup Infrastructure pane.
- In the inventory pane, select the Backup Proxies node.
- In the working area, select the AHV backup proxy and click Edit Proxy on the ribbon or right-click the AHV backup proxy and select Properties.
- Edit AHV backup proxy settings as required. You will be asked to go through the same steps that you followed when adding an AHV backup proxy.