Replacing Security Certificates

To establish secure data communications between the backup appliance and web browsers running on user workstations, Veeam Backup for AWS uses Transport Layer Security (TLS) certificates.


When updating to Veeam Backup for AWS version 5.0, note that only the TLS v1.3 certificates are now supported. Veeam Backup for AWS will automatically recreate all previously generated self-signed certificates.

When you install Veeam Backup for AWS, it automatically generates a default self-signed certificate. You can replace this default certificate with your own self-signed certificate or with a certificate obtained from a Certificate Authority (CA). To replace the currently used TLS certificate, do the following:

  1. Switch to the Configuration page.
  1. Navigate to General > Certificates.
  1. Click Replace Web Certificate.

Complete the New CertificateWizard.

  1. At the Certificate Source step of the wizard, do the following:
  • Select the Recreate a self-sign certificate option if you want to replace the existing certificate with a new self-signed certificate automatically generated by Veeam Backup for AWS.
  • Select the Upload certificate option if you want to upload a certificate that you obtained from a CA or generated using a 3rd party tool.
  1. [This step applies only if you have selected the Upload certificate(s) option] At the Upload certificate(s) step of the wizard, browse to the certificate that you want to install, and provide a password for the certificate file if required.


Only .PFX and .P12 certificate files are supported.

  1. At the Summary step of the wizard, review summary information and click Finish. To allow Veeam Backup for AWS to discover the newly installed certificate, restart the backup appliance.


If you have recreated the self-signed certificate, the browser from which you will try to access Veeam Backup for AWS next time will display a warning notifying that the connection is untrusted (although it is secured with SSL). To eliminate the warning, import the self-signed certificate to user workstations.

Replacing Security Certificates