Using Certificate Signed by Internal CA
You can use a certificate signed by an internal Certificate Authority (CA) as the server or web UI certificate to secure Enterprise Manager connections with other components and web browsers.
Before you install a certificate signed by an internal CA, add the CA certificate to the certificate store on the Enterprise Manager machine so that Enterprise Manager trusts the issuing CA.
Certificate Requirements
A certificate signed by a CA must meet the following requirements.
| Requirement | Description |
|---|---|
| Subject | Set to the fully qualified domain name (FQDN) of the Enterprise Manager server. |
| Subject Alternative Name (SAN) | Include both the FQDN and the NetBIOS name. You can specify multiple DNS entries in the following format: DNS:emserver.domain.local, DNS:emserver |
| Key Size | Minimum 2048 bits. |
| Key Usage | For the server certificate, enable the following extensions: For the web UI certificate, enable the Digital Signature extension. |
| Basic Constraints | Set Path Length Constraint to 0, so that the certificate cannot be used to issue further CA certificates. |
| Key Type | Set to Exchange (the Windows key specification AT_KEYEXCHANGE, which allows the key to be used for both key exchange and signing). |

Important

The following certificates are not supported:
You cannot use certificates issued by public CAs as the server certificate, but you can use them as the web UI certificate.
CRL Requirements
Ensure that the Certificate Revocation List (CRL) published by the CA, which lists the certificates the CA has revoked, is reachable from the Enterprise Manager server so that certificate status can be verified. The CRL must meet the following requirements:
- The CRL is accessible from the Enterprise Manager server to verify certificate status.
- The CRL must have an HTTP endpoint; a CRL published only through LDAP does not meet this requirement.
- The CRL must be signed with a strong cryptographic algorithm such as RSA-SHA256.
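The following script is an added example and is not part of the original page or the product's own tooling. It issues a certificate from a throw-away internal CA with openssl, using an extension profile that mirrors the requirement table above (subject CN set to the FQDN, SAN with FQDN and NetBIOS name, 2048-bit RSA key, path length 0, HTTP CRL distribution point), generates a SHA-256-signed CRL from the same CA as described under CRL Requirements, and then checks a certificate and a CRL against those requirements. The host names emserver.domain.local and emserver, the CRL URL, and the server key usage bits (digitalSignature, keyEncipherment, keyCertSign) are assumptions; the page lists only the Digital Signature extension, for the web UI certificate. A second certificate is issued without the profile to show what the checks report for a certificate that does not meet the requirements.

```shell
#!/bin/sh
# Added example, not part of the original page: issue a test certificate from a
# throw-away internal CA with openssl and check it against the requirement table.
# Host names, the CRL URL and the server key usage bits are assumptions.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
FQDN="emserver.domain.local"                       # assumed server FQDN
NETBIOS="emserver"                                 # assumed NetBIOS name
CRL_URL="http://pki.domain.local/internal-ca.crl"  # assumed HTTP CRL endpoint

# 1. Throw-away internal CA (stands in for your real CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Internal Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Extension profile mirroring the table: SAN with FQDN and NetBIOS name,
#    path length 0, HTTP CRL distribution point. The key usage bits are an assumption.
cat > "$WORK/em.ext" <<EOF
subjectAltName = DNS:$FQDN, DNS:$NETBIOS
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
crlDistributionPoints = URI:$CRL_URL
EOF

# 3. Server key and CSR, signed with the profile (em.pem) and without it (bad.pem).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
  -keyout "$WORK/em.key" -out "$WORK/em.csr" 2>/dev/null
openssl x509 -req -in "$WORK/em.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/em.ext" -out "$WORK/em.pem" 2>/dev/null
openssl x509 -req -in "$WORK/em.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/bad.pem" 2>/dev/null

# 4. A CRL from the same CA, signed with SHA-256 (minimal 'openssl ca' config).
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = internal
[ internal ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
openssl ca -config "$WORK/ca.cnf" -gencrl -cert "$WORK/ca.pem" -keyfile "$WORK/ca.key" \
  -md sha256 -out "$WORK/ca.crl" 2>/dev/null

# PASS/FAIL reporter; sets rc=1 on any failure.
report() { if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }

# check_cert CERT FQDN NETBIOS: returns 0 only if every requirement from the table
# that is visible in the certificate holds. Run it on the certificate your CA issued.
check_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"; rc=0
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
  printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$2" && s=0 || s=1
  report "subject CN is the FQDN $2" $s
  printf '%s\n' "$text" | grep -q "DNS:$2" && s=0 || s=1
  report "SAN contains DNS:$2" $s
  printf '%s\n' "$text" | grep -Eq "DNS:$3"'(,|[[:space:]]|$)' && s=0 || s=1
  report "SAN contains DNS:$3 (NetBIOS name)" $s
  [ "${bits:-0}" -ge 2048 ] && s=0 || s=1
  report "key size ${bits:-0} bits is at least 2048" $s
  printf '%s\n' "$text" | grep -q "pathlen:0" && s=0 || s=1
  report "Basic Constraints path length is 0" $s
  printf '%s\n' "$text" | grep -q "URI:http://" && s=0 || s=1
  report "CRL distribution point is an HTTP URL" $s
  return $rc
}

# check_key_usage CERT USAGE: e.g. "Digital Signature" for the web UI certificate.
check_key_usage() {
  openssl x509 -in "$1" -noout -text | sed -n '/Key Usage/{n;p;}' | grep -q "$2"
}

# check_crl CRL: the CRL must be signed with RSA-SHA256.
check_crl() {
  openssl crl -in "$1" -noout -text | grep -q "Signature Algorithm: sha256WithRSAEncryption"
}

echo "== certificate issued with the profile =="
check_cert "$WORK/em.pem" "$FQDN" "$NETBIOS" || true
echo "== certificate issued without the profile =="
check_cert "$WORK/bad.pem" "$FQDN" "$NETBIOS" || true
check_key_usage "$WORK/em.pem" "Digital Signature" && echo "PASS Digital Signature key usage" || true
check_crl "$WORK/ca.crl" && echo "PASS CRL signed with sha256WithRSAEncryption" || true
```

To check a certificate you actually received, run `check_cert` against its PEM file with your own FQDN and NetBIOS name, and `check_crl` against the CRL downloaded from the HTTP distribution point named in the certificate. The checks cover only what is visible in the certificate and CRL; the Exchange key type is a property of how the key was generated on Windows and is not visible in the certificate itself.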
Configuring Certificate Templates in Windows Server CA
If you use Windows Server Certification Authority for managing certificates, perform the following steps to configure a suitable certificate template:
- Open the Certificate Templates Microsoft Management Console (MMC) snap‑in.
- Select a template based on the built‑in Subordinate Certification Authority template or a similar template.
- On the Extensions tab, enable the Do not allow subject to issue certificates to other CAs option. This sets the Basic Constraints path length to 0, as required above.
- Issue an Enterprise Manager certificate based on this template.
Adding Certificate to Certificate Store
If you want to use a certificate signed by an internal CA, ensure that Enterprise Manager trusts the CA. After you add the CA certificate to the certificate store, you can install the certificate. If you attempt to install a certificate before adding the CA certificate to the store, the installation fails. For details on how to install an Enterprise Manager certificate, see Installing Certificates.
- For Microsoft Windows-based Enterprise Manager, add the CA certificate to the Trusted Root Certification Authorities store.
- For Linux-based Enterprise Manager, copy the CA certificate in PEM format to the /etc/pki/ca-trust/source/anchors/ directory, and then run the following command as the root user:

```
update-ca-trust extract
```