Using Certificate Signed by Internal CA

In this article

    To establish a secure connection with the RHV backup proxy VM, the backup server uses a TLS certificate. By default, the backup server uses a self-signed certificate. The backup server generates this certificate when you install Veeam Backup & Replication on the machine.


    If you want to use a certificate signed by your internal Certification Authority (CA), make sure that the following requirements are met:

    • The backup server must trust the CA. That means that the Certification Authority certificate must be added to the Trusted Root Certification Authority store on the backup server.
    • Certificate Revocation List (CRL) must be accessible from the backup server.
    • When issuing the certificate, make sure the Subject Alternative Name field contains both the FQDN and the NetBIOS name. You can add multiple DNS entries in the following format: DNS:vbrserver.domain.local,DNS:vbrserver.

    A certificate signed by a CA must meet the following requirements:

    • The certificate subject must be equal to the fully qualified domain name of the backup server. For example: vbrserver.domain.local.

    Using Certificate Signed by Internal CA 

    • The minimum key size is 2048 bits.
    • The following key usage extensions must be enabled in the certificate to sign and deploy child certificates for the RHV backup proxy VM:
    • Digital Signature
    • Certificate Signing
    • Off-line CRL Signing
    • CRL Signing (86)

    If you use Windows Server Certification Authority, we recommend you to issue a backup server certificate based on the built-in "Subordinate Certification Authority" template or templates similar to it.

    Using Certificate Signed by Internal CA 

    • The key type in the certificate must be set to Exchange.

    If you create a certificate request using the Windows MMC console, to specify the key type, do the following:

    • At the Request Certificates step of the Certificate Enrollment wizard, select a check box next to the necessary certificate template and click Properties.

    Using Certificate Signed by Internal CA 

    • In the Certificate Properties window, click the Private Key tab.
    • In the Key Type section, select Exchange.

    Using Certificate Signed by Internal CA 

    To start using the signed certificate, you must select it from the certificates store on the backup server. To learn more, see Importing Certificates from Certificate Store.

    Reconnecting to RHV backup proxy

    After you specify the signed certificate on the backup server, the RHV backup proxy is not able to communicate with the backup server and backup jobs fail. To reconnect the backup server to the RHV backup proxy, do the following:

    1. In the Veeam Backup & Replication console, open the Backup Infrastructure view.
    2. In the inventory pane, select the Backup Proxies node.
    3. In the working area, select the RHV backup proxy and click Edit Proxy on the ribbon, or right-click the RHV backup proxy and select Properties.
    4. Complete the Edit Red Hat Virtualization Proxy wizard as described in section Connecting Existing RHV Backup Proxy.

    Using Certificate Signed by Internal CA