Appendix B. Replacing Security Certificate

When you install Veeam Backup for Salesforce, it automatically generates a default self-signed certificate. You can replace this default certificate with your own self-signed certificate or with a certificate obtained from a Certificate Authority (CA).

The /etc/nginx/certs default SSL configuration file contains paths to the following certificate files:

  • ssl_certificate "/opt/vbsf/nginx/certificate/vbsf.crt" — a file that contains the self-signed certificate.
  • ssl_certificate_key "/opt/vbsf/nginx/certificate/vbsf.key" — a file that contains a private key used to generate the certificate.
  • ssl_password_file "/opt/vbsf/nginx/certificate/passout" — a file that contains a password to decrypt the private key. This file is not required if the private key is not encrypted.

Installing SSL Certificate on Nginx Server

To replace the default certificate, do the following:

  1. Log in to the machine where Veeam Backup for Salesforce is installed.
  2. Upload new SSL certificate files to the /opt/vbsf/nginx/certificate/ folder.
  3. Set the vbsf user as the owner of the new files and add these files to the vbsf group. To do that, run the command:

sudo chown vbsf:vbsf /opt/vbsf/nginx/certificate/*

  4. Update the configuration parameters in the /etc/nginx/certs configuration file specifying the paths to the new certificate files:

ssl_certificate "<path_to_the_new_file>";

ssl_certificate_key "<path_to_the_new_file>";

ssl_password_file "<path_to_the_new_file>";

If the private key is not encrypted, remove the password line from the /opt/vbsf/nginx/certificate/passout file.

  5. Restart the nginx service. To do that, run the command:

sudo systemctl restart nginx
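
The following is an added example, not part of the Veeam documentation or tooling: a set of shell checks to run after updating the paths and before restarting nginx, confirming that the new certificate matches its private key, has not expired, and that the key file is not world-readable. The file names new.crt and new.key are placeholders, and the permission check is an assumption about good practice that the procedure above does not state.

```shell
#!/bin/sh
# Added example, not Veeam tooling. Run after editing /etc/nginx/certs and
# before restarting nginx. new.crt / new.key below are placeholder names.

# Succeeds when the certificate and the private key carry the same public key.
# $3 (optional): password file; openssl reads the passphrase from its first line.
cert_matches_key() {
    cert=$1 key=$2 passfile=${3:-}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    if [ -n "$passfile" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin "file:$passfile" 2>/dev/null) || return 3
    else
        # Empty passphrase: an encrypted key fails here instead of prompting.
        key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 3
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 seconds from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Succeeds when "other" has no read bit on the key file (assumed hardening check).
key_not_world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "-" ]
}

# Runs all checks; prints the first failure to stderr and returns non-zero.
check_new_cert() {
    cert_matches_key "$1" "$2" "${3:-}" ||
        { echo "certificate and key do not match or cannot be read" >&2; return 1; }
    cert_valid_for "$1" 0 ||
        { echo "certificate has expired" >&2; return 1; }
    key_not_world_readable "$2" ||
        { echo "private key is world-readable" >&2; return 1; }
}

# Usage (nginx -t validates the configuration without restarting the service):
#   check_new_cert /opt/vbsf/nginx/certificate/new.crt \
#                  /opt/vbsf/nginx/certificate/new.key \
#     && sudo nginx -t && sudo systemctl restart nginx
```

If the private key is encrypted, pass the password file as the third argument to check_new_cert.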

To learn how to create and configure your own certificate, see the documentation of the relevant SSL provider (for example, the DigiCert documentation).