Using a CA-signed server certificate in the Veeam Agent management infrastructure

KB ID: 2651
Product: Veeam Backup & Replication;Veeam Agent for Microsoft Windows
Version: VBR 9.5 U3 | VAW 2.1
Last Modified: 2018-07-16


To allow communications between Veeam Agents and VBR, TLS certificates are used. By default, Veeam Backup & Replication uses a self-signed certificate.

User-added image


In order to use a certificate signed by Certification Authority (CA), the following requirements should be met:

  • Veeam Agents must trust the Certification Authority and the VBR signed certificate (they must be added to the Trusted Root Certification Authority store on the clients)
  • Certificate revocation List (CRL) should be accessible from Veeam Agents and VBR server

A certificate signed by Certification Authority should have the following key usage to sign and deploy child certificates on Veeam Agents:

  • Digital Signature
  • Certificate Signing
  • Off-line CRL Signing
  • CRL Signing (86)

User-added image

For example a subordinate CA Certificate template in Windows has the required key usages:

User-added image

After applying the signed certificate on the VBR server according to the User Guide, on the next job run Veeam Agents will receive child certificates. The resulting certification path will look like this:

User-added image

More Information

Note: Veeam Agent for Microsoft Windows version 2.1 has a known issue with CRL check if a signed certificate is installed on the VBR server. Please contact technical support in order to obtain a fix.

Please be aware that starting from September 2018 downloading updates will require an active contract for the corresponding product.


Rate the quality of this KB article: 
4.8 out of 5 based on 2 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Request new content

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system