To allow communications between Veeam Agents and VBR, TLS certificates are used. By default, Veeam Backup & Replication uses a self-signed certificate.
In order to use a certificate signed by Certification Authority (CA), the following requirements should be met:
- Veeam Agents must trust the Certification Authority and the VBR signed certificate (they must be added to the Trusted Root Certification Authority store on the clients)
- Certificate revocation List (CRL) should be accessible from Veeam Agents and VBR server
A certificate signed by Certification Authority should have the following key usage to sign and deploy child certificates on Veeam Agents:
- Digital Signature
- Certificate Signing
- Off-line CRL Signing
- CRL Signing (86)
For example a subordinate CA Certificate template in Windows has the required key usages:
After applying the signed certificate on the VBR server according to the User Guide, on the next job run Veeam Agents will receive child certificates. The resulting certification path will look like this:
Note: Veeam Agent for Microsoft Windows version 2.1 has a known issue with CRL check if a signed certificate is installed on the VBR server. Please contact technical support in order to obtain a fix.
Please be aware that starting from September 2018 downloading updates will require an active contract for the corresponding product.