Using a CA-signed server certificate in the Veeam Agent management infrastructure

KB ID: 2651
Product: Veeam Backup & Replication;Veeam Agent for Microsoft Windows
Version: VBR 9.5 U3, VAW 2.1
Published:
Last Modified: 2018-05-16

Challenge

To allow communications between Veeam Agents and VBR, TLS certificates are used. By default, Veeam Backup & Replication uses a self-signed certificate.

User-added image

Solution

In order to use a certificate signed by Certification Authority (CA), the following requirements should be met:

  • Veeam Agents must trust the Certification Authority and the VBR signed certificate (they must be added to the Trusted Root Certification Authority store on the clients)
  • Certificate revocation List (CRL) should be accessible from Veeam Agents and VBR server

A certificate signed by Certification Authority should have the following key usage to sign and deploy child certificates on Veeam Agents:
  • Digital Signature
  • Certificate Signing
  • Off-line CRL Signing
  • CRL Signing (86)
User-added image
E.g., a subordinate CA Certificate template in Windows has the required key usages:

User-added image
 
After applying the signed certificate on the VBR server according to - https://helpcenter.veeam.com/docs/backup/agents/agents_import_ssl.html?ver=95 , on the next job run Veeam Agents will receive child certificates. The resulting certification path will look like this:

User-added image
 

More Information

Note: Veeam Agent for Microsoft Windows version 2.1 has a known issue with CRL check if a signed certificate is installed on the VBR server. Please contact technical support in order to obtain a fix.


 
How helpful is this article: 
4.8 out of 5 based on 2 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Request new content

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system