Challenge
TLS certificates are used to secure communications between Veeam Agents and VBR. By default, Veeam Backup & Replication uses a self-signed certificate.
Solution
In order to use a certificate signed by a Certification Authority (CA), the following requirements should be met:
- Veeam Agents must trust the Certification Authority and the VBR signed certificate (they must be added to the Trusted Root Certification Authorities store on the clients)
- The Certificate Revocation List (CRL) should be accessible from Veeam Agents and the VBR server
A certificate signed by a Certification Authority should have the following key usages in order to sign and deploy child certificates on Veeam Agents:
- Digital Signature
- Certificate Signing
- Off-line CRL Signing
- CRL Signing (86)
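The "(86)" is the hexadecimal value of the key usage bits: Digital Signature (0x80) + Certificate Signing (0x04) + CRL Signing (0x02). The following PowerShell is an added example, not part of the original article or of Veeam's tooling, that checks a certificate for this set before it is imported. The function names and the two in-memory sample certificates are constructed for illustration, and the CA basic-constraints check is an assumption based on the certificate having to sign child certificates. It needs PowerShell 7 or .NET Framework 4.7.2 and later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# DigitalSignature (0x80) + KeyCertSign (0x04) + CrlSign (0x02) = 0x86
$RequiredUsages = [X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'

function Test-VbrCertKeyUsage {   # hypothetical helper name
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    $bc = $Certificate.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] } | Select-Object -First 1

    # A certificate with no key usage extension is treated as having none of the required bits.
    $present     = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    $missingBits = [int]$RequiredUsages -band (-bnot [int]$present)
    # Assumption: a certificate that signs child certificates must also be marked as a CA.
    $isCA        = [bool]($bc -and $bc.CertificateAuthority)

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        KeyUsageHex   = '{0:X2}' -f [int]$present
        MissingUsages = [X509KeyUsageFlags]$missingBits
        IsCA          = $isCA
        Suitable      = ($missingBits -eq 0) -and $isCA
    }
}

function New-SampleCert {   # builds constructed, in-memory sample certificates only
    param([string]$Name, [X509KeyUsageFlags]$Usages, [bool]$IsCA)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($Usages, $true))
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCA, $false, 0, $true))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# One certificate shaped like a subordinate CA, one shaped like an ordinary server certificate.
$samples = @(
    New-SampleCert -Name 'Constructed Sub CA'     -Usages 'DigitalSignature, KeyCertSign, CrlSign' -IsCA $true
    New-SampleCert -Name 'Constructed Web Server' -Usages 'DigitalSignature, KeyEncipherment'      -IsCA $false
)
$samples | ForEach-Object { Test-VbrCertKeyUsage $_ } |
    Format-Table Subject, KeyUsageHex, MissingUsages, IsCA, Suitable
```

To check a real certificate, pass an `X509Certificate2` object to `Test-VbrCertKeyUsage`, for example one returned by `Get-Item` on the `Cert:` drive for the store where the signed certificate was installed.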
For example, a subordinate CA certificate template in Windows has the required key usages:
After applying the signed certificate on the VBR server according to https://helpcenter.veeam.com/docs/backup/agents/agents_import_ssl.html?ver=95, Veeam Agents will receive child certificates on the next job run. The resulting certification path will look like this: