
Using a CA-signed server certificate in the Veeam Agent management infrastructure

Challenge

TLS certificates are used to secure communication between Veeam Agents and Veeam Backup & Replication (VBR). By default, Veeam Backup & Replication uses a self-signed certificate.


Solution

To use a certificate signed by a Certification Authority (CA), the following requirements must be met:

  • Veeam Agents must trust the Certification Authority and the VBR signed certificate (they must be added to the Trusted Root Certification Authorities store on the clients)
  • The Certificate Revocation List (CRL) should be accessible from Veeam Agents and the VBR server

A certificate signed by a Certification Authority should have the following key usages so that it can sign and deploy child certificates on Veeam Agents:

  • Digital Signature
  • Certificate Signing
  • Off-line CRL Signing
  • CRL Signing (86)
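
One way to confirm that a certificate carries these key usages before applying it on the VBR server is shown below. This is an added example, not Veeam code: the function name `Test-VbrCaKeyUsage`, the store path and the thumbprint placeholder are assumptions.

```powershell
# Added example (not Veeam code). Test-VbrCaKeyUsage is a hypothetical helper name.
function Test-VbrCaKeyUsage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        # Digital Signature (0x80) + Certificate Signing (0x04) + CRL Signing (0x02) = 0x86.
        # Windows lists "Off-line CRL Signing" and "CRL Signing" for the same 0x02 bit.
        [int]$required = $flags::DigitalSignature -bor $flags::KeyCertSign -bor $flags::CrlSign

        # A certificate without a Key Usage extension has none of the required bits.
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        [int]$actual = if ($ku) { $ku.KeyUsages } else { 0 }

        # Bits that are required but not set in the certificate.
        [int]$missing = $required -band (-bnot $actual)
        $missingFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$missing

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            KeyUsageHex   = '{0:x2}' -f $actual
            MissingUsages = if ($missing) { $missingFlags.ToString() } else { '' }
            MeetsRequired = ($missing -eq 0)
        }
    }
}

# Assumption: the certificate is in the local machine Personal store.
# The thumbprint below is a placeholder, not a real value.
$thumbprint = '<CERTIFICATE-THUMBPRINT>'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Test-VbrCaKeyUsage
```

A certificate that meets the requirement reports `KeyUsageHex` with the `80`, `04` and `02` bits set (`86` when no other usages are present) and `MeetsRequired` as `True`.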


For example, the Subordinate CA certificate template in Windows has the required key usages:


After applying the signed certificate on the VBR server according to the User Guide, on the next job run Veeam Agents will receive child certificates. The resulting certification path will look like this:


More Information

Note: Veeam Agent for Microsoft Windows version 2.1 has a known issue with the CRL check if a signed certificate is installed on the VBR server. Please contact technical support to obtain a fix.

