# Adding the KMS server in Veeam

> Procedural guide for registering CryptoHub as a KMS server in the Veeam Backup & Replication console, including certificate preparation and troubleshooting.

This section describes how to register CryptoHub as a Key Management System (KMS) server in the Veeam Backup & Replication console. After completing this procedure, you can select CryptoHub for encryption when configuring backup jobs or storage repositories.

## Before you begin

Verify the following before starting this procedure:

* You have administrator access to the Veeam Backup & Replication console (desktop version).
* You have the endpoint zip file that you created for the **Veeam Backup & Replication** service on CryptoHub.
* OpenSSL is installed on the computer where you perform the steps in this section.
* Network connectivity exists between the Veeam server and CryptoHub on port 5696.

## Preparing certificates

Veeam requires certificates in specific formats. Use the procedures in this section to verify and convert certificates before import.

### Extract the endpoint zip

<Steps>
  <Step>
    Move the endpoint zip file into an empty directory.
  </Step>

  <Step>
    Open a new terminal and navigate into the directory where the endpoint zip file is stored.
  </Step>

  <Step>
    Extract the endpoint zip file:

    In Windows PowerShell, use this command:

    ```powershell expandable lines wrap title="PowerShell" theme={null}
    Expand-Archive .\veeam-fx-Veeam.zip .
    ```

    In Linux bash, use this command:

    ```bash expandable lines wrap title="Bash" theme={null}
    unzip demo-Veeam.zip -d .
    ```
  </Step>

  <Step>
    Extract the client private key from the `pki.p12` file using OpenSSL. Enter the PKCS#12 password when prompted.

    <Info>
      The `pki-password.txt` file contains the password for the `pki.p12` file. Use this password when prompted by OpenSSL.
    </Info>

    ```bash expandable lines wrap title="OpenSSL" theme={null}
    openssl pkcs12 -in pki.p12 -nocerts -noenc -out client-privatekey-pkcs8.pem
    ```
  </Step>

  <Step>
    Extract the client certificate from the `pki.p12` file using OpenSSL. Enter the PKCS#12 password when prompted.

    ```bash expandable lines wrap title="OpenSSL" theme={null}
    openssl pkcs12 -in pki.p12 -clcerts -nokeys -out veeam-client-cert.pem
    ```
  </Step>

  <Step>
    Convert the PKCS#8 client private key to PKCS#1 format:

    ```bash expandable lines wrap title="OpenSSL" theme={null}
    openssl rsa -in client-privatekey-pkcs8.pem -traditional -out client-privatekey-pkcs1.pem
    ```

    <Warning>
      Store the converted private key file securely. The file contains an unencrypted private key and should be deleted from the Veeam server after import.
    </Warning>
  </Step>
</Steps>

At this point, you should have the following files in the current working directory:

* `<number>-Prod-App-Alt.cer` — KMIP server TLS certificate (number is random)
* `veeam-client-cert.pem` — Veeam client TLS certificate
* `client-privatekey-pkcs1.pem` — Veeam client private key in PKCS#1 format

These are the only files you will need to register CryptoHub as a KMS server in the Veeam Backup & Replication console application.
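
As a pre-import check on these files, the following script confirms that the client private key is unencrypted PKCS#1, that it belongs to the client certificate, and that the certificate has not expired. It is an added example, not part of the Futurex or Veeam tooling; the function names are its own, and it assumes OpenSSL is on the `PATH`.

```bash
#!/bin/sh
# Added example: pre-import checks for the files produced by the steps above.
# Function names are this example's own; the file names are the page's.

# Classify a private key file by its PEM header (CRLF line endings tolerated).
key_format() {
  kf_hdr=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" 2>/dev/null | tr -d '\r')
  case "$kf_hdr" in
    '-----BEGIN RSA PRIVATE KEY-----')
      # A passphrase-protected PKCS#1 key keeps this header and adds Proc-Type.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo pkcs1-encrypted
      else echo pkcs1; fi ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# Print the public key (PEM) held in a certificate or a private key file.
pubkey_pem() {  # $1 = cert|key, $2 = file
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null
}

# Return 0 only if the certificate and the private key share one public key.
cert_matches_key() {  # $1 = certificate, $2 = private key
  cmk_cert=$(pubkey_pem cert "$1") || return 2
  cmk_key=$(pubkey_pem key "$2") || return 2
  [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# Run all checks; stop at the first failure with a message on stderr.
veeam_preflight() {  # $1 = client certificate, $2 = client private key
  vp_fmt=$(key_format "$2")
  [ "$vp_fmt" = pkcs1 ] || { echo "FAIL: $2 is $vp_fmt, expected pkcs1" >&2; return 1; }
  cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: $1 has expired" >&2; return 1; }
  echo "OK: $1 and $2 are ready to import"
}

# Usage: sh preflight.sh veeam-client-cert.pem client-privatekey-pkcs1.pem
if [ "$#" -eq 2 ]; then veeam_preflight "$1" "$2"; fi
```

A result of `pkcs8` from `key_format` means the PKCS#1 conversion step was skipped or the wrong key file was selected.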

## Adding the KMS server

Complete the following steps to register CryptoHub in Veeam Backup & Replication.

<Steps>
  <Step>
    Open the Veeam Backup & Replication console.
  </Step>

  <Step>
    From the main menu, select **Credentials and Passwords** > **Key Management Servers**.
  </Step>

  <Step>
    In the Key Management Servers window, select **Add**.
  </Step>

  <Step>
    In the **Server** field, enter the fully qualified domain name (FQDN) or IP address of CryptoHub.

    Example: `cryptohub.example.com`
  </Step>

  <Step>
    In the **Port** field, verify that the port number is **5696**. Change this value only if your CryptoHub KMIP service uses a non-standard port.
  </Step>

  <Step>
    In the **Server certificate** field, select **Browse**.
  </Step>

  <Step>
    Choose the **Import certificate from a file** method, and complete the following steps in the import wizard:

    a. Select the KMIP server TLS certificate file (`<number>-Prod-App-Alt.cer`) from your local system.

    b. The file is not a password-protected PFX, so leave the **Password** field blank.

    c. Select **Next**, then select **Finish**.
  </Step>

  <Step>
    In the **Client certificate** field, select **Browse**.
  </Step>

  <Step>
    Choose the **Import certificate from a PEM file** method, and complete the following steps in the import wizard:

    a. Select the Veeam client TLS certificate file (`veeam-client-cert.pem`) from your local system.

    b. Select the Veeam client private key file (`client-privatekey-pkcs1.pem`) from your local system.

    c. Select **Next**, then select **Finish**.
  </Step>

  <Step>
    In the **Description** field, enter a descriptive name for the KMS server.

    Example: `CryptoHub Production - Data Center 1`
  </Step>

  <Step>
    Select **OK** to save the KMS server configuration.
  </Step>
</Steps>

<Check>
  CryptoHub appears in the Key Management Servers list. Veeam validates connectivity and certificate trust during the save operation. If validation fails, see **Troubleshooting connection failures** below.
</Check>

If the KMS server was added successfully, you can now configure backup jobs or storage repositories to use CryptoHub for encryption. See **Enabling KMS encryption for backup jobs** and **Enabling KMS encryption for storage repositories**.

## Troubleshooting connection failures

Use the following table to diagnose connection failures when adding or editing the KMS server.

| Symptom                    | Probable cause                                                                 | Resolution                                                                                                                                                          |
| -------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Connection timeout         | Network connectivity issue or firewall blocking port 5696                      | Verify that the Veeam server can reach CryptoHub on port 5696. Test with `Test-NetConnection -ComputerName cryptohub.example.com -Port 5696` (PowerShell).          |
| Certificate trust error    | CryptoHub server certificate is not trusted                                    | Add the issuing CA certificate (`Futurex Test Root SSL CA.cer` from the endpoint zip file) to the Trusted Root Certification Authorities store on the Veeam server. |
| Certificate name mismatch  | Server certificate Subject does not match the FQDN entered in the Server field | Verify that the **Server** field value exactly matches the Subject (CN) in the CryptoHub server certificate.                                                        |
| CRL check failed           | Veeam cannot access the CRL distribution point in the server certificate       | Verify that the Veeam server can reach the CRL URL specified in the certificate. Check firewall rules and proxy settings.                                           |
| Invalid private key format | Private key is PKCS#8 instead of PKCS#1                                        | Convert the private key using the OpenSSL command in the **Preparing certificates** section above.                                                                  |
