This section describes how to register CryptoHub as a Key Management System (KMS) server in the Veeam Backup & Replication console. After completing this procedure, you can select CryptoHub for encryption when configuring backup jobs or storage repositories.

Before you begin

Verify the following before starting this procedure:
  • You have administrator access to the Veeam Backup & Replication console (desktop version).
  • You have the endpoint zip file we created for the Veeam Backup & Replication service on the CryptoHub.
  • You have the “veeam-fx” PKCS#12 file we exported in the PKI and CA > Certificate Management menu on the CryptoHub.
  • OpenSSL is installed on the computer you are using in this section.
  • Network connectivity exists between the Veeam server and CryptoHub on port 5696.

Preparing certificates

Veeam requires certificates in specific formats. Use the procedures in this section to verify and convert certificates before import.

Extract the endpoint zip and “veeam-fx” PKCS#12 file

1
Move the endpoint zip and “veeam-fx” PKCS#12 file into an empty directory.
2
Open a new terminal and navigate into the directory where the endpoint zip and “veeam-fx” PKCS#12 file are stored.
3
Extract the endpoint zip file:
In Windows PowerShell, use this command:
PowerShell
Expand-Archive .\veeam-fx-Veeam.zip .
In Linux bash, use this command:
Bash
unzip veeam-fx-Veeam.zip -d .
4
Extract the client private key from the “veeam-fx” PKCS#12 file using OpenSSL. Enter the PKCS#12 password when prompted.
OpenSSL
openssl pkcs12 -in veeam-fx.p12 -nocerts -noenc -out client-privatekey-pkcs8.pem
In the command above, replace veeam-fx.p12 with the actual name of your “veeam-fx” PKCS#12 file. The endpoint zip extracted in the previous step also contains a pki.p12 file, which is not used in this procedure.
5
Extract the client certificate from the “veeam-fx” PKCS#12 file using OpenSSL. Enter the PKCS#12 password when prompted.
OpenSSL
openssl pkcs12 -in veeam-fx.p12 -clcerts -nokeys -out veeam-client-cert.pem
6
Convert the PKCS#8 client private key to PKCS#1 format:
OpenSSL
openssl rsa -in client-privatekey-pkcs8.pem -traditional -out client-privatekey-pkcs1.pem
Store the converted private key file securely. The file contains an unencrypted private key and should be deleted from the Veeam server after import.
At this point, you should have the following files in the current working directory:
  • <number>-Prod-App-Alt.cer — KMIP server TLS certificate (number is random)
  • veeam-client-cert.pem — Veeam client TLS certificate
  • client-privatekey-pkcs1.pem — Veeam client private key in PKCS#1 format
These are the only files you will need to register CryptoHub as a KMS server in the Veeam Backup & Replication console application.
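The following script is an added example, not part of the Futurex or Veeam documentation. It checks the files produced above before import: that the client key is PKCS#1 (the format named in the troubleshooting table), that it pairs with the client certificate, and which unencrypted key files remain in the directory, including the intermediate client-privatekey-pkcs8.pem written with -noenc. The function names and the script name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example, not Futurex or Veeam code. Function names are assumptions.
# Usage: sh preflight.sh veeam-client-cert.pem client-privatekey-pkcs1.pem

# Classify a PEM private key by its first BEGIN line. The scan skips the
# "Bag Attributes" text that openssl pkcs12 writes before the PEM block and
# strips CR so files written on Windows classify the same way.
key_format() {
    hdr=$(LC_ALL=C sed -n '/^-----BEGIN/{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$hdr" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Succeed only when the certificate and the key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# List files in a directory whose PEM header is an unencrypted private key
# (legacy Proc-Type encryption is not checked), for removal after import.
unencrypted_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(key_format "$f")" in pkcs1|pkcs8) echo "$f" ;; esac
    done
}

# Run the checks on a client certificate and key; non-zero on any failure.
preflight() {
    rc=0
    fmt=$(key_format "$2")
    [ "$fmt" = pkcs1 ] || { echo "FAIL: $2 is $fmt, expected pkcs1"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not pair with $2"; rc=1; }
    echo "Unencrypted key files to delete after import:"
    unencrypted_keys "$(dirname "$2")"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" || exit 1
fi
```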

Adding the KMS server

Complete the following steps to register CryptoHub in Veeam Backup & Replication.
1
Open the Veeam Backup & Replication console.
2
From the main menu, select Credentials and Passwords > Key Management Servers.
3
In the Key Management Servers window, select Add.
4
In the Server field, enter the fully qualified domain name (FQDN) or IP address of CryptoHub.
Example: cryptohub.example.com
5
In the Port field, verify that the port number is 5696. Change this value only if your CryptoHub KMIP service uses a non-standard port.
6
In the Server certificate field, select Browse.
7
Choose the Import certificate from a file method, and complete the following steps in the import wizard:
  a. Select the KMIP server TLS certificate file (<number>-Prod-App-Alt.cer) from your local system.
  b. The file is not a password-protected PFX, so leave the Password field blank.
  c. Select Next, then select Finish.
8
In the Client certificate field, select Browse.
9
Choose the Import certificate from a PEM file method, and complete the following steps in the import wizard:
  a. Select the Veeam client TLS certificate file (veeam-client-cert.pem) from your local system.
  b. Select the Veeam client private key file (client-privatekey-pkcs1.pem) from your local system.
  c. Select Next, then select Finish.
10
In the Description field, enter a descriptive name for the KMS server.
Example: CryptoHub Production - Data Center 1
11
Select OK to save the KMS server configuration.
CryptoHub appears in the Key Management Servers list. Veeam validates connectivity and certificate trust during the save operation. If validation fails, see Troubleshooting connection failures below.
If the KMS server was added successfully, you can now configure backup jobs or storage repositories to use CryptoHub for encryption. See Enabling KMS encryption for backup jobs and Enabling KMS encryption for storage repositories.

Troubleshooting connection failures

Use the following table to diagnose connection failures when adding or editing the KMS server.
| Symptom | Probable cause | Resolution |
| --- | --- | --- |
| Connection timeout | Network connectivity issue or firewall blocking port 5696 | Verify that the Veeam server can reach CryptoHub on port 5696. Test with Test-NetConnection -ComputerName cryptohub.example.com -Port 5696 (PowerShell). |
| Certificate trust error | CryptoHub server certificate is not trusted | Add the issuing CA certificate (Futurex Test Root SSL CA.cer from the endpoint zip file) to the Trusted Root Certification Authorities store on the Veeam server. |
| Certificate name mismatch | Server certificate Subject does not match the FQDN entered in the Server field | Verify that the Server field value exactly matches the Subject (CN) in the CryptoHub server certificate. |
| CRL check failed | Veeam cannot access the CRL distribution point in the server certificate | Verify that the Veeam server can reach the CRL URL specified in the certificate. Check firewall rules and proxy settings. |
| Invalid private key format | Private key is PKCS#8 instead of PKCS#1 | Convert the private key using the OpenSSL command in the Preparing certificates section above. |