Configure RSA certificates - Futurex Documentation

This section explains how to configure RSA certificates for the TLS connection between Veeam and the KMIP server port on the CryptoHub, as required for this integration.

Configure the KMIP connection pair to use RSA certificates

Go to Classic Tools > Administration > Configuration Tasks.

In the Configuration Tasks view, double-click Network Options.

Go to the TLS/SSL Settings tab.

In the Connection drop-down menu, select KMIP.

Uncheck Use System/Host API SSL Parameters.

Change the Cert Type to RSA.

Select [ OK ].

Confirm the changes by selecting [ OK ].

Create a new client endpoint for the Veeam service

Go to Services > Deployed Services and select the Veeam Backup & Replication service you deployed.

Select Endpoints.

Select [ Add New ].

Enter “veeam-fx” as the Endpoint Identifier, then select [ Add Endpoint ].

Your browser prompts you to download and save a zip file.

Use the Client App TLS CA to issue an RSA client certificate for Veeam

Go to PKI and CA > Certificate Management.

Select the plus (+) icon to expand the “Client App TLS CA” X.509 Certificate Container.

A randomly-generated 10-digit number is appended to the end of the “Client App TLS CA” name.

Right-click the CryptoHub [10_digit_number] self-signed CA certificate, and select Add Certificate > New Certificate.

Select the Classic preset.

Under Subject DN, enter “veeam-fx” as the Common Name for the certificate.

Leave set the defaults under Basic Info.

Under V3 Extensions, select the TLS Client Certificate profile.

Select [ OK ].

Enable the option to allow export of certificates using passwords

Go to Classic Tools > Administration > Configuration Tasks.

In the Configuration Tasks view, double-click Options.

Select the “Allow export of certificates using passwords” checkbox.

Select [ Save ].

Confirm the changes by selecting [ OK ].

Export the veeam-fx TLS certificate as a PKCS#12 file

Go to PKI and CA > Certificate Management.

Select the plus (+) icon to expand the “Client App TLS CA” certificate container.

Select the plus (+) icon to expand the CryptoHub [10_digit_number] CA certificate tree.

Right-click the “veeam-fx” TLS client certificate we generated and select Export > PKCS#12.

Set a password for the PKCS#12 file.

Under Export Options, select “Export Selected Certificate”.

Select [ Next ].

Enter a filename for web transfer, then select [ OK ].

The browser should prompt you to download the PKCS#12 file.

⌘I

​Configure the KMIP connection pair to use RSA certificates

​Create a new client endpoint for the Veeam service

​Use the Client App TLS CA to issue an RSA client certificate for Veeam

​Enable the option to allow export of certificates using passwords

​Export the veeam-fx TLS certificate as a PKCS#12 file

Configure the KMIP connection pair to use RSA certificates

Create a new client endpoint for the Veeam service

Use the Client App TLS CA to issue an RSA client certificate for Veeam

Enable the option to allow export of certificates using passwords

Export the veeam-fx TLS certificate as a PKCS#12 file