Per Veeam’s official documentation, the KMS server certificate must meet the following requirements:
  • The Subject extension must be equal to the fully qualified domain name (FQDN) or IP of the KMS server.
  • The server certificate must have valid CRL distribution points specified in the CRL Distribution Points extension.
  • If the Veeam Backup & Replication server does not trust the Certificate Authority (CA) of the server certificate, it should be added to the Trusted Root Certification Authority store.
This section explains how to configure the KMIP server certificate on the CryptoHub, as required for this integration.

Generate a Certificate Signing Request (CSR) for the KMIP server connection pair

1. Log in to CryptoHub with your administrator identities.
2. Go to Classic Tools > Administration > Configuration Tasks.
3. In the Configuration Tasks view, double-click Network Options.
4. Go to the TLS/SSL Settings tab.
5. In the Connection drop-down menu, select KMIP.
6. Uncheck Use System/Host API SSL Parameters.
7. Uncheck Use Futurex certificates.
8. In the User Certificates section, select [ Edit ] next to PKI Keys.
9. In the Application Public Keys window, select [ Generate ].
10. When prompted that SSL will not be functional until new certificates are imported, select [ Yes ].
11. In the PKI Parameters window, select RSA as the Key Type, and 2048 as the Key Size. Then, select [ OK ].
    The Application Public Keys window now shows that a PKI Key Pair is Loaded.
12. Select [ Request ].
13. In the Subject DN tab, select Classic as the preset, and enter the FQDN or IP address of the CryptoHub as the Common Name.
14. In the V3 Extensions tab, select the TLS Server Certificate profile. Then, select [ Add ]. You must add the necessary extensions to the certificate, including the CRL Distribution Points extension.
15. Select the CRL Distribution Points extension and select [ OK ].
16. Select [ Add ]. Enter the URL for the CRL distribution point. Use the format http://HOSTNAME-OR-IP_ADDRESS/cryptohub.crl, where HOSTNAME-OR-IP_ADDRESS is the hostname or IP address of the server hosting the CRL. Then, select [ OK ].
    Be sure to include the protocol (http://) in the URL, because the CRL Distribution Points extension requires it.
17. Select [ Add ] again to add another extension.
18. This time, select Subject Alternative Name and select [ OK ].
19. Select [ Add ].
20. Depending on whether the CryptoHub is accessed by hostname or IP address, change the Type to DNS Name or IP Address, and enter the corresponding value. Then, select [ OK ].
21. Confirm the changes by selecting [ OK ].
22. In the PKCS #10 Info tab, select [ Browse ], which allows you to set a name for the certificate signing request (CSR) file. Then, select [ OK ].
23. Specify a name for the CSR file or leave the default name and select [ OK ].
24. Select [ OK ] to submit the certificate signing request. You should see a confirmation message that the CSR was successfully written. Select [ OK ] to close the confirmation message. Your browser then downloads the file, and you choose where to save it locally.
25. Select [ OK ] in the Application Public Keys window to return to the TLS/SSL Settings tab.
26. Select [ OK ] to save the changes to the KMIP connection pair.

Use the Client App TLS CA to sign the KMIP server certificate

1. Go to PKI and CA > Certificate Management.
2. Select the plus (+) icon to expand the “Client App TLS CA” X.509 Certificate Container.
   A randomly-generated 10-digit number is appended to the end of the “Client App TLS CA” name.
3. Right-click the CryptoHub [10_digit_number] self-signed CA certificate, and select Add Certificate > From Request.
4. In the file browser, select the CSR file you generated for the KMIP server connection pair, and select [ Open ].
5. The certificate details are displayed. Select [ OK ] to submit the request to the CA.

Export the signed KMIP server certificate and CryptoHub App TLS CA certificate

1. Go to PKI and CA > Certificate Management.
2. Select the plus (+) icons to expand the “Client App TLS CA” X.509 Certificate Container.
3. Right-click the signed KMIP server certificate, and select Export > Certificate(s).
4. Change the encoding to PEM and select [ Browse ].
5. Specify a name for the file or leave the default name and select [ OK ].
6. Select [ OK ]. You should see a confirmation message that the CSR was successfully written. Select [ OK ] to close the confirmation message. Your browser then downloads the file, and you choose where to save it locally.
7. Repeat the export process for the CryptoHub App TLS CA certificate, which is the CA that issued the KMIP client and server certificates. This CA certificate must be imported to the Trusted Root Certification Authority store on the Veeam Backup & Replication server.

Configure the KMIP server connection pair to use the signed certificate

1. Go to Classic Tools > Administration > Configuration Tasks.
2. In the Configuration Tasks view, double-click Network Options.
3. Go to the TLS/SSL Settings tab.
4. Select KMIP in the Connection drop-down menu.
5. In the User Certificates section, select [ Edit ] next to Certificates.
6. Right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
7. Select [ Add ] at the bottom of the window.
8. In the local file browser, select the CryptoHub App TLS CA certificate and select [ Open ].
9. Select [ Add ] at the bottom of the window.
10. In the local file browser, select the signed KMIP server certificate and select [ Open ].
    The certificates are listed in the Verified section.
11. Select [ OK ].
12. Select [ OK ].
    You now see “Signed loaded” next to Certificates.
13. Select [ OK ] to save the changes.
After completing these steps, the KMIP server connection pair is configured to use the signed certificate for TLS communication with Veeam Backup & Replication. Be sure to also import the CryptoHub App TLS CA certificate to the Trusted Root Certification Authority store on the Veeam server to establish trust.
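
The following pre-flight check is an added example, not Futurex or Veeam code. Run in PowerShell on the Veeam Backup & Replication server, it tests the two exported PEM files against the certificate requirements listed at the top of this page. The file names and host name are placeholders, and the SAN and CRL matching assumes the way Windows formats those extensions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example. Paths and host name are placeholders (assumptions); use your own values.
param(
    [string]$ServerCertPath = '.\kmip-server.pem',          # exported signed KMIP server certificate
    [string]$CaCertPath     = '.\cryptohub-app-tls-ca.pem', # exported CryptoHub App TLS CA certificate
    [string]$KmsHost        = 'cryptohub.example.test'      # FQDN or IP that Veeam connects to
)

$server = [X509Certificate2]::new((Resolve-Path $ServerCertPath).Path)
$ca     = [X509Certificate2]::new((Resolve-Path $CaCertPath).Path)

# Formatted text of an extension selected by OID, or $null when it is absent.
function Get-ExtensionText([X509Certificate2]$Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) }
}

$cn  = $server.GetNameInfo([X509NameType]::SimpleName, $false)
$san = Get-ExtensionText $server '2.5.29.17'   # Subject Alternative Name
$cdp = Get-ExtensionText $server '2.5.29.31'   # CRL Distribution Points

# Windows prints SAN entries as "DNS Name=<host>" or "IP Address=<ip>", one per line.
$sanPattern = "(?m)=$([regex]::Escape($KmsHost))\s*$"

# An online revocation check makes Windows fetch the CRL from the URL in the
# certificate, so an unreachable or missing CRL is reported in ChainStatus.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EndCertificateOnly
$chainOk = $chain.Build($server)

$checks = [ordered]@{
    'Subject CN equals KMS host'           = ($cn -eq $KmsHost)
    'SAN contains KMS host'                = [bool]($san -and $san -match $sanPattern)
    'CRL Distribution Point has http URL'  = [bool]($cdp -and $cdp -match 'http://\S+')
    'Server cert issuer is the exported CA' = ($server.Issuer -eq $ca.Subject)
    'CA is in LocalMachine\Root'           = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                                 Where-Object Thumbprint -eq $ca.Thumbprint)
    'Chain builds and revocation passes'   = $chainOk
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

An UntrustedRoot status means the CA certificate has not yet been imported to the Trusted Root Certification Authority store; a RevocationStatusUnknown or OfflineRevocation status means the CRL URL in the certificate could not be retrieved from this server.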