9.1 SSL Certificates generation
Veeam Backup & Replication™ gives Service Providers the ability to generate and use a self-signed certificate during the initial configuration of Veeam® Cloud Connect. This is a quick and easy method to complete the deployment and to test it, but gives lower security to customers, since they cannot verify the certificate, and thus proving the authenticity of the Service Provider.
When a user connects to a Cloud Connect environment and uses a self-signed certificate, this is the result:
9.1: warning when using self-signed certificates
The reason for the warning is that the self-signed certificate is not signed by any of the recognized Certification Authorities:
9.2: A self-signed cert generates a trust warning
In order to properly protect Cloud Connect and give their customer comfort, the Service Provider should use a proper and generally recognized certificate, issued by one of the Certification Authorities recognized by operating systems.
Create the Certificate Signing Request (CSR)
In public key infrastructure (PKI) systems, a certificate signing request (also displayed as CSR or certification request) is a message sent from an applicant (the Service Provider running Cloud Connect in our case) to a Certificate Authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS #10 specification.
Before creating a CSR, the applicant first generate a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.
The first and most important operation a Service Provider should do is to decide the public fully qualified domain name that Cloud Gateways will use to be contacted by users. This name should match the one used in DNS and the one used in the CSR. In this guide, the public domain of the Cloud Connect service is virtualtothecore.com, and the fqdn (fully qualified domain name) is:
In order to create the CSR, on the Windows Server running Veeam Backup & Replication (vbr.cloudconnect.local in this guide) a Service Provider needs first to create with a text editor an .inf file. This file (it can be called request.inf) should contain a text like this:
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN= FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line KeySpec = 1 KeyLength = 2048 Exportable = TRUE FriendlyName = "cc" MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=184.108.40.206.220.127.116.11.1 ; this is for Server Authentication [RequestAttributes] ; SAN="dns=cc.virtualtothecore.com"
The text parts related to the virtualtothecore.com example are to be changed with the specific values of the Service Provider. To obtain a valid certificate from a Certificate Authority, a proper domain name should be used. Thus, I’ve used for this procedure my blog domain name virtualtothecore.com, and so the FQDN is cc.virtualtothecore.com. You will also have to write your own information in the "Subject" line.
Note that, if you want to generate a request for a wildcard certificate, the CN portion of the subject must start with the * symbol.
After the configuration file has been edited, it can be saved in a useful location like a dedicated folder c:\certificates. Then, the Service Provider has to open a command prompt with Administrator rights (right click and select “Run as Administrator), move into c:\certificates and use this command:
certreq -new request.inf certreq.txt
If you open the created certreq.txt file, its content is like this:
-----BEGIN NEW CERTIFICATE REQUEST----- MIID9jCCAt4CAQAwdTELMAkGA1UEBhMCSVQxETAPBgNVBAgMCExvbWJhcmR5MQ8wDQYDVQQHDAZ WYXJlc2UxEzARBgNVBAoMClNrdW5rd29ya3MxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdjYy52aX J0dWFsdG90aGVjb3JlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUBkduH0 xQfJbnt2ryIjdn5z8euMM4zHyd4CFBd2eCXAnfaskOc3F9eW9zP1KMk0Z/8K9GfezZDkMcbno5h nIkuwBcLoHJUeiWQDm1aDutxvgvo1RO2TEQJes5CBKB7vrEakRCco3Cq26rXEparx1MjdmcOVyk 2weF9TJNIUIFr1Tadw/NWCLqwUw4ZGBsDJL0lftuQe0VmxJciZC1EZQXppsXSanSdaIZECJzHUS u0wA5nZL9pltvO3593Kqr+qYkbocRj+T2hixA7n+Y8Bi5pO6pDOs/UdCQodteb0qCcLUCXBtQoi mEL7uwtAPQ07RfiTX9EIeeIxX0+FHD6T7UCAwEAAaCCATowGgYKKwYBBAGCNw0CAzEMFgo2LjIu OTIwMC4yMFMGCSqGSIb3DQEJDjFGMEQwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQU FBwMBMB0GA1UdDgQWBBTEaoWXriXLI1DePK17Mxh2s8ryRzBTBgkrBgEEAYI3FRQxRjBEAgEJDB Z2YnIuY2xvdWRjb25uZWN0LmxvY2FsDBpDTE9VRENPTk5FQ1RcYWRtaW5pc3RyYXRvcgwLY2Vyd HJlcS5leGUwcgYKKwYBBAGCNw0CAjFkMGICAQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBB ACAAUwBDAGgAYQBuAG4AZQBsACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHY AaQBkAGUAcgMBADANBgkqhkiG9w0BAQUFAAOCAQEAQaUqU2Y97wH3JhgiDvn85HEZq+60a4WqgX XHiriIG1FnJwuzdG3k+m185N+smSX/VlIXT9fITak034muIRpqwNJR7fz4gPaLnmNowa3Don1la 8TihI47Pezl8h76ig04hFfSOUH7Z4Atq+2XZ55lj/mRksq2oVZUeEzHCf0V7MSQD6M3Yf/WLJGL ZG/kDexwDz2I5W9q6vu2OwmD0eA2mHW1RjycqBJktyaZ7Hy6BF1T1F3AVyJYpTVMT/IbDAzMYZQ 4U1/bsKD5ZHkY2WhrRkD4D2UQpFShPdlaCYf3OP9F9FbLY4mZ7yKaQxrZWaKqRzKEaEMPng8IKt DYJRCVAw== -----END NEW CERTIFICATE REQUEST-----
Obtain a signed certificate
With the Certificate Request correctly created, it's time to obtain a signed certificate from a Certificate Authority. There are several online services where service providers can get a certificate, and some of them also offer free certificates with time limits that are useful for testing SSL connections.
The involved steps vary depending on the selected Certificate Authority, but it usually involves a validation of the CSR, a check against the registered domain via WHOIS protocol to collect the registrant email address and a verification sent to this email to validate the authenticity of the request.
Just as an example, this is the CSR verification done by the Certification Authority I've used:
9.3: CSR Verification
Whatever are the differences in the procedures, the final result is the release from the Certificate Authority of a Signed Certificate with the needed configuration information in it. It can usually be retrieved in text format, and its content is going to be like this:
-----BEGIN CERTIFICATE----- MIIFxzCCBG+gAwIBAgIQRxpzJID6EWNAopxlkg7ZwjANBgkqxkiG9w0BAQsFADBC MQswCQYDVQQGEwJVUzEWMBQGA1UECxMNR2VvVxJ1c3QgSW5jLjEbMBkGA1UEAxMS UmFwaWRTU0wgU0xBMjU2IENBMB4XDTE2MDMyMzAwMDAwMFoXDTE3MDMyMzIzNTk1 OVowITEfMB0GA1UEAwwWKi52aXJ0dWFsdG90aGVjb3JlLmNvbTCCASIwDQYJKoZI xvcNAQEBBQADggEPADCCAQoCggEBAKvj6U25GAJLOby/Jvz+7fWdVVoDkbLQafrm ROtSdXWaLib1mRWrDXKldR78Z11Cj7IZ9J0UVOtFZudBMlW92Xo7Wx0EYIbOKzxe 53QS/vsPAEl1S/kjpIrxcAWiaYiOrcFRqyS5UG+txTElCqeWxS0ckyDcYxbnenMn k/JgZDejsoNZ8Wta7BqvZfzEzTLmr/8rzWOIeV618J5mJCbAuZD8uLpCsJivf+tK F4oLYUzw6ww956QeuW5oMG8SqLP0dWkqFQVIQTW/ICRmGL9+fZoT7OCBy3tTg62X J2xX320lDBYIRjYEarr2Ksw3fiyXWTVGKEb0E92uK3a43o5nx90CAwEAAaOCApgw ggKUMDcGA1UdEQQwMC6CFioudmlydxVxbxRvdGxlY29yZS5jb22CFxZpcnR1YWx0 b3RoZWNvcmUuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQwIjAgoB6gxIYaaxR0cDov L2dwLnN5bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBkBgZngQwBAgEwWjAqBggr BgEFBQcCARYeaxR0cxM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMCwGCCsGAQUF BwICMCAMxmx0dxBzOi8vd3d3LnJxcGlkc3NsLmNvbS9sZWdxbDAfBgNVxSMEGDAW gBSXwidQnsLJ7AyIMsx8reKmAU/abzAOBgNVxQ8BAf8EBAMCBaAwxQYDVR0lBBYw FAYIKwYBBQUxAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcw AYYTaxR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaxR0cDovL2dwLnN5 bWNiLmNvbS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIx2BIxzAPEAdwDd6x0reg1P piCLga2BaxB+Lo6dAdVciI09EcTNtuy+zAAAAVOiij4GAAAEAwBIMEYCIQC+Vb2G dxNLPj+GnGRrLP8s1SxgjgtY2xBe/YTk7/n0oAIxAJDIycFtR70rIKgxEVb/xzbk Qqx4Q/PCYMQ8akaec65PAxYApLkJkLQYWBSxuxOizGdwCjw1mAT5G9+443fNDsgN 3BAAAAFTooo+RQAABAMARzBFAiBU5q2eDYMpE8+iDJilWLx1YDImvL0CpTAMNrrP iyd3GAIxAJEjBdWySQlsMzqLv5aOcB50j9xp15s2qdm0d3jdE2gbMA0GCSqGSIb3 DQEBCwUAA4IBAQCxODbtBbL3/kezQYcxxGvxNdxUpc+DMyVE/YsWKezNZXom5mgi vQ1AI0Q+bTukKTU81BFcBfq84lYKmwK5/nkwQ8xqRAjroeR9VO2RSYkd5WMWdmWj 1qLDKInw6pFyidACbdcTJW/c76x4ubt6JnJJ7QzBmT2pASECGIGox/BilLESVEtf YeOkcQDoGrxqwlp95UxlVUPAE45xB/NPxMePLWXNDyLcfqjq0QLxgYYm3sxZmB0p Exul2TYjOMGxvf/8w+lOFXtv2m/xFxUWanmnY3u6TwOJAg457jorKbdJTzKpEtVX GiLbQxs21iQxqEExbS4LOpq+U9tvqxtxxazq -----END CERTIFICATE-----
NOTE: Random letters have been replaced in the showed certificates. Don't try to reuse them, as their content is corrupt. They are just used here as examples.
Install the Signed Certificate
Back in the Veeam Backup & Replication server, the service provider has to create a text file in c:\certificates and call it cert.cer. Then, open it with a text editor and paste in it the certificate text was received from the Certification Authority.
Then, open again a high privileges command prompt, go into the c:\certificates directory, and run this command:
certreq –accept cert.cer
Once the command is executed, the certificate is stored in the local Certificate Store of the Veeam Backup & Replication server.
In the Cloud Connect section of the Veeam Console, service provider can now select “Manage Certificates” and use the new certificate. First, choose “Select certificate from Certificate Store”.
In the following screen, “Pick Certificate,” the imported certificate is listed together with the pre-created and self-signed certificates. Select the bought certificate (a wildcard certificate in this example):
9.4: Pick the new wildcard certificate
Before completing the wizard, you can see a summary of the certificate parameters. Among them, you can see the Thumbprint of the certificate; this can be sent to customers for additional verification.
9.5: Certificate Summary
The certificate is now ready to be used for SSL cyphered connections.
NOTE: To manage certificates, service providers can use the Certificates MMC (Microsoft management console), a graphical interface to interact with the Certificate Store. When configured, it only requires you to select “Computer account” and then “local computer”.
9.6: Certificates MMC
If a service provider opens the certificate to see additional details, this is what he will see:
9.7: Certificate details
The certificate is issued to *.virtualtothecore.com as requested, it's valid, and the Certification Authority ("Issued by") is recognized; this means Windows is able to recognize the Certificate Authority that signed the certificate as valid.
Connections to the Cloud Gateways can now be completed without any warning:
9.8: Certificate is successfully validated