9.1 SSL Certificates generation

Veeam Backup & Replication™ gives Service Providers the ability to generate and use a self-signed certificate during the initial configuration of Veeam® Cloud Connect. This is a quick and easy method to complete the deployment and to test it, but gives lower security to customers, since they cannot verify the certificate, and thus proving the authenticity of the Service Provider.

When a user connects to a Cloud Connect environment and uses a self-signed certificate, this is the result: warning when using self-signed certificates

9.1: warning when using self-signed certificates

The reason for the warning is that the self-signed certificate is not signed by any of the recognized Certification Authorities:

Self-Signed certificate

9.2: A self-signed cert generates a trust warning

In order to properly protect Cloud Connect and give their customer comfort, the Service Provider should use a proper and generally recognized certificate, issued by one of the Certification Authorities recognized by operating systems.

Create the Certificate Signing Request (CSR)

In public key infrastructure (PKI) systems, a certificate signing request (also displayed as CSR or certification request) is a message sent from an applicant (the Service Provider running Cloud Connect in our case) to a Certificate Authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS #10 specification.

Before creating a CSR, the applicant first generate a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant’s private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

The first and most important operation a Service Provider should do is to decide the public fully qualified domain name that Cloud Gateways will use to be contacted by users. This name should match the one used in DNS and the one used in the CSR. In this guide, the public domain of the Cloud Connect service is virtualtothecore.com, and the fqdn (fully qualified domain name) is:

cc.virtualtothecore.com

In order to create the CSR, on the Windows Server running Veeam Backup & Replication (vbr.cloudconnect.local in this guide) a Service Provider needs first to create with a text editor an .inf file. This file (it can be called request.inf) should contain a text like this:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN= FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = "cc"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
; SAN="dns=cc.virtualtothecore.com"

The text parts related to the virtualtothecore.com example are to be changed with the specific values of the Service Provider. To obtain a valid certificate from a Certificate Authority, a proper domain name should be used. Thus, I’ve used for this procedure my blog domain name virtualtothecore.com, and so the FQDN is cc.virtualtothecore.com. You will also have to write your own information in the “Subject” line.

Note that, if you want to generate a request for a wildcard certificate, the CN portion of the subject must start with the * symbol.

After the configuration file has been edited, it can be saved in a useful location like a dedicated folder c:\certificates. Then, the Service Provider has to open a command prompt with Administrator rights (right click and select “Run as Administrator), move into c:\certificates and use this command:

certreq -new request.inf certreq.txt

If you open the created certreq.txt file, its content is like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIID9jCCAt4CAQAwdTELMAkGA1UEBhMCSVQxETAPBgNVBAgMCExvbWJhcmR5MQ8wDQYDVQQHDAZ
WYXJlc2UxEzARBgNVBAoMClNrdW5rd29ya3MxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdjYy52aX
J0dWFsdG90aGVjb3JlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUBkduH0
xQfJbnt2ryIjdn5z8euMM4zHyd4CFBd2eCXAnfaskOc3F9eW9zP1KMk0Z/8K9GfezZDkMcbno5h
nIkuwBcLoHJUeiWQDm1aDutxvgvo1RO2TEQJes5CBKB7vrEakRCco3Cq26rXEparx1MjdmcOVyk
2weF9TJNIUIFr1Tadw/NWCLqwUw4ZGBsDJL0lftuQe0VmxJciZC1EZQXppsXSanSdaIZECJzHUS
u0wA5nZL9pltvO3593Kqr+qYkbocRj+T2hixA7n+Y8Bi5pO6pDOs/UdCQodteb0qCcLUCXBtQoi
mEL7uwtAPQ07RfiTX9EIeeIxX0+FHD6T7UCAwEAAaCCATowGgYKKwYBBAGCNw0CAzEMFgo2LjIu
OTIwMC4yMFMGCSqGSIb3DQEJDjFGMEQwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQU
FBwMBMB0GA1UdDgQWBBTEaoWXriXLI1DePK17Mxh2s8ryRzBTBgkrBgEEAYI3FRQxRjBEAgEJDB
Z2YnIuY2xvdWRjb25uZWN0LmxvY2FsDBpDTE9VRENPTk5FQ1RcYWRtaW5pc3RyYXRvcgwLY2Vyd
HJlcS5leGUwcgYKKwYBBAGCNw0CAjFkMGICAQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBB
ACAAUwBDAGgAYQBuAG4AZQBsACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHY
AaQBkAGUAcgMBADANBgkqhkiG9w0BAQUFAAOCAQEAQaUqU2Y97wH3JhgiDvn85HEZq+60a4WqgX
XHiriIG1FnJwuzdG3k+m185N+smSX/VlIXT9fITak034muIRpqwNJR7fz4gPaLnmNowa3Don1la
8TihI47Pezl8h76ig04hFfSOUH7Z4Atq+2XZ55lj/mRksq2oVZUeEzHCf0V7MSQD6M3Yf/WLJGL
ZG/kDexwDz2I5W9q6vu2OwmD0eA2mHW1RjycqBJktyaZ7Hy6BF1T1F3AVyJYpTVMT/IbDAzMYZQ
4U1/bsKD5ZHkY2WhrRkD4D2UQpFShPdlaCYf3OP9F9FbLY4mZ7yKaQxrZWaKqRzKEaEMPng8IKt
DYJRCVAw==
-----END NEW CERTIFICATE REQUEST-----

Obtain a signed certificate

With the Certificate Request correctly created, it’s time to obtain a signed certificate from a Certificate Authority. There are several online services where service providers can get a certificate, and some of them also offer free certificates with time limits that are useful for testing SSL connections.

The involved steps vary depending on the selected Certificate Authority, but it usually involves a validation of the CSR, a check against the registered domain via WHOIS protocol to collect the registrant email address and a verification sent to this email to validate the authenticity of the request.

Just as an example, this is the CSR verification done by the Certification Authority I’ve used:

CSR Verification

9.3: CSR Verification

Whatever are the differences in the procedures, the final result is the release from the Certificate Authority of a Signed Certificate with the needed configuration information in it. It can usually be retrieved in text format, and its content is going to be like this:

-----BEGIN CERTIFICATE-----
MIIFxzCCBG+gAwIBAgIQRxpzJID6EWNAopxlkg7ZwjANBgkqxkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UECxMNR2VvVxJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0xBMjU2IENBMB4XDTE2MDMyMzAwMDAwMFoXDTE3MDMyMzIzNTk1
OVowITEfMB0GA1UEAwwWKi52aXJ0dWFsdG90aGVjb3JlLmNvbTCCASIwDQYJKoZI
xvcNAQEBBQADggEPADCCAQoCggEBAKvj6U25GAJLOby/Jvz+7fWdVVoDkbLQafrm
ROtSdXWaLib1mRWrDXKldR78Z11Cj7IZ9J0UVOtFZudBMlW92Xo7Wx0EYIbOKzxe
53QS/vsPAEl1S/kjpIrxcAWiaYiOrcFRqyS5UG+txTElCqeWxS0ckyDcYxbnenMn
k/JgZDejsoNZ8Wta7BqvZfzEzTLmr/8rzWOIeV618J5mJCbAuZD8uLpCsJivf+tK
F4oLYUzw6ww956QeuW5oMG8SqLP0dWkqFQVIQTW/ICRmGL9+fZoT7OCBy3tTg62X
J2xX320lDBYIRjYEarr2Ksw3fiyXWTVGKEb0E92uK3a43o5nx90CAwEAAaOCApgw
ggKUMDcGA1UdEQQwMC6CFioudmlydxVxbxRvdGxlY29yZS5jb22CFxZpcnR1YWx0
b3RoZWNvcmUuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQwIjAgoB6gxIYaaxR0cDov
L2dwLnN5bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBkBgZngQwBAgEwWjAqBggr
BgEFBQcCARYeaxR0cxM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMCwGCCsGAQUF
BwICMCAMxmx0dxBzOi8vd3d3LnJxcGlkc3NsLmNvbS9sZWdxbDAfBgNVxSMEGDAW
gBSXwidQnsLJ7AyIMsx8reKmAU/abzAOBgNVxQ8BAf8EBAMCBaAwxQYDVR0lBBYw
FAYIKwYBBQUxAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcw
AYYTaxR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaxR0cDovL2dwLnN5
bWNiLmNvbS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIx2BIxzAPEAdwDd6x0reg1P
piCLga2BaxB+Lo6dAdVciI09EcTNtuy+zAAAAVOiij4GAAAEAwBIMEYCIQC+Vb2G
dxNLPj+GnGRrLP8s1SxgjgtY2xBe/YTk7/n0oAIxAJDIycFtR70rIKgxEVb/xzbk
Qqx4Q/PCYMQ8akaec65PAxYApLkJkLQYWBSxuxOizGdwCjw1mAT5G9+443fNDsgN
3BAAAAFTooo+RQAABAMARzBFAiBU5q2eDYMpE8+iDJilWLx1YDImvL0CpTAMNrrP
iyd3GAIxAJEjBdWySQlsMzqLv5aOcB50j9xp15s2qdm0d3jdE2gbMA0GCSqGSIb3
DQEBCwUAA4IBAQCxODbtBbL3/kezQYcxxGvxNdxUpc+DMyVE/YsWKezNZXom5mgi
vQ1AI0Q+bTukKTU81BFcBfq84lYKmwK5/nkwQ8xqRAjroeR9VO2RSYkd5WMWdmWj
1qLDKInw6pFyidACbdcTJW/c76x4ubt6JnJJ7QzBmT2pASECGIGox/BilLESVEtf
YeOkcQDoGrxqwlp95UxlVUPAE45xB/NPxMePLWXNDyLcfqjq0QLxgYYm3sxZmB0p
Exul2TYjOMGxvf/8w+lOFXtv2m/xFxUWanmnY3u6TwOJAg457jorKbdJTzKpEtVX
GiLbQxs21iQxqEExbS4LOpq+U9tvqxtxxazq
-----END CERTIFICATE-----

NOTE: Random letters have been replaced in the showed certificates. Don’t try to reuse them, as their content is corrupt. They are just used here as examples.

Install the Signed Certificate

Back in the Veeam Backup & Replication server, the service provider has to create a text file in c:\certificates and call it cert.cer. Then, open it with a text editor and paste in it the certificate text was received from the Certification Authority.

Then, open again a high privileges command prompt, go into the c:\certificates directory, and run this command:

certreq –accept cert.cer

Once the command is executed, the certificate is stored in the local Certificate Store of the Veeam Backup & Replication server.

In the Cloud Connect section of the Veeam Console, service provider can now select “Manage Certificates” and use the new certificate. First, choose “Select certificate from Certificate Store”.

In the following screen, “Pick Certificate,” the imported certificate is listed together with the pre-created and self-signed certificates. Select the bought certificate (a wildcard certificate in this example):

Pick the new wildcard certificate

9.4: Pick the new wildcard certificate

Before completing the wizard, you can see a summary of the certificate parameters. Among them, you can see the Thumbprint of the certificate; this can be sent to customers for additional verification.

Certificate Summary

9.5: Certificate Summary

The certificate is now ready to be used for SSL cyphered connections.

NOTE: To manage certificates, service providers can use the Certificates MMC (Microsoft management console), a graphical interface to interact with the Certificate Store. When configured, it only requires you to select “Computer account” and then “local computer”.

Certificates MMC

9.6: Certificates MMC

If a service provider opens the certificate to see additional details, this is what he will see:

Certificate details

9.7: Certificate details

The certificate is issued to *.virtualtothecore.com as requested, it’s valid, and the Certification Authority (“Issued by”) is recognized; this means Windows is able to recognize the Certificate Authority that signed the certificate as valid.

Connections to the Cloud Gateways can now be completed without any warning: Certificate is successfully validated

9.8: Certificate is successfully validated