Automation is a big part of my career – which is why I love products that dish out RESTful API endpoints. Veeam does this via their Enterprise Manager product. The problem, which I assume is fairly common, is that when I first installed Enterprise Manager I did so using a self-signed certificate. Normally this isn’t a big deal, but when integrating the API with other applications that run over SSL it can be a pain to either import the self-signed certificate into the application or code around having to accept the certificate in the first place. A much easier option is to simply get yourself a valid trusted certificate. I’m not saying go out and buy one; in fact, if you have the Microsoft Windows Certificate Authority services running within your domain you can simply use that – why not, it’s free, right? Anyway, this is the route I went, and it’s not as straightforward as the cert imports I’m used to, so I thought I would share the process…
The first thing we need to do is generate a certificate request on our Veeam server – to do so, fire up the IIS Manager and click on Server Certificates – once the installed certificates appear click on ‘Create Certificate Request’ as shown below…
From here it’s just a matter of filling out the Distinguished Name properties as shown below – and then going through the motions of the wizard (note: I always select at least 2048 for bit length).
Once done, the wizard leaves us with a file saved somewhere on the filesystem – this is the certificate request we will need in order to generate the certificate. If you are using a full-blown trusted authority such as Entrust you can go ahead and send this off to them to obtain your certificate. That said, we are using our Windows Certificate Authority, so go ahead and copy that file over to your certificate authority server. The easiest way I’ve seen these certificates get generated on the Windows CA is to simply run the following command – obviously replacing the values with the options you filled out in the previous step and using any certificate template you have set up within your environment.
certreq -attrib "CertificateTemplate:WebServerV2\nSAN:DNS=veeam.mwpreston.local"
When prompted, select your newly created CSR and at the end of it all it should output a certificate for us! Go ahead and copy this back to your VBR server! I know – a lot of copying and back and forth :). Head back into the IIS Manager and into the Server Certificates area – this time selecting ‘Complete Certificate Request’, point to your newly created cert, give it a friendly name and import into the ‘Personal’ certificate store (as shown below).
Once we have imported our certificate it should show up within our list inside of IIS. One thing you will want to make note of here is the Certificate Hash (shown below). We will need this in order to complete the binding of the certificate to the proper port – so take note of it somewhere.
Now here is where things get a little tricky – well, to the point of the “unknown” for me anyway. What we have to do is remove the current self-signed certificate, which is bound to port 9398 (the HTTPS port for the Veeam REST API). Before removing it, though, we should take a look at the old binding, as there is some information we need to gather for a later step. To do this, drop to a command prompt and run the following:
netsh http show sslcert ipport=0.0.0.0:9398
After running be sure to make note of the Application Id (outlined below). We will need this string when we go to reassign the port to our new cert.
Our next step would be to remove the certificate associated with port 9398 using the following command…
netsh http delete sslcert ipport=0.0.0.0:9398
And finally we need to add our new certificate and assign it to the port. To do this we will need the Application Id we noted above, and also the certificate hash of our newly installed cert, which we also noted above. Once you have those two values you can go ahead and run the following command, again replacing the certhash and appid with the values from your environment:
netsh http add sslcert ipport=0.0.0.0:9398 certhash=EB6845E3F1381554FA6CC982882E2BF27795FC7D appid={73ec9393-95b6-4498-a845-9a0cb95306be}
And with that we are done! You should now be able to connect successfully to your Veeam REST API over HTTPS without the nags of certificate warnings. For more information you can check out the Veeam Help Center – they have a bit of a description of each command plus some links over to TechNet with more details – Thanks for reading!
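The show, delete and add steps above can be run as one PowerShell script that reads the Application Id from the existing binding, picks the new certificate out of the Personal store, and restores the old binding if the new one fails. This is an added example, not part of the original post; it assumes an elevated Windows PowerShell session on the Enterprise Manager server, English netsh output, and the DNS name used in the certreq command.

```powershell
# Added example. Assumptions: elevated Windows PowerShell on the Enterprise
# Manager server, English netsh output, certificate already imported into
# LocalMachine\My via 'Complete Certificate Request'.
$IpPort  = '0.0.0.0:9398'            # Veeam REST API HTTPS port (from the post)
$DnsName = 'veeam.mwpreston.local'   # SAN used in the certreq command

# 1. Read the current binding; keep its Application ID and hash for rollback.
$binding = netsh http show sslcert ipport=$IpPort | Out-String
if ($binding -notmatch 'Application ID\s*:\s*(\{[0-9a-f-]+\})') {
    throw "No SSL binding found on $IpPort"
}
$appId = $Matches[1]
if ($binding -notmatch 'Certificate Hash\s*:\s*([0-9a-f]+)') {
    throw "Could not read the current certificate hash on $IpPort"
}
$oldHash = $Matches[1]

# 2. Newest unexpired, CA-issued server certificate for the name, with a key.
$cert = Get-ChildItem Cert:\LocalMachine\My -DnsName $DnsName -SSLServerAuthentication |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Issuer -ne $_.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $DnsName in LocalMachine\My" }

# 3. Stop before touching the binding if the CA signed with SHA-1.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha1') { throw "Certificate is signed with $sigAlg" }

# 4. Swap the binding; put the old certificate back if the add fails.
netsh http delete sslcert ipport=$IpPort
netsh http add sslcert ipport=$IpPort "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    netsh http add sslcert ipport=$IpPort "certhash=$oldHash" "appid=$appId"
    throw "Binding $($cert.Thumbprint) failed; restored $oldHash"
}

# 5. Show the resulting binding for confirmation.
netsh http show sslcert ipport=$IpPort
```

Quoting the `appid=` argument matters in PowerShell, where a bare `{...}` would be parsed as a script block rather than passed to netsh as text.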
Useful to make sure your CA is a new one that isn’t still using SHA1 before doing this, otherwise you’ll be back at square one as more devices and agents get picky about blocking SHA1, as most browsers do nowadays.