When you reinstall vCenter Server, it generates new SSL certificates. Veeam Backup & Replication maintains its own certificate store and continues to use the old certificate thumbprint for authentication, resulting in the "remote certificate is invalid" error during backup jobs.
Here's how to properly update the certificate in Veeam:
# PowerShell snippet to check current certificate thumbprint
Get-VBRServer -Name "your_vcenter_server" | Select-Object Name, Info
- Open Veeam Backup & Replication console
- Navigate to Backup Infrastructure > Managed Servers
- Right-click your vCenter Server > Properties
- Click "Certificate" tab > "Import Certificate"
- Select "Obtain automatically" and click OK
For automated environments, use PowerShell:
# Remove old vCenter server reference
$server = Get-VBRServer -Name "vcenter.example.com"
Remove-VBRServer -Server $server -Confirm:$false
# Add vCenter again with new certificate
Add-VBRvCenter -Name "vcenter.example.com" -User "administrator@vsphere.local" -Password "your_password"
- Verify time synchronization between Veeam server and vCenter
- Check DNS resolution for vCenter FQDN
- Ensure Veeam services have proper network access
- Restart Veeam services after certificate update
Create a monitoring script to detect certificate changes:
# PowerShell check for expiring certificates
$veeamServer = Get-VBRServer -Name "vcenter.example.com"
$cert = $veeamServer.GetCertificate()
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
Write-Warning "Certificate will expire soon: $($cert.NotAfter)"
}
When you reinstall vCenter Server Appliance (VCSA), it generates new SSL certificates by default. This breaks existing connections from Veeam Backup & Replication, which cached the previous certificate thumbprint. The specific error occurs because:
Error: The remote certificate is invalid according to the validation procedure
Component: VMware Backup Service
Failed to establish SSL connectionThere are three ways to handle this:
- Automatically trust new certificates (quick fix, less secure)
- Manually import the new certificate (recommended)
- Implement proper PKI with certificate authority
For temporary solutions or test environments, add this registry key:
Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication
Name: DisableCertificateValidation
Type: DWORD
Value: 1Then restart Veeam services:
net stop VeeamBackupSvc
net stop VeeamBrokerSvc
net start VeeamBackupSvc
net start VeeamBrokerSvcStep 1: Export vCenter Certificate
From vSphere Client:
- Navigate to Administration > Certificates > Certificate Management
- Select "Machine SSL Certificate"
- Click "Export" to save as .crt file
Step 2: Import into Veeam
Using PowerShell (run as Administrator):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import("C:\path\to\vcenter.crt")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
"Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()Check certificate installation with:
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
$_.Subject -like "*vcenter*" } | Format-ListThen restart the Veeam VMware Backup Service:
Restart-Service VeeamBackupSvcFor large environments, use this script to distribute certificates:
$servers = "veeam01","veeam02","veeam03"
$certPath = "\\share\certs\vcenter_new.crt"
foreach ($server in $servers) {
Invoke-Command -ComputerName $server -ScriptBlock {
param($path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($path)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
"Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
} -ArgumentList $certPath
Restart-Service -ComputerName $server -Name VeeamBackupSvc -Force
}- Maintain certificate expiration calendar
- Use certificate templates with longer validity periods
- Consider implementing VMware Certificate Manager (VCM)
- Document all certificate thumbprints in configuration management database