Third-party service certificate

This page explains how to add and manage third-party certificates used by the Backup and DR Service.

Backup and DR Service can connect to the external endpoint of a third-party service only if the endpoint has a valid certificate, issued by a public Certificate Authority (CA), associated with it. If the endpoint doesn't have a certificate, you need to add one to it.

A certificate is validated either through certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP). If the CRL or OCSP endpoints are not reachable, the certificate is treated as valid and an event is generated. You can track these events on the Monitor > Events page.

Before you begin

Allow egress connections from the backup/recovery appliance to the OCSP or CRL endpoints of the certificate by using Cloud NAT. By default, Cloud NAT has access to all the primary and secondary IP ranges of all subnets in the region of a Virtual Private Cloud (VPC) network. To limit Cloud NAT access to only the subnet where the appliance is deployed, see Specify subnet ranges for NAT.
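To decide which OCSP and CRL hosts the egress path above has to reach, you can read the endpoints out of the certificate itself. The following is an added example, not part of the original documentation or of Backup and DR Service: a standard-library Python parser that walks the certificate's DER encoding and returns the OCSP and CRL URLs it names. The function names, the `der_el` helper, and the sample URLs are assumptions made for illustration, and the sample is a constructed extensions fragment rather than a real certificate.

```python
AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
CRLDP = bytes.fromhex("551d1f")           # 2.5.29.31 cRLDistributionPoints
OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
URI = 0x86                                # GeneralName [6] uniformResourceIdentifier

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: low 7 bits give the length's byte count
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def uris(buf):
    """Collect every URI GeneralName nested anywhere inside buf."""
    return [u for tag, val in tlvs(buf)
            for u in ([val.decode("ascii")] if tag == URI else uris(val) if tag & 0x20 else [])]

def revocation_endpoints(der, found=None):
    """Return {'ocsp': [...], 'crl': [...]} URLs named in DER certificate bytes."""
    found = {"ocsp": [], "crl": []} if found is None else found
    for tag, val in tlvs(der):
        kids = list(tlvs(val)) if tag & 0x20 else []   # only constructed elements nest
        # Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING value }
        is_ext = tag == 0x30 and len(kids) >= 2 and (kids[0][0], kids[-1][0]) == (0x06, 0x04)
        if is_ext and kids[0][1] == CRLDP:
            found["crl"] += uris(kids[-1][1])
        elif is_ext and kids[0][1] == AIA:
            (_, descs), = tlvs(kids[-1][1])            # SEQUENCE OF AccessDescription
            for _, desc in tlvs(descs):
                (_, method), (loc_tag, loc) = tlvs(desc)
                if method == OCSP and loc_tag == URI:  # skip caIssuers entries
                    found["ocsp"].append(loc.decode("ascii"))
        elif tag & 0x20:
            revocation_endpoints(val, found)           # keep walking toward the extensions
    return found

def der_el(tag, *parts):  # constructed-sample helper: short-form DER, body < 128 bytes
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample: only the [3] extensions field of a certificate, with made-up URLs.
OCSP_EXT = der_el(0x30, der_el(0x06, AIA), der_el(0x04, der_el(0x30, der_el(
    0x30, der_el(0x06, OCSP), der_el(URI, b"http://ocsp.ca.example")))))
CRL_EXT = der_el(0x30, der_el(0x06, CRLDP), der_el(0x04, der_el(0x30, der_el(
    0x30, der_el(0xA0, der_el(0xA0, der_el(URI, b"http://crl.ca.example/ca.crl")))))))
SAMPLE = der_el(0xA3, der_el(0x30, OCSP_EXT, CRL_EXT))
```

Pass DER bytes to `revocation_endpoints`; for a PEM file, base64-decode the text between the BEGIN and END lines first. A certificate that yields two empty lists names no revocation endpoint, so there is no OCSP or CRL host to allow egress to.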

IAM roles and permissions

The following permissions are required for third-party certificate operations:

  • backupdr.managementServers.manageSystem and backupdr.managementServers.viewSystem for adding or deleting certificates
  • backupdr.managementServers.viewSystem for viewing certificates

Add a certificate

You can add a private-CA-issued or self-signed certificate to a third-party service endpoint using the Manage > Certificates page. For example, if a vCenter is using a private CA or self-signed certificate, you need to add the certificate to the management console.

Use the following instructions to add a third-party certificate:

  1. Click Manage > Certificates.
  2. Click Add Certificate.
  3. Add the certificate in either of the following ways:

    • Copy the certificate and paste it in the Certificate box.
    • Click Choose File and upload the certificate.
  4. Click Upload.

Delete a certificate

Use the following instructions to delete a certificate:

  1. Click Manage > Certificates.
  2. Right-click the certificate that you want to remove and select Delete.
  3. Click Delete in the confirmation dialog.
