This page explains how to add and manage third-party certificates used by the
Backup and DR Service.
Backup and DR Service can connect to the external endpoint of a third-party
service only if the endpoint has a valid certificate issued by a public
Certificate Authority (CA) associated with it. If the endpoint doesn't have a
certificate, you need to add one to it.
A certificate is validated either through certificate revocation lists (CRL)
or Online Certificate Status Protocol (OCSP). If the CRL or OCSP endpoints
are not reachable, the certificate is treated as valid and an event is
generated. You can track these events on the Monitor > Events page.
Before you begin
Allow egress connection from the backup/recovery appliance to the OCSP
or CRL endpoints of the certificate using Cloud NAT. By default,
Cloud NAT has access to all the primary and secondary IP ranges of all
subnets in the region of a Virtual Private Cloud (VPC) network. To limit Cloud NAT access to only the subnet where the appliance is deployed, see Specify subnet ranges for NAT.
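To decide which egress to allow, you first need the OCSP and CRL endpoints the certificate itself names. The following is an added example, not part of the original page or of Backup and DR Service: it reads both extensions with the `openssl` CLI (OpenSSL 1.1.1 or later assumed), and the function names, file names and `example.test` URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the revocation endpoints named in a certificate.
# Assumes OpenSSL 1.1.1 or later (-ext and -addext options).

# OCSP responder URL(s) from the Authority Information Access extension.
ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# CRL URL(s) from the CRL Distribution Points extension.
crl_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^ *URI://p'
}

# One "type url" line per endpoint, or "none" when the certificate
# carries neither extension and so names no endpoint to reach.
revocation_endpoints() {
    found=0
    for u in $(ocsp_urls "$1"); do echo "ocsp $u"; found=1; done
    for u in $(crl_urls "$1"); do echo "crl $u"; found=1; done
    [ "$found" -eq 1 ] || echo "none"
}

# Unique hostnames the appliance must be able to reach.
endpoint_hosts() {
    revocation_endpoints "$1" |
        sed -n -E 's#^(ocsp|crl) [a-z]+://([^/:]+).*#\2#p' | sort -u
}

# Constructed sample: a throwaway certificate with both extensions set.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vcenter.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh revocation_endpoints.sh cert.pem
if [ -n "${1:-}" ]; then
    revocation_endpoints "$1"
    endpoint_hosts "$1"
fi
```

Because an unreachable endpoint results in the certificate being treated as valid, checking this list against the permitted egress shows whether revocation is actually being checked for that certificate.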
IAM roles and permissions
The following permissions are required for third-party certificate
operations:
- `backupdr.managementServers.manageSystem` and `backupdr.managementServers.viewSystem` for adding or deleting certificates
- `backupdr.managementServers.viewSystem` for viewing certificates
Add a certificate
You can add a certificate issued by a private CA, or a self-signed certificate, to a third-party
service endpoint using the Manage > Certificates page. For example,
if a vCenter is using a private CA or self-signed certificate, you need to add
the certificate to the management console.
Use the following instructions to add a third-party certificate:
1. Click Manage > Certificates.
2. Click Add Certificate.
3. Add the certificate in either of the following ways:
   - Copy the certificate and paste it in the Certificate box.
   - Click Choose File and upload the certificate.
4. Click Upload.
Delete a certificate
Use the following instructions to delete a certificate:
1. Click Manage > Certificates.
2. Right-click the certificate that you want to remove and select Delete.
3. Click Delete in the confirmation dialog.
Last updated 2025-08-29 UTC.