Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. Certificate doesn't support 'digitalSignature' KeyUsage

KB ID: 4564
Product: Veeam Backup & Replication | 12 | 12.1
Published: 2024-04-02
Last Modified: 2024-04-02
Challenge

Attempting to deploy the Veeam Plug-in for VMware vSphere Client through Veeam Backup Enterprise Manager fails with the error:

Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. Certificate doesn't support 'digitalSignature' KeyUsage

Cause

The certificate in use by Veeam Backup Enterprise Manager has a KeyUsage parameter defined, but Digital Signature is not among the specified usages.

Default Veeam Backup Enterprise Manager "Veeam Self-Signed Certificate" History
  • In Veeam Backup Enterprise Manager 10a and older, the self-signed certificate generated by the installer was created with the following:
    KeyUsage: Key Encipherment, Data Encipherment
  • Starting in Veeam Backup Enterprise Manager 11, the self-signed certificate generated by the installer has no KeyUsage specified, meaning all uses are accepted.

This means that if a Veeam Backup Enterprise Manager deployment was initially installed with version 10a or earlier and then upgraded to newer versions using the same self-signed certificate, the issue will occur.
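To confirm which certificate is affected before replacing anything, the KeyUsage state of each certificate in the local machine store can be listed. This is an added example, not part of the original KB or Veeam's scripts; the function name Get-KeyUsageStatus is hypothetical, and it assumes an Administrative PowerShell Console on the Enterprise Manager server.

```powershell
# Added example: report the KeyUsage state of each certificate in LocalMachine\My.
# Get-KeyUsageStatus is a hypothetical helper name, not a Veeam or Windows cmdlet.
function Get-KeyUsageStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # KeyUsage is an optional X.509 extension; pick it out if the certificate has one.
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1

        $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature

        if (-not $ku) {
            # No extension at all: the certificate places no restriction on key usage.
            $usage  = '(not specified)'
            $status = 'OK: no KeyUsage restriction'
        }
        elseif ($ku.KeyUsages.HasFlag($digSig)) {
            $usage  = $ku.KeyUsages.ToString()
            $status = 'OK: Digital Signature present'
        }
        else {
            # Matches the 10a-era certificate (Key Encipherment, Data Encipherment).
            $usage  = $ku.KeyUsages.ToString()
            $status = 'AFFECTED: KeyUsage set without Digital Signature'
        }

        [pscustomobject]@{
            Thumbprint   = $Certificate.Thumbprint
            FriendlyName = $Certificate.FriendlyName
            NotAfter     = $Certificate.NotAfter
            KeyUsage     = $usage
            Status       = $status
        }
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My | Get-KeyUsageStatus | Format-List
```

Compare the Thumbprint of any AFFECTED entry with the certificate selected in the https binding of the VeeamBackup site; the same command can be re-run after generating the new certificate to confirm it reports OK.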

Solution

To resolve this issue, either generate a new Veeam self-signed certificate or import a new certificate you've generated, and then assign the new certificate to the site within IIS Manager.

Generate New Enterprise Manager Self-Signed Certificate

Script Minimum OS Requirement

The scripts below require at least Microsoft Windows Server 2016 or Windows 10.

In older OS versions, the cmdlet New-SelfSignedCertificate does not accept the parameters these scripts use.

This script will create a new self-signed certificate with all the same parameters as one created by the Veeam Backup Enterprise Manager (v12.1) installer.

On the machine where Veeam Backup Enterprise Manager is installed, open an Administrative PowerShell Console and run the following PowerShell script:

# Generate Self-Signed Certificate
$params = @{
    DnsName           = [System.Net.Dns]::GetHostByName("").HostName
    CertStoreLocation = "Cert:\LocalMachine\My"
    FriendlyName      = "$(Get-Date -Format 'yyMMdd') Veeam Self-Signed Certificate"
    Subject           = 'CN=' + [System.Net.Dns]::GetHostByName("").HostName
    KeyUsage          = @("None")
    NotAfter          = (Get-Date).AddYears(10)
}
$cert = New-SelfSignedCertificate @params

# Add the certificate to the Trusted Root Certification Authorities
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()

Assigning the New Certificate to the Site

With a new certificate imported or generated using the steps above, perform the following steps to assign that certificate to the site within IIS Manager.

  1. Open Internet Information Services (IIS) Manager (InetMgr.exe).
  2. Expand the node for the server's name.
  3. Expand the Sites node.
  4. Right-click on the site named VeeamBackup.
  5. From the context menu, select Edit Bindings...
  6. In the Site Bindings window, double-click the https entry.
  7. Using the SSL certificate drop-down box, select the new certificate.

    Note: The self-signed certificate generation scripts on this KB add a datestamp prefix to the new certificate's name for easy identification.
  8. After selecting the new SSL certificate, click OK to close the https site binding settings, then close the Site Bindings window with the close button.
  9. Right-click the site, and from the Manage Website sub-menu, select Restart.

More Information

If the Veeam Plug-in for VMware vSphere Client continues to have issues deploying, please create a Veeam Support case for assistance.