Some of you may have noticed a certificate validation error when using the Automatic Update function in the Veeam Backup for Microsoft 365 console. The error is due to a certificate expiring (which is needed to validate server updates). There is no cause for concern; the certificate was not compromised, and the option to manually patch the server was not interrupted. This certificate has since been updated, but a manual patch is needed to get the new certificate for validation. For those who want the quick fix, head over to KB4341. The rest of this article will cover some good-to-know information about certificates and some lessons learned.
What is PKI
We commonly hear the term “certificates” with applications or websites and understand this is generally associated with security but may not understand what role certificates play. To start, let's talk about what a certificate is. A digital certificate is used to initiate an information exchange in two major parts; first, by saying, “ you are who you say you are,” and second, by agreeing on the terms of the communication. This data exchange is commonly referred to as Public Key Infrastructure, or PKI, and is the agreed-upon way to initiate secure communication with resources over a network and the internet.
The first part of this equation is around proving your identity, and this is done by exchanging a message only you (the recipient) can decipher. The magic of this exchange is completed with asymmetrical encryption, meaning that a data message encrypted with one digital key (referred to as the public key) can only be deciphered with a second digital key (referred to as the private key). This key generation is done with long, complex math involving prime numbers where only one solution (private key) can solve the problem. Since the recipient should be the only entity with the private key, you can verify that is the intended target for the data exchange.
The second major part of the equation is to determine how the bulk transfer of data will be exchanged. There are several reasons behind this, but a large reason is the asymmetrical encryption used for the initial exchange takes a while to decipher and is processor heavy. Therefore, if a large amount of data needs to be sent, we want to use something less resource intensive, like symmetrical encryption. The first message sent to the recipient you want to communicate with will contain several critical pieces of information. The package will contain things like the highest and lowest form of symmetrical encryption supported and your public key so no one else can read the message back on how the data will be exchanged.
Why certificate validation is needed
When reading about PKI, it is plain to see that this exchange can be compromised easily if misused or not monitored. Luckily there are ways to validate both public and private certificates. By using a Certificate Authority (CA) to validate the certificate's information, we can ensure that the data exchange is secure. A certificate is filled with information and has a thumbprint to validate with the CA that the information on the certificate matches what it should be. Imagine this certificate like your ID card has a number on it that links to a database with your personal information. If someone stole your card and tried to forge their information, they would be caught as soon as someone tried to validate the ID.
The public certificate authorities have stringent criteria in order to validate a company to register a certificate with them. They keep a running list of active certificates and ones known to be compromised. Active certificates must continue to validate with the certificate authority in order to renew their expiration date. If a certificate key is compromised (meaning the private key was stolen or insecure), then the certificate enters what is known as the certificate revocation list or CRL. If you ever get a warning that the site or application cannot be validated because it is on the revocation list, do NOT proceed.
Lessons learned updating certificates
As stated above, certificates go through renewal cycles and get updated in this process with new expiration dates. If there is nothing wrong with the certification and the private key is still secure, it simply gets a new expiration date. This process can take some time with the certificate authority; once the renewal paperwork is complete, the updated certificates are pushed out.
An expired certificate does not necessarily mean the certificate is compromised; that’s what the revocation list is for. Working with an expired certificate is like getting into an elevator and noticing the “service by” date has passed. This doesn’t mean the elevator won't get you securely to the right floor. However, this is a judgment call each person needs to make. If the building is not compromised or untrustworthy, you may choose to take the ride. In the case of Veeam software, the expiration date is part of the validation check and will fail the communication exchange. Veeam has taken a firm stance on security and will continue to do so.
Correct the certificate error
For anyone who has run into the certificate error, the patch details can be found in KB4341. This error is only received when using the auto-update wizard in the console and can work around by manually downloading the patch from the website. Veeam also provides a hash check next to the file that was downloaded. This hash can be used to verify the download is complete and not compromised. For assistance installing the patch, feel free to contact support.