Certificate's Private Key is Empty

Have you tried to create a new Self-Signed one to see if that works?  There is something off with the PFX and why you are getting the error even though the key is there.

Try importing the PFX to the Cert Manager first and then just selecting it from the wizard above to see if that works.

Unfortunately I am not able to use a Self-Signed cert in this environment. It must be signed with a valid CA. I have imported it to my local Windows Personal cert store first and that is where I am selecting it from the wizard. I have also tried installing it from the wizard using the direct option to select the .pfx and enter the password but it produces the same result and error message.

Unsure what to suggest at this point other than getting in touch with Support via a ticket.

There is obviously something wrong with the cert that Veeam is not liking.  Yes, the PFX contains the cert plus key, but something with the key file is off that it just does not like.

Sorry, I cannot suggest anything better.

Hi ​@jrhaakenson,

I cannot provide definitive guidance on this issue, as it relates specifically to VBR. Who is the issuer of this certificate?

I have encountered similar issues with other applications, where the private key was present and appeared to be correctly associated with the certificate, but the application still failed to use it properly. In some cases, the issue was resolved by reissuing the certificate from a different certificate authority (CA).

It may be worth testing with a certificate from another issuer to determine whether the problem is certificate-related.

It’s issued from a DoD CA. We can’t use a different CA in our environment. Also our configured vCenter server must use DoD CAs and certificates as well. My private key is an Elliptic Curve (EC) key and not an RSA key. But this shouldn’t matter. Veeam should support an EC key because you must use Elliptic Curve Cryptography (ECC) in order to apply the Basic Constraints extension which is required by Veeam for the Veeam 13.0 upgrade. We are running Veeam Backup and Replication 12.3.2.4465 which as far as I can tell from researching it supports EC keys.

I still think this is one for Support to help with.

I’ll submit a support request.

I know this isn't the optimal solution but easier to get their help to see where things went wrong and get it fixed.

Let us know how it goes and the solution.

Great! If I may ask, can you confirm whether this certificate has previously been consumed successfully by VBR?

Not this specific certificate no. We have successfully utilized previous DoD RSA certs with private keys on VBR, but in our attempt to upgrade to VBR 13.0 we require a signed CA cert with Basic Constraints. It has been a challenge to acquire this cert. We finally acquired a signed cert with Basic Constraints but now it won’t install on VBR. Question does anyone know if the VBR server cert Key Usage requires Key Encipherment? This is one of the only deltas I see between our current in-use RSA cert and our new EC Basic Constraints cert. The working cert has Key Usage Digital Signature and Key Encipherment and our new cert has Key Usage Digital Signature and Key Agreement.

Actually disregard my last. I don’t think the Key Usage details affect installing the cert. Honestly we have a different VBR server using a Self-Signed cert that we are also unable to install a normal RSA .pfx cert. Come to think of it, we have only been successful in utilizing a signed CA .pfx cert if the .pfx is installed in the server Personal store when the server is first deployed and VBR is installed new to utilize the cert. I don’t recall ever being successful in being able to change the VBR cert in the console GUI after it has already been deployed.

You may need to get the new one to match the fields with the RSA one.  You could at least test that with a new cert no?

You should be able to do this for sure.  Hopefully support can get to the bottom of it for you.