Resolve certificate failures
If an agent reports a certificate failure, you must resolve the failure before backups and restores can continue. Certificate failures are summarized in the Current Snapshot on the Dashboard and shown on the Computers page in Portal. See "Monitor backups and computers using the Current Snapshot" and "View computer and job status information". Agents can report certificate failures if they support certificate pinning, a security feature that is designed to ensure that agents are connecting to legitimate vaults.
A certificate failure can occur when:
- An agent tries to connect to a version 8.60 or later vault where the certificate pinning security feature is enabled. Beginning with Windows Agent 8.90, Linux Agent 8.90, vSphere Recovery Agent 8.87 and Hyper-V Agent 9.00, when an agent tries to connect to the vault (e.g., to run a backup or restore), it checks whether the public key of the vault's TLS certificate is the same as when the agent previously connected to the vault. If the public key of the vault certificate is different, the agent reports a certificate failure and will not connect to the vault.
- A vSphere Recovery Agent (VRA) tries to connect to the vCenter Server or ESXi host that it protects. Beginning in version 8.87, when the VRA tries to connect to a vSphere environment, it checks whether the public key of the vSphere environment certificate is the same as when the VRA previously connected to the vSphere environment. If the public key of the vSphere environment certificate is different, the VRA reports a certificate failure and will not connect to the vCenter or ESXi host.
If a certificate failure is reported, please contact your IT security staff or service provider to determine whether the certificate change was expected or whether further investigation is required.
If the certificate change was expected, follow the steps below to re-pin the certificate. When you re-pin a certificate, the agent securely records the new public key of the certificate.
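The check described above compares the certificate's public key, not the whole certificate, so a certificate reissued with the same key still matches while a new key is refused until it is re-pinned. The Python sketch below is an added example, not the agent's own code: it assumes the pin is a SHA-256 hash of the DER SubjectPublicKeyInfo (the agent's actual pin format is not stated on this page), and the function names and sample certificates are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_bytes(cert_der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate."""
    _, cert_start, _ = read_tlv(cert_der, 0)            # Certificate
    _, pos, tbs_end = read_tlv(cert_der, cert_start)    # TBSCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    first = 1 if fields and fields[0][0] == 0xA0 else 0  # skip optional [0] version
    if len(fields) < first + 6:
        raise ValueError("not an X.509 certificate")
    _, start, end = fields[first + 5]   # after serial, sig alg, issuer, validity, subject
    return cert_der[start:end]

def spki_pin(cert_der):
    return hashlib.sha256(spki_bytes(cert_der)).hexdigest()

def connect_allowed(recorded_pin, presented_cert_der):
    return spki_pin(presented_cert_der) == recorded_pin

# --- constructed sample data: unsigned skeleton certificates, not real ones ---
def der(tag, *parts):
    body = b"".join(parts)
    raw = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    length = raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def sample_cert(serial, key):
    spki = der(0x30, der(0x30), der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              der(0x30), der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

ORIGINAL = sample_cert(1, b"\x11" * 200)          # certificate seen at first connect
RENEWED_SAME_KEY = sample_cert(2, b"\x11" * 200)  # reissued, key unchanged
REPLACED_KEY = sample_cert(3, b"\x22" * 200)      # new key: needs review and re-pin
```

Here `connect_allowed(spki_pin(ORIGINAL), RENEWED_SAME_KEY)` is true and the same call with `REPLACED_KEY` is false, which corresponds to the certificate failure state described above.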
To resolve certificate failures:
- On the navigation bar, click Computers. The Computers page shows registered computers.
- Select the check box for each computer with a certificate failure that you want to resolve.
  Note: Only select computers that have the Certificate failure status, or the Re-pin certificate action will not be available.
- In the Actions list, click Re-pin certificate.
- In the confirmation dialog box, click Yes.
- In the Success message box, click Okay.