Enhance security with a signed SSL certificate


Enterprise Workloads Editions: ✓ Business, ✗ Enterprise, ✓ Elite


The Hybrid Workloads agent ships with a self-signed SSL certificate. Communication between the Backint executable and the Hybrid Workloads agent is secured with TLS. However, the Backint executable cannot verify the self-signed certificate.

For enhanced security, you can use your own signed SSL certificates. The benefit of using a signed certificate is that the Backint executable can verify the SSL certificate, which cannot be done for the self-signed certificate.

Prerequisites

You must have the SSL certificate and the key file for your domain name.

The SSL certificate file typically has a file extension of .crt, and the key file typically has a file extension of .key.

Contact your network administrator for these files.

Additionally, the root-CA certificate of the certificate authority (CA) must be added to the trust pool of the SAP HANA server.

Before you continue, take note of the path where you saved the certificate, the key file, and the rootCA file.

Procedure

Log in to the SAP HANA server, open a terminal, and follow these steps:

  1. Open the following file in any editor:


  1. Locate the following flags and set the value as follows:

insecureSkipVerify: false

useCustomCerts: true

See the following table for these flags' possible values and impact.

| Value of Flag | Impact |
|---|---|
| insecureSkipVerify: true (Default value) | Even though the communication between the Backint executable and Hybrid Workloads agent is over SSL, the Hybrid Workloads agent certificate is not verified. |
| insecureSkipVerify: false | The most secure setting where the communication between the Backint executable and Hybrid Workloads agent uses SSL and the SAP HANA agent certificate is verified. |
| useCustomCACerts: false (Default value) | You can use the default self-signed certificates shipped in Hybrid Workloads agent to enable TLS. |
| useCustomCACerts: true | This option enables custom certificates instead of the default self-signed certificate used by Hybrid Workloads agent. |

  1. Locate the keys customServerCert, customServerKey, and customCAPemFile. Enter the complete path where you saved the certificate, the key file, and the rootCA file, respectively, as follows:

customServerCert: /full/path/to/certificate.crt
customServerKey: /full/path/to/private.key
customCAPemFile: /full/path/to/rootCA.pem

  1. Finally, save the configuration file and restart the Hybrid Workloads agent service as follows:
    systemctl restart Druva-EnterpriseWorkloads.service
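
A pre-flight check worth running before the restart in the last step, so that a certificate the Backint executable cannot verify is caught before `insecureSkipVerify: false` takes effect. This is an added example, not part of Druva's documentation or tooling; the function name `check_tls_files`, its return codes, and the key-permission check are assumptions of this example, and it requires the `openssl` CLI and GNU `stat`.

```shell
#!/bin/sh
# Pre-flight check for the three files named in customServerCert,
# customServerKey and customCAPemFile (example code, not Druva's).
# Return codes (chosen for this example): 0 ok, 1 unreadable file,
# 2 chain does not verify, 3 key/certificate mismatch, 4 key mode too open.
check_tls_files() {
    cert=$1 key=$2 ca=$3

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done

    # The certificate must chain to the root CA file alone (-no-CApath keeps
    # the system trust directory out of the decision); otherwise the Backint
    # executable cannot verify it once insecureSkipVerify is false.
    openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against $ca" >&2; return 2; }

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }

    # Hardening check added by this example: no group/other access to the key.
    mode=$(stat -c %a "$key")
    case $mode in
        *00) ;;
        *) echo "key mode $mode is too permissive (use 600)" >&2; return 4 ;;
    esac

    echo "ok: certificate, key and root CA are consistent"
}

# Stand-alone use: sh check_tls.sh certificate.crt private.key rootCA.pem
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```

If the server certificate was issued by an intermediate CA, the chain check fails unless the intermediate certificates are also present in the file passed as the root CA.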