Requirements When Using Trusted Certificates with SRM
Solution
If you have installed SSL certificates issued by a trusted certificate authority (CA) on the vCenter servers that support SRM, the certificates you create for use by SRM must meet the following criteria:
- The certificates used by both members of an SRM server pair (a protected site and a recovery site) must have a Subject Name value constructed from:
  - A Common Name (CN) attribute, whose value must be the same for both members of the pair. A string such as “SRM” is appropriate here.
  - An Organization (O) attribute, whose value must be the same as the value of this attribute in the supporting vCenter server’s certificate.
  - An Organizational Unit (OU) attribute, whose value must be the same as the value of this attribute in the supporting vCenter server’s certificate.
Both members of an SRM server pair must use the same values for CN, O, and OU.
The combined length of the Subject Name cannot exceed 80 bytes. The Subject Name includes the values you supplied for CN, O, and OU, as well as the attribute labels (such as “CN=”) and the separators between them. For example, if you entered “SRM”, “Example Corp”, and “example.com” as the values for CN, O, and OU respectively, the actual Subject Name would look like this:
O=Example Corp/OU=example.com/CN=SRM
SRM requires that all of these attributes be present in the Subject Name. Your certificate may include additional attributes in the Subject Name, but the set of included attributes and their values must be identical for both certificates. The number of bytes in this string depends on the character encoding: some characters are encoded as more than one byte, so verify the length of the encoded Subject Name with the following command:
openssl.exe x509 -in path-to-certificate-in-PEM-format -noout -subject
The encoding must be the same for both certificates.
- For releases earlier than SRM 4.0, the certificate used by each member of an SRM server pair must include a “Subject Alternative Name” attribute whose value is the fully-qualified domain name of the vCenter server that supports it. (This value will be different for each member of the SRM server pair.) If you are using an openssl CA, modify the openssl configuration file to include a line like the following:
subjectAltName = DNS: vc1.example.com
If you are using a Microsoft CA, refer to http://support.microsoft.com/kb/931351 for information on how to set the Subject Alternative Name.
- For SRM 4.0 and later releases, the certificate used by each member of an SRM server pair must include a “Subject Alternative Name” attribute whose value is the fully-qualified domain name of the SRM server host. (This value will be different for each member of the SRM server pair.) If you are using an openssl CA, modify the openssl configuration file to include a line like the following:
subjectAltName = DNS: SRM1.example.com
- The certificate used by each member of an SRM server pair must include an “Extended Key Usage” attribute whose value is “serverAuth, clientAuth”. If you are using an openssl CA, modify the openssl configuration file to include a line like the following:
extendedKeyUsage = serverAuth, clientAuth
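Before installing a pair of certificates, it is worth checking them against all of the rules above in one pass. The following Python script is an added example, not part of this KB article or of the SRM product. It works from the text that `openssl x509 -in cert.pem -noout -subject -ext subjectAltName,extendedKeyUsage` prints for each certificate (the `-ext` option needs OpenSSL 1.1.1 or later; both the older `/O=.../CN=...` and the newer `O = ..., CN = ...` subject layouts are accepted). The host names, vCenter subjects and openssl output embedded below are constructed sample data, and the byte length is computed over a UTF-8 encoding of the subject string.

```python
"""Check an SRM certificate pair against the Subject Name, SAN and EKU rules above.

Input per certificate is the text printed by
    openssl x509 -in cert.pem -noout -subject -ext subjectAltName,extendedKeyUsage
(-ext needs OpenSSL 1.1.1 or later). All sample output below is constructed.
"""
import re

MAX_SUBJECT_BYTES = 80                        # limit stated in the article
REQUIRED_ATTRS = ("CN", "O", "OU")            # all three must be present
# openssl prints EKU purposes by long name; map them back to the config keywords.
EKU_NAMES = {"TLS Web Server Authentication": "serverAuth",
             "TLS Web Client Authentication": "clientAuth"}
REQUIRED_EKU = {"serverAuth", "clientAuth"}


def parse_subject(line):
    """Parse a 'subject=' line into an ordered list of (attribute, value) pairs.

    Accepts both layouts openssl has used:
      'subject= /O=Example Corp/OU=example.com/CN=SRM'        (0.9.x / 1.0.x)
      'subject=O = Example Corp, OU = example.com, CN = SRM'  (1.1.1 and later)
    Simplified: values containing an escaped '/' or ',' are not handled.
    """
    body = line.split("=", 1)[1].strip()
    parts = body[1:].split("/") if body.startswith("/") else body.split(",")
    return [(a.strip(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]


def subject_text(rdns):
    """Rebuild the slash-separated form quoted in the article: O=Example Corp/OU=example.com/CN=SRM."""
    return "/".join(f"{a}={v}" for a, v in rdns)


def subject_length(rdns):
    """Byte length of the Subject Name string; non-ASCII characters count for more than one byte."""
    return len(subject_text(rdns).encode("utf-8"))


def cert_subject(cert):
    """Parsed subject taken from the 'subject=' line of one certificate's openssl output."""
    return parse_subject(next(l for l in cert.splitlines() if l.startswith("subject=")))


def extension_values(cert, heading):
    """Comma-separated values printed on the line below an X509v3 extension heading ([] if absent)."""
    m = re.search(re.escape(heading) + r":[^\n]*\n\s*([^\n]+)", cert)
    return [v.strip() for v in m.group(1).split(",") if v.strip()] if m else []


def check_cert(cert, vcenter_subject, expected_san):
    """Per-certificate rules; returns a list of problems (an empty list means the certificate passes)."""
    rdns = cert_subject(cert)
    attrs, vc = dict(rdns), dict(parse_subject(vcenter_subject))
    problems = [f"Subject Name lacks {a}" for a in REQUIRED_ATTRS if a not in attrs]
    # O and OU are copied from the supporting vCenter server's certificate; CN is the pair's own choice.
    problems += [f"{a}={attrs[a]!r} differs from vCenter's {a}={vc.get(a)!r}"
                 for a in ("O", "OU") if a in attrs and attrs[a] != vc.get(a)]
    n = subject_length(rdns)
    if n > MAX_SUBJECT_BYTES:
        problems.append(f"Subject Name is {n} bytes, limit is {MAX_SUBJECT_BYTES}")
    sans = extension_values(cert, "X509v3 Subject Alternative Name")
    if f"DNS:{expected_san}" not in sans:
        problems.append(f"SAN {sans} does not contain DNS:{expected_san}")
    eku = {EKU_NAMES.get(v, v) for v in extension_values(cert, "X509v3 Extended Key Usage")}
    if not REQUIRED_EKU <= eku:
        problems.append(f"EKU {sorted(eku)} lacks {sorted(REQUIRED_EKU - eku)}")
    return problems


def check_pair(protected, recovery):
    """Pair rules. Each site dict carries 'cert', 'vcenter_subject' and 'expected_san' for that site.

    Both certificates must pass check_cert and carry an identical Subject Name (same attributes,
    same values, same order); the SAN is the one value that is allowed to differ.
    """
    problems = [f"protected site: {p}" for p in check_cert(**protected)]
    problems += [f"recovery site: {p}" for p in check_cert(**recovery)]
    s1, s2 = cert_subject(protected["cert"]), cert_subject(recovery["cert"])
    if s1 != s2:
        problems.append(f"Subject Names differ: {subject_text(s1)!r} vs {subject_text(s2)!r}")
    return problems


# Constructed sample output. SRM 4.0 rule: SAN is the SRM host's own FQDN, O/OU copied from its vCenter.
PROTECTED_SITE = {
    "vcenter_subject": "subject= /O=Example Corp/OU=example.com/CN=vc1.example.com",
    "expected_san": "srm1.example.com",
    "cert": "subject= /O=Example Corp/OU=example.com/CN=SRM\n"
            "X509v3 Subject Alternative Name: \n    DNS:srm1.example.com\n"
            "X509v3 Extended Key Usage: \n"
            "    TLS Web Server Authentication, TLS Web Client Authentication\n",
}
RECOVERY_SITE = {
    "vcenter_subject": "subject=O = Example Corp, OU = example.com, CN = vc2.example.com",
    "expected_san": "srm2.example.com",
    "cert": "subject=O = Example Corp, OU = example.com, CN = SRM\n"
            "X509v3 Subject Alternative Name: \n    DNS:srm2.example.com\n"
            "X509v3 Extended Key Usage: \n"
            "    TLS Web Server Authentication, TLS Web Client Authentication\n",
}
# A recovery-site certificate that breaks three rules: a different CN, a SAN naming the vCenter
# host instead of the SRM host (the pre-4.0 rule), and clientAuth missing from the EKU.
RECOVERY_SITE_BAD = dict(RECOVERY_SITE, cert=(
    "subject=O = Example Corp, OU = example.com, CN = SRM-Recovery\n"
    "X509v3 Subject Alternative Name: \n    DNS:vc2.example.com\n"
    "X509v3 Extended Key Usage: \n    TLS Web Server Authentication\n"))

if __name__ == "__main__":
    for name, recovery in (("good pair", RECOVERY_SITE), ("bad pair", RECOVERY_SITE_BAD)):
        print(name, check_pair(PROTECTED_SITE, recovery) or "OK")
```

For a pre-4.0 deployment, set each site's `expected_san` to the FQDN of its vCenter server instead of the SRM host; the other checks are unchanged. The parser deliberately stops at the simple cases: a subject value that itself contains an escaped `/` or `,` would need the `-nameopt RFC2253` form instead.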
- KB Article: 1008390
- Updated: Oct 6, 2009
- Products: VMware vCenter Site Recovery Manager
- Product Versions: VMware vCenter Site Recovery Manager 1.0.x, VMware vCenter Site Recovery Manager 4.0.x

