Configuring CA signed certificates for vCenter Site Recovery Manager
Article ID: 317504

Products

VMware Live Recovery

Issue/Introduction

This article provides steps to configure Certificate Based Authentication using CA signed certificates within your SRM server pair. This article assumes that you have already performed the steps given in Implementing CA signed SSL certificates with vSphere 5.x (2034833) to replace the certificates for vCenter Server components.
For newer versions of SRM (6.x and 8.x), see Configuring CA signed certificates for vCenter Site Recovery Manager 6.x and 8.x (66925).

Environment

VMware vCenter Site Recovery Manager 5.1.x
VMware vCenter Site Recovery Manager 5.8.x
VMware vCenter Site Recovery Manager 5.0.x
VMware vCenter Site Recovery Manager 5.5.x

Resolution

Site Recovery Manager certificate requirements

The Site Recovery Manager certificate must meet these requirements:
  • The certificates must have a Subject Name value that is the same for both members of the SRM pair
  • If the Organization (O), Organizational Unit (OU), Locality (L), State (S), or Country (C) are used, they must be the same for both members of the SRM pair
  • The certificate must include a Subject Alternative Name attribute that matches the FQDN of the SRM server host. The best practice is to use lower-case letters
  • The certificates must include an extendedKeyUsage or enhancedKeyUsage that includes serverAuth and clientAuth
  • The SRM certificate password must not exceed 31 characters
  • The SRM certificate key length must be a minimum of 2048-bits
  • SHA256RSA or stronger signature algorithms are recommended
  • The SRM certificates do not need to be signed by the same certificate authority, but each signing certificate authority must be trusted by both SRM servers
For detailed requirements, see the Requirements When Using Public Key Certificates with SRM section in the VMware vCenter Site Recovery Manager 5.5 Installation and Configuration guide.

IMPORTANT Public CAs stopped issuing SSL/TLS certificates that contain internal server names or reserved IP addresses in November 2015. CAs will revoke SSL/TLS certificates that contain internal server names or reserved IP addresses on 1st October 2016. To minimize future disruption, if you use SSL/TLS certificates that contain internal server names or reserved IP addresses, obtain new, compliant certificates from a private CA before 1st October 2016.
 

Generating the certificate request

You can generate the certificate signing request using OpenSSL. If you have already installed the SRM Server using the default certificates, OpenSSL is available on the SRM server under C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin.
 
If you have installed OpenSSL on a Windows machine, you can use that installation here, just as when replacing the vCenter Server certificates:
  1. Create an OpenSSL configuration file for each SRM site using a text editor (change the placeholder values, such as the subjectAltName entries and the organization and common names, to match your environment):

    Note: All entries in the OpenSSL configuration file must be lowercase.

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: srm, IP: SRM IP, DNS: srm.fqdn.com
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = Palo Alto

    0.organizationName = same name for both SRM certificates
    organizationalUnitName = same name for both SRM certificates
    commonName = same name for both SRM certificates

Notes:
  • In this example, the files are called protected.cfg and recovery.cfg.
  • SRM has a special requirement for a CN field that matches between both certificates in order for site pairing to complete. This is different from the usual practice of specifying the server identity. SRM uses the Subject Alternative Name field to verify the server's identity.

  2. Generate the certificate signing request:

    openssl.exe req -new -nodes -out protected.csr -keyout protected-orig.key -config protected.cfg
    openssl.exe req -new -nodes -out recovery.csr -keyout recovery-orig.key -config recovery.cfg

  3. Convert the key to the proper RSA format:

    openssl.exe rsa -in protected-orig.key -out protected.key
    openssl.exe rsa -in recovery-orig.key -out recovery.key

  4. Provide the .csr file to your certificate authority and receive the signed certificate back.

Converting the signed certificate to PKCS#12 format

After you receive the signed certificate (ending in .cer or .crt) from your certificate authority, it must be converted to the PKCS#12 format.
 
The conversion requires the private key files generated with the certificate signing request together with the signed certificate:
  1. Copy the signed certificate file to the server where you generated the certificate signing request.
  2. Use OpenSSL to generate the PKCS#12 certificate:

    openssl.exe pkcs12 -export -in protected.cer -inkey protected.key -name "srmprotected" -passout pass:srmserver -out protected.p12
    openssl.exe pkcs12 -export -in recovery.cer -inkey recovery.key -name "srmrecovery" -passout pass:srmserver -out recovery.p12
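The whole procedure above (request configuration, CSR, signing, PKCS#12 conversion) together with the certificate requirements list, as an added example that is not part of the VMware article: a POSIX shell script run against the OpenSSL command line. It signs the requests with a throw-away test CA that stands in for your real CA, and the hostnames (srm-protected.example.com, srm-recovery.example.com), IP addresses, organization names and the srmserver password are constructed placeholders. The check_srm_cert function is the pre-flight check a practitioner would run on the certificate returned by the CA before converting it, and same_subject verifies the Subject-match requirement between the two members of the pair.

```shell
#!/bin/sh
# Added example (not part of the VMware KB article): builds an SRM
# certificate pair as the steps above describe, signs it with a
# throw-away test CA standing in for your real CA, converts it to
# PKCS#12 and checks the SRM requirements. Hostnames, IPs, names and
# the password are constructed placeholders.

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="srmserver"   # constructed; SRM limits this password to 31 characters

# Write the OpenSSL request config for one site. CN, O and OU are the
# same for both sites on purpose; only the subjectAltName identifies
# the host. Arguments: site label, FQDN, IP address.
write_req_cfg() {
  site="$1"; fqdn="$2"; ip="$3"
  cat > "$WORK/$site.cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${fqdn}, IP:${ip}

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = Example Corp
organizationalUnitName = Disaster Recovery
commonName = srm-pair
EOF
}

# The req and rsa steps above: CSR plus key, then the key rewritten in
# plain RSA format.
make_csr() {
  site="$1"
  openssl req -new -nodes -out "$WORK/$site.csr" \
    -keyout "$WORK/$site-orig.key" -config "$WORK/$site.cfg" 2>/dev/null &&
  openssl rsa -in "$WORK/$site-orig.key" -out "$WORK/$site.key" 2>/dev/null
}

# Constructed test CA that stands in for the real certificate authority.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign the CSR, carrying the v3_req extensions (SAN, EKU) into the cert.
sign_csr() {
  site="$1"
  openssl x509 -req -in "$WORK/$site.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$site.cfg" -extensions v3_req \
    -out "$WORK/$site.cer" 2>/dev/null
}

# The PKCS#12 conversion step; refuses a password SRM cannot accept.
to_pkcs12() {
  site="$1"
  [ "${#P12_PASS}" -le 31 ] || return 1
  openssl pkcs12 -export -in "$WORK/$site.cer" -inkey "$WORK/$site.key" \
    -name "srm$site" -passout "pass:$P12_PASS" -out "$WORK/$site.p12" 2>/dev/null
}

# Check one signed certificate against the SRM requirements: SAN carries
# the FQDN, EKU has serverAuth and clientAuth, RSA key is at least
# 2048 bits, signature is SHA-256. Arguments: certificate file, FQDN.
check_srm_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || return 1
  printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
  printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption'
}

# The Subject (CN, O, OU, L, S, C) must be identical on both members.
same_subject() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# Build the whole pair; returns non-zero at the first failing step.
build_srm_pair() {
  make_test_ca || return 1
  write_req_cfg protected srm-protected.example.com 192.0.2.10
  write_req_cfg recovery  srm-recovery.example.com  198.51.100.10
  for site in protected recovery; do
    make_csr "$site" && sign_csr "$site" && to_pkcs12 "$site" || return 1
  done
  same_subject "$WORK/protected.cer" "$WORK/recovery.cer"
}

build_srm_pair && printf 'SRM pair with PKCS#12 files in %s\n' "$WORK"
```

The script keeps the password out of a shared shell history only as far as the page's own `-passout pass:` form allows; on a production host, prefer `-passout file:` or an interactive prompt so the PKCS#12 password is not recorded on the command line.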

Replacing the SRM Certificates

You can replace the SRM certificates during SRM installation or after installation.
 

Replacing the SRM certificate during installation

  1. Copy the SRM certificate to your SRM server.
  2. Launch the SRM installer and follow the SRM installation wizard.
  3. In the VMware vCenter Server screen, specify the vCenter Server FQDN.
  4. In the Certificate Type Selection screen, click Use a PKCS#12 certificate file and click Next.
  5. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
  6. Complete the SRM installation wizard.
  7. Repeat these steps on the recovery site.

Replacing the SRM certificate after installation

  1. On the protected site, open Add/Remove Programs, select VMware vCenter Site Recovery Manager, and click Change.
  2. Follow the wizard until you reach the Certificate Type Selection screen.
  3. Click Use a PKCS#12 certificate file and click Next.
  4. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
  5. Complete the SRM Modify installation wizard.
  6. Repeat the steps on the recovery site.

Configuring or reconfiguring the SRM site connection

After installing the SRM server on both sites, you must configure the connection between SRM sites. If you were previously using credential based authentication, it may be necessary to repair the connection between sites after replacing the default certificates with CA signed certificates.
  1. Log in to vCenter Server and access the SRM plugin.
  2. In the Sites navigation pane, click Summary and click Configure Connection (located in the top right corner).
  3. Enter the FQDN of the remote vCenter server and adjust the port, if necessary (this field may be populated for you already).
  4. Verify that the process completes successfully without prompting for a username or password or displaying any certificate warnings.

    Note: You may see certificate warnings after the pairing completes if you have deployed vSphere Replication appliances that are still using default certificates. These can be safely ignored.


Additional Information

For information on replacing the certificates used by vSphere Replication, see Configuring CA Signed Certificates for VMware vSphere Replication (2080395).