This article provides steps to configure Certificate Based Authentication using CA signed certificates within your SRM server pair.

VMware Site Recovery Manager 6.1.x
VMware Site Recovery Manager 6.x
VMware Site Recovery Manager 6.0.x
VMware Site Recovery Manager 8.2.x
VMware Site Recovery Manager 6.5.x
VMware Site Recovery Manager 8.1.x
VMware Site Recovery Manager 8.3.x

Site Recovery Manager certificate requirements

Site Recovery Manager places some requirements on the contents of those certificates, but the requirements in this release are less strict than in 5.x releases of Site Recovery Manager. Although the requirements are the same since SRM 6.0, the Site Recovery Manager certificate must meet these requirements outlined in the articles below:

SRM 8.4 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 8.4
SRM 8.3 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 8.3
SRM 8.2 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 8.2
SRM 8.1 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 8.1
SRM 6.5 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 6.5
SRM 6.1 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 6.1
SRM 6.0 - Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager 6.0

IMPORTANT Public CAs stopped issuing SSL/TLS certificates that contain internal server names or reserved IP addresses in November 2015. CAs will revoke SSL/TLS certificates that contain internal server names or reserved IP addresses on 1st October 2016. To minimize future disruption, if you use SSL/TLS certificates that contain internal server names or reserved IP addresses, obtain new, compliant certificates from a private CA before 1st October 2016.

• For information about the deprecation of internal server names and reserved IP addresses, see https://cabforum.org/internal-names/.
• For information about how the deprecation of internal server names and reserved IP addresses affects VMware products, see Frequently asked questions about Public Certificate Authority certificates with Internal Server Names and VMware Products (2134735).

 

Generating the certificate request

You can generate the certificate signing request using OpenSSL. If you have already installed the SRM Server using the default certificates, OpenSSL is available on the SRM server under C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin.
 
If you have installed OpenSSL on a Windows machine, you can use this while replacing the vCenter Server certificates:

1. Create an OpenSSL configuration file for each SRM site using a text editor (change the fields in red to match your environment):
   
   Note: All entries in the OpenSSL configuration file must be lowercase.
   
   [ req ]
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req
   
   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS: srm.fqdn.com
   
   [ req_distinguished_name ]
   0.organizationName = specify a organizationName or leave blank
   organizationalUnitName =  specify a organizationalUnitName or leave blank
   commonName = specify a commonName or leave blank
    
   Note: In this example, the files are called protected.cfg and recovery.cfg.

2. Generate the certificate signing request:
   
   openssl.exe req -new -nodes -out protected.csr -keyout protected-orig.key -config protected.cfg
   openssl.exe req -new -nodes -out recovery.csr -keyout recovery-orig.key -config recovery.cfg
    
3. Convert the key to the proper RSA format:
   
   openssl.exe rsa -in protected-orig.key -out protected.key
   openssl.exe rsa -in recovery-orig.key -out recovery.key
    
4. Provide the .csr file to your certificate authority and receive the signed certificate back.

Converting the signed certificate to PKCS#12 format

After you receive the signed certificate (ending in .cer or .crt) from your certificate authority, it must be converted to the PKCS#12 format.
 
To convert to PKCS#12 format, it requires key files generated while generating the certificate request and the signed certificate:

1. Copy the signed certificate file to the server where you generated the certificate signing request.
2. Use OpenSSL to generate the PKCS#12 certificate:
   
   openssl.exe pkcs12 -export -in protected.cer -inkey protected.key -name "srmprotected" -passout pass:srmserver -out protected.p12
   openssl.exe pkcs12 -export -in recovery.cer -inkey recovery.key -name "srmrecovery" -passout pass:srmserver -out recovery.p12

Replacing the SRM Certificates

You can replace the SRM certificates during SRM installation or after installation.
 

Replacing the SRM certificate during installation

1. Copy the SRM certificate to your SRM server.
2. Launch the SRM installer and follow the SRM installation wizard.
3. In the VMware vCenter Server screen, specify the vCenter Server FQDN.
4. In the Certificate Type Selection screen, click Use a PKCS#12 certificate file and click Next.
5. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
6. Complete the SRM installation wizard.
7. Repeat these steps on the recovery site.

Replacing the SRM certificate after installation

1. In the protected site, click Add/Remove programs, click VMware vCenter Site Recovery Manager, and click Change.
2. Follow the wizard until you reach the Certificate Type Selection screen.
3. Click Use a PKCS#12 certificate file and click Next.
4. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
5. Complete the SRM Modify installation wizard.
6. Repeat the steps on the recovery site.

Configuring or reconfiguring the SRM site connection

After installing the SRM server on both sites, you must configure the connection between SRM sites. If SRM was previously configured you must repair the connection between sites after replacing the default certificates with CA signed certificates.

To repair the sites:

1. Log in to vCenter Server and access the SRM plugin.
   • For SRM 6.x - In the Sites navigation pane, right click an SRM site and select Reconfigure Site Pairing.
   • For SRM 8.x - Open Site Recovery H5 UI, select SRM Pair, select Actions and select Reconfigure Site Pair.
2. Enter the FQDN of the remote Platform Service Controller and adjust the port, if necessary (this field may be populated for you already).
3. Verify that the process completes successfully.