Understanding Custom SSL Certificates specific requirements in VMware Site Recovery Manager 5.x



Article ID: 310616


Products

VMware Live Recovery

Issue/Introduction

This article provides detailed understanding on the specific requirements when creating custom Site Recovery Manager SSL certificates.

Environment

VMware vCenter Site Recovery Manager 5.5.x
VMware vCenter Site Recovery Manager 5.0.x
VMware vCenter Site Recovery Manager 5.1.x

Resolution

These requirements can be categorized as:

Dependency Requirements between the Local Site Recovery Manager Server and the Local vCenter Server
  • If any of the four servers (Local SRM, Local VC, Remote SRM, Remote VC) is using custom certificates, all four servers must use custom certificates.
  • The root CA that signed the VC server custom certificate must be trusted by both the local SRM server and the local VC server. It must be installed on the local SRM server certificate store and the local VC server certificate store.
  • The root CA that signed the SRM server custom certificate must be trusted by both the local VC server and the local SRM server. It must be installed on the local VC server certificate store and the local SRM server certificate store.
  • The root CA that signed the local SRM server custom certificate must be trusted by the vSphere Infrastructure Client. It must be installed on the certificate store on the machine where the VI client is running.
  • The root CA that signed the local VC server custom certificate must be trusted by the VI client. It must be installed on the certificate store on the machine where the VI client is running.
  • The fields in the local SRM custom certificate Subject attribute must match those same fields in the local VC custom SSL certificate:

    • Organization (O)
    • Organization Unit (OU)

  • The local VC server FQDN, shortname or IP address specified during the installation of SRM (that is, the local VC server on which the local SRM server extension will be registered) must be the same FQDN, shortname or IP address to which the local VC server custom certificate was issued. This can be checked by making sure the local VC server FQDN, shortname, or IP address appears in the local VC custom certificate Subject Alternative Name.

Dependency Requirements between the Local Site Recovery Manager Server and the Remote vCenter Server
  • If any of the four servers (Local SRM, Local VC, Remote SRM, Remote VC) are using custom SSL certificates, all four servers must use custom SSL certificates.
  • The root CA that signed the remote VC server custom SSL certificate must be trusted by both the local SRM server and the remote VC server. It must be installed on the local SRM server certificate store and the remote VC server certificate store.
  • The root CA that signed the local SRM server custom SSL certificate must be trusted by both the remote VC server and the local SRM server. It must be installed on the remote VC server certificate store and the local SRM server certificate store.
  • The root CA that signed the remote SRM server custom certificate must be trusted by the VI client. It must be installed on the certificate store on the machine where the VI client is running.
  • The root CA that signed the remote VC server custom certificate must be trusted by the VI client. It must be installed on the certificate store on the machine where the VI client is running.
  • The fields in the local SRM custom SSL certificate Subject attribute must match those same fields in the remote VC custom SSL certificate:

    • Organization (O)
    • Organization Unit (OU)

  • The remote VC server FQDN, shortname or IP address specified during the site pairing configuration must be the same FQDN, shortname or IP address to which the remote VC server custom certificate was issued. This can be checked by ensuring the remote VC server FQDN, shortname, or IP address appears in the remote VC server custom certificate Subject Alternative Name.

Individual Site Recovery Manager Server Custom Certificate Requirements

  • SRM custom certificates should not be root CAs.
  • The Subject attribute in the SRM certificate must contain at least the fields:

    • Organization (O)
    • Organization Unit (OU)
    • Common Name (CN)

  • The Subject attribute in the SRM certificate may optionally contain other additional fields such as C, S, Email, or L.
  • The total length of the Subject attribute value should not exceed 4096 bytes. The Subject attribute value is the combination of all fields of that attribute. For example, if the O is Acme Corp, the OU is IT and the CN is SRM, the Subject attribute value is O=Acme Corp/OU=IT/CN=SRM. It is important to keep track of the length of this attribute value.
  • The SRM certificate must contain a Subject Alternative Name (SAN) attribute. The value of this attribute must contain the FQDN of the SRM server, its IP address, or both. It may also contain multiple FQDNs and IP addresses meant for the same SRM server. This value should be unique for each SRM server certificate. For example, if using OpenSSL, the SAN attribute value can be specified in the OpenSSL configuration file as follows:

    subjectAltName = DNS: SRM1.example.com,DNS: 192.168.0.100,IP: 192.168.0.100

    Note: If you are using a Microsoft CA, see the Microsoft article 931351 for information on how to configure the Subject Alternative Name.

  • When installing SRM with a custom certificate, the Local Host property that the installer shows must match one of the entries in the Subject Alternative Name attribute value of the custom SRM certificate. The Local Host property value that was specified during the installation of SRM is saved in the extension.xml configuration file. This file should never be modified manually:

    C:\Program Files\VMware\VMware vCenter Site Recovery Manager\config\extension.xml

    --- extension.xml
    <config>
      <extension>
        <key>com.vmware.vcDr</key>
        <version>5.5.1</version>
        <description>VMware vCenter Site Recovery Manager Extension</description>
        <servers>
          <server>
            <url>http://srm01.acmecorp.com:8095</url>
            <!-- The SRM 'Local Host' property is set to this FQDN when SRM is first installed. -->
          </server>
        </servers>
      </extension>
    </config>

  • The Subject Alternative Name is case sensitive. The SSL certificate must have the same case for the hostname and domain as the SRM server reports when running the hostname or ipconfig /all commands.
  • The SRM certificate Key Usage attribute should contain the following key usages, and these only:

    • KeyEncipherment
    • DataEncipherment
    • DigitalSignature

  • The SRM certificate must contain an Enhanced Key Usage attribute whose value should include Client Authentication and Server Authentication. For example, if using OpenSSL, the Enhanced Key Usage attribute value can be specified in the OpenSSL config file as follows:

    extendedKeyUsage = serverAuth, clientAuth

  • The key length should be no less than 1024 bits.
    Note: SRM 4.x or 1.x may have been using certificates with 512-bit key lengths. If that is the case, the SRM certificates need to be recreated with a key length of 1024 bits or more.

Dependency Requirements between the Local Site Recovery Manager Server and the Remote SRM Server

  • The Subject attribute of the two SRM servers' custom certificates must match. This means all of the fields of this attribute must match:

    • Organization (O)
    • Organization Unit (OU)
    • Common Name (CN)
    • Other optional fields such as C, S, Email, or L, if they are used.

    Note: Some third-party certificate authorities (CAs) may require that the CN be the FQDN of a server before signing a certificate, therefore forcing the two SRM servers' certificates to have different CNs. Such CA policies are in direct conflict with SRM certificate requirements. Such CAs may also have other restrictions. VMware recommends considering alternative CAs that do not have these policies when signing SRM custom certificates.
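The following is an added example, not VMware's or this article's own code: an OpenSSL configuration that satisfies the individual SRM certificate requirements listed above (Subject with O/OU/CN, SAN, the exact Key Usage set, Enhanced Key Usage with both server and client authentication, key length of at least 1024 bits, not a CA), plus a shell checker that reports which of those requirements a given certificate violates and a helper to read Subject fields so the local and remote SRM certificates can be compared field by field. All host names, paths and DN values are constructed placeholders, and the certificate is self-signed only so the checker can run offline.

```shell
#!/bin/sh
# Added example (not VMware's or the article's own code): an OpenSSL config that
# meets the SRM 5.x certificate requirements above, plus a checker for a cert.
# Host names, paths and DN values are constructed placeholders.
set -e
WORK=$(mktemp -d)
cat > "$WORK/srm.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = srm_ext
[ dn ]
O = Acme Corp
OU = IT
CN = SRM
[ srm_ext ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:srm01.example.com, IP:192.168.0.100
EOF
# Self-signed only so the checker can run offline; for a real SRM cert add
# req_extensions = srm_ext and submit the CSR to the CA instead of using -x509.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/srm.cnf" \
  -keyout "$WORK/srm.key" -out "$WORK/srm.crt" 2>/dev/null
# check_srm_cert CERT LOCAL_HOST: prints each violated requirement; exit 0 = all pass.
# Matching is case-sensitive, as the SAN comparison against Local Host itself is.
check_srm_cert() {
  txt=$(openssl x509 -in "$1" -noout -text); rc=0
  echo "$txt" | grep -q 'CA:TRUE' && { echo "must not be a CA"; rc=1; }
  bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 1024 ] || { echo "key is ${bits:-?} bits, need >= 1024"; rc=1; }
  # Key Usage must be exactly these three; sort so the order does not matter
  ku=$(echo "$txt" | sed -n '/X509v3 Key Usage/{n;p;}' | tr -d ' ' | tr ',' '\n' | sort | tr '\n' ',')
  [ "$ku" = "DataEncipherment,DigitalSignature,KeyEncipherment," ] || { echo "key usage is '$ku'"; rc=1; }
  eku=$(echo "$txt" | sed -n '/Extended Key Usage/{n;p;}')
  case "$eku" in
    *"Server Authentication"*"Client Authentication"*|*"Client Authentication"*"Server Authentication"*) ;;
    *) echo "EKU must include serverAuth and clientAuth"; rc=1 ;;
  esac
  san=$(echo "$txt" | sed -n '/Subject Alternative Name/{n;p;}')
  echo "$san" | grep -qE "(DNS|IP Address):$2"'(,|$)' || { echo "SAN lacks Local Host '$2'"; rc=1; }
  return $rc
}
# subject_field CERT FIELD: one Subject RDN value (O, OU, CN ...), to compare the
# local and remote SRM certificates field by field as required above.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n "s/^ *$2=//p"
}
```

Run `check_srm_cert cert.pem <Local Host value>` against each SRM certificate, and compare `subject_field` output for O, OU and CN between the two SRM certificates (and O and OU against the paired VC certificates).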

Additional Information

Japanese version of this article: Understanding the specific requirements for custom SSL certificates in VMware Site Recovery Manager 5.x