Configuring CA signed certificates for vCenter Site Recovery Manager 6.x and later versions
search cancel

Configuring CA signed certificates for vCenter Site Recovery Manager 6.x and later versions

book

Article ID: 343880

calendar_today

Updated On:

Products

VMware Live Recovery

Issue/Introduction

This article provides steps to configure Certificate Based Authentication using CA signed certificates within your SRM server pair. This article assumes that you have already performed the steps given in Implementing CA signed SSL certificates with vSphere 5.x (2034833) to replace the certificates for vCenter Server components.

Environment

VMware vCenter Site Recovery Manager 8.x
VMware vCenter Site Recovery Manager 6.5.x
VMware vCenter Site Recovery Manager 6.0.x

Resolution

Site Recovery Manager certificate requirements

For information SRM certificate requirements, see the Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager section in the Site Recovery Manager Installation and Configuration guide.

Generating the certificate request

You can generate the certificate signing request using OpenSSL. If you have already installed the SRM Server using the default certificates, OpenSSL is available on the SRM server under C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin.
 
If you have installed OpenSSL on a Windows machine, you can use this while replacing the vCenter Server certificates:
  1. Create an OpenSSL configuration file for each SRM site using a text editor (change the fields in red to match your environment):

    Note: All entries in the OpenSSL configuration file must be lowercase.

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName =     <SRM host FQDN> - must match the SRM server local host address that you specify when you install SRM

    [ req_distinguished_name ]
    0.organizationName =     <your org name> - must not be empty and must contain fewer than 4096 characters. Not required anymore to be the same for both SRM certificates
    organizationalUnitName = <your org unit name> - not required anymore to be the same for both SRM certificates
    commonName = same name for both SRM certificates

    Note: In this example, the files are called protected.cfg and recovery.cfg.
 
  1. Generate the certificate signing request:

    openssl.exe req -new -nodes -out protected.csr -keyout protected-orig.key -config protected.cfg
    openssl.exe req -new -nodes -out recovery.csr -keyout recovery-orig.key -config recovery.cfg
     
  2. Convert the key to the proper RSA format:

    openssl.exe rsa -in protected-orig.key -out protected.key
    openssl.exe rsa -in recovery-orig.key -out recovery.key
     
  3. Provide the .csr file to your certificate authority and receive the signed certificate back.

Converting the signed certificate to PKCS#12 format

After you receive the signed certificate (ending in .cer or .crt) from your certificate authority, it must be converted to the PKCS#12 format.
 
To convert to PKCS#12 format, it requires key files generated while generating the certificate request and the signed certificate:
  1. Copy the signed certificate file to the server where you generated the certificate signing request.
  2. Use OpenSSL to generate the PKCS#12 certificate:

    openssl.exe pkcs12 -export -in protected.cer -inkey protected.key -name "srmprotected" -passout pass:srmserver -out protected.p12
    openssl.exe pkcs12 -export -in recovery.cer -inkey recovery.key -name "srmrecovery" -passout pass:srmserver -out recovery.p12

Replacing the SRM Certificates

You can replace the SRM certificates during SRM installation or after installation.
 

Replacing the SRM certificate during installation

  1. Copy the SRM certificate to your SRM server.
  2. Launch the SRM installer and follow the SRM installation wizard.
  3. In the VMware vCenter Server screen, specify the vCenter Server FQDN.
  4. In the Certificate Type Selection screen, click Use a PKCS#12 certificate file and click Next.
  5. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
  6. Complete the SRM installation wizard.
  7. Repeat these steps on the recovery site.

Replacing the SRM certificate after installation

  1. In the protected site, click Add/Remove programs, click VMware vCenter Site Recovery Manager, and click Change.
  2. Follow the wizard until you reach the Certificate Type Selection screen.
  3. Click Use a PKCS#12 certificate file and click Next.
  4. Browse the location of the certificate, select the desired file, and enter the certificate password you chose when generating the p12 file.
  5. Complete the SRM Modify installation wizard.
  6. Repeat the steps on the recovery site.

Configuring or reconfiguring the SRM site connection

You can replace the SRM certificates during SRM installation or after installation.


Powered by Wolken Software