This article provides the steps to configure certificate-based authentication using CA-signed certificates for your vSphere Replication (VR) and Site Recovery Manager (SRM) server pair.
Photon-based OS - VMware vSphere Replication and Site Recovery Manager
If you have trouble generating the certificate signing request from the GUI to present to your certificate authority, you can do the same from the CLI.
1. Create an OpenSSL configuration file for each SRM/VR site using a text editor:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: srm/vr.fqdn.com, DNS:srm/vr, IP:IP Address
[ req_distinguished_name ]
0.organizationName = specify a organizationName
organizationalUnitName = specify a organizationalUnitName
commonName = specify a commonName
Note: In this example, the files are called protected-vr.cfg, recovery-vr.cfg, protected-srm.cfg and recovery-srm.cfg.
2. Generate the certificate signing request:
openssl req -new -nodes -out protected-vr.csr -keyout protected-vr-orig.key -config protected-vr.cfg
openssl req -new -nodes -out recovery-vr.csr -keyout recovery-vr-orig.key -config recovery-vr.cfg
openssl req -new -nodes -out protected-srm.csr -keyout protected-srm-orig.key -config protected-srm.cfg
openssl req -new -nodes -out recovery-srm.csr -keyout recovery-srm-orig.key -config recovery-srm.cfg
3. Convert the key to the proper RSA format:
openssl rsa -in protected-vr-orig.key -out protected-vr.key
openssl rsa -in recovery-vr-orig.key -out recovery-vr.key
openssl rsa -in protected-srm-orig.key -out protected-srm.key
openssl rsa -in recovery-srm-orig.key -out recovery-srm.key
4. Provide the .csr files (protected-vr.csr, recovery-vr.csr, protected-srm.csr and recovery-srm.csr) to your certificate authority and receive the signed certificates back.
5. After you receive the signed certificate (ending in .cer or .crt) from your certificate authority, it must be converted to the PKCS#12 format.
The conversion needs the key file generated alongside the certificate signing request (the .key file from step 3) and the signed certificate:
openssl pkcs12 -export -in protected-srm.cer -inkey protected-srm.key -name "srmprotected" -passout pass:password -out protected-srm.p12
openssl pkcs12 -export -in recovery-srm.cer -inkey recovery-srm.key -name "srmrecovery" -passout pass:password -out recovery-srm.p12
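The steps above as one script, added here as an example rather than the KB's own tooling: it writes the site config from step 1 with the host names, IP and organization passed in as arguments, runs steps 2 and 3, checks that the CSR carries the SAN and both EKUs before it goes to the CA, and refuses the PKCS#12 export from step 5 when the returned certificate does not match the site's key. The function names and the P12_PASS variable are this example's own choices, not SRM or VR conventions.

```shell
# Added example, not the KB's own script: builds the per-site config from step 1,
# runs steps 2-3, and checks the CSR and returned certificate before the step 5 export.
set -eu

# make_site_cfg SITE FQDN SHORTNAME IP ORG OU -> writes SITE.cfg
make_site_cfg() {
  site=$1 fqdn=$2 short=$3 ip=$4 org=$5 ou=$6
  cat > "$site.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$fqdn, DNS:$short, IP:$ip
[ req_distinguished_name ]
0.organizationName = $org
organizationalUnitName = $ou
commonName = $fqdn
EOF
}

# gen_csr SITE -> SITE.csr and SITE.key (steps 2 and 3)
gen_csr() {
  openssl req -new -nodes -out "$1.csr" -keyout "$1-orig.key" -config "$1.cfg" 2>/dev/null
  openssl rsa -in "$1-orig.key" -out "$1.key" 2>/dev/null
}

# check_csr SITE FQDN -> succeeds only if the CSR carries the FQDN SAN and both EKUs
check_csr() {
  t=$(openssl req -in "$1.csr" -noout -text)
  echo "$t" | grep -q "DNS:$2" && echo "$t" | grep -q 'TLS Web Server Authentication' &&
    echo "$t" | grep -q 'TLS Web Client Authentication'
}

# make_p12 SITE ALIAS CERT -> SITE.p12; refuses a certificate whose public key is not
# the one from SITE.key. The export password is read from $P12_PASS so it does not
# show up in the process list the way "pass:password" does.
make_p12() {
  : "${P12_PASS:?set P12_PASS to the PKCS#12 export password}"
  [ "$(openssl x509 -in "$3" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout)" ] || return 1
  openssl pkcs12 -export -in "$3" -inkey "$1.key" -name "$2" -passout env:P12_PASS -out "$1.p12"
}
```

Call make_site_cfg and gen_csr once per site (protected-srm, recovery-srm, protected-vr, recovery-vr), send the .csr files to the CA, then run make_p12 with the returned .cer for each site.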