Configuring CA signed certificates for vSphere Replication or SRM based on Photon OS through Command line.


Article ID: 375573


Updated On:


VMware Live Recovery


This article provides the steps to configure certificate-based authentication with CA-signed certificates for a vSphere Replication (VR) / Site Recovery Manager (SRM) server pair.


Photon OS-based VMware vSphere Replication and Site Recovery Manager



If generating the certificate signing request (CSR) from the appliance GUI fails, you can produce the same CSR from the command line with OpenSSL and submit it to your certificate authority.


1. Create an OpenSSL configuration file for each SRM/VR site using a text editor 

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:<appliance FQDN>, DNS:<appliance short host name>, IP:<appliance IP address>

[ req_distinguished_name ]
0.organizationName = specify an organizationName
organizationalUnitName = specify an organizationalUnitName
commonName = specify a commonName (normally the appliance FQDN)

Note: In this example, the files are named protected-vr.cfg, recovery-vr.cfg, protected-srm.cfg and recovery-srm.cfg, one per appliance. Replace the subjectAltName placeholders with the values of the appliance the file is for; the names in the SAN are what vCenter Server and the paired site check against when they connect, so they must match the FQDN and IP address by which that appliance is actually addressed.

2. Generate the certificate signing request:

openssl req -new -nodes -out protected-vr.csr -keyout protected-vr-orig.key -config protected-vr.cfg
openssl req -new -nodes -out recovery-vr.csr -keyout recovery-vr-orig.key -config recovery-vr.cfg


openssl req -new -nodes -out protected-srm.csr -keyout protected-srm-orig.key -config protected-srm.cfg
openssl req -new -nodes -out recovery-srm.csr -keyout recovery-srm-orig.key -config recovery-srm.cfg


3. Convert the key to traditional RSA (PKCS#1) PEM format. Step 2 writes the private key in PKCS#8 form; this command re-encodes it as a BEGIN RSA PRIVATE KEY block. Note that on OpenSSL 3.x, openssl rsa writes PKCS#8 by default, so add -traditional there to get the same encoding:

openssl rsa -in protected-vr-orig.key -out protected-vr.key
openssl rsa -in recovery-vr-orig.key -out recovery-vr.key

openssl rsa -in protected-srm-orig.key -out protected-srm.key
openssl rsa -in recovery-srm-orig.key -out recovery-srm.key


4. Provide the .csr file (protected-vr.csr , recovery-vr.csr, protected-srm.csr & recovery-srm.csr) to your certificate authority and receive the signed certificate back.

Converting the signed certificate to PKCS#12 format

5. After you receive the signed certificate (a .cer or .crt file) from your certificate authority, convert it to PKCS#12 format. The conversion needs the private key produced alongside the certificate signing request (protected-vr.key and so on from step 3) together with the signed certificate:

  1. Copy the signed certificate file to the server where you generated the certificate signing request.
  2. Use OpenSSL to generate the PKCS#12 certificate:

    openssl pkcs12 -export -in protected-vr.cer -inkey protected-vr.key -name "vrprotected" -passout pass:password -out protected-vr.p12
    openssl pkcs12 -export -in recovery-vr.cer -inkey recovery-vr.key -name "vrrecovery" -passout pass:password -out recovery-vr.p12

    openssl pkcs12 -export -in protected-srm.cer -inkey protected-srm.key -name "srmprotected" -passout pass:password -out protected-srm.p12
    openssl pkcs12 -export -in recovery-srm.cer -inkey recovery-srm.key -name "srmrecovery" -passout pass:password -out recovery-srm.p12

    Note: "password" is a placeholder for the private key encryption password that you will enter later in the appliance GUI. A password given with -passout pass: is recorded in the shell history and is visible to other users in the process list while openssl runs; on a shared host, omit -passout so that openssl prompts for it, or pass it through the environment with -passout env:VARIABLE. Keep the CA chain out of this file (no -certfile or -chain): the appliance accepts only a PKCS#12 file that holds exactly one certificate and its matching private key.
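The script below is an added example and is not part of this KB article. It runs steps 1 to 5 above for a single appliance in a scratch directory and adds the checks a practitioner wants before uploading the file: that the CSR really carries the SAN and EKU entries from the config, that the private key belongs to the signed certificate, and that the PKCS#12 file holds exactly one certificate and one key as the appliance GUI requires. Because no real CA is available offline, a throwaway test CA (ca.key/ca.crt) stands in for step 4; the site name, host names, IP address, DN values and password are assumptions, and the export password is passed via the environment instead of on the command line.

```shell
#!/bin/sh
# Added example (not VMware's code): KB steps 1-5 for one appliance, with checks.
# A throwaway test CA replaces the real certificate authority so it runs offline.
# SITE, FQDN, SHORT, IPADDR, DN values and P12PASS are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="${SITE:-protected-vr}"                 # assumed; mirrors protected-vr.cfg
FQDN="${FQDN:-vr.protected.example.com}"     # assumed appliance FQDN
SHORT="${SHORT:-vr}"                         # assumed short host name
IPADDR="${IPADDR:-192.0.2.10}"               # assumed IP (TEST-NET-1 range)
P12PASS="${P12PASS:-changeit}"               # assumed PKCS#12 export password

# Step 1: write the request config with the SAN placeholders filled in.
write_config() {
  cat > "$WORK/$SITE.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$FQDN, DNS:$SHORT, IP:$IPADDR

[ req_distinguished_name ]
0.organizationName = Example Org
organizationalUnitName = Disaster Recovery
commonName = $FQDN
EOF
}

# Steps 2 and 3: CSR plus private key, then the key re-encoded with openssl rsa.
make_csr_and_key() {
  openssl req -new -nodes -out "$WORK/$SITE.csr" -keyout "$WORK/$SITE-orig.key" \
    -config "$WORK/$SITE.cfg" 2>/dev/null
  openssl rsa -in "$WORK/$SITE-orig.key" -out "$WORK/$SITE.key" 2>/dev/null
}

# Check before submitting: the CSR must carry all three SAN entries and both EKUs.
csr_has_expected_extensions() {
  txt=$(openssl req -in "$WORK/$SITE.csr" -noout -text)
  printf '%s\n' "$txt" | grep -q "DNS:$FQDN, DNS:$SHORT, IP Address:$IPADDR" &&
  printf '%s\n' "$txt" | grep -q "TLS Web Server Authentication, TLS Web Client Authentication"
}

# Step 4 stand-in: a throwaway CA signs the CSR and copies the v3_req extensions
# into the certificate. A real CA returns protected-vr.cer instead.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/O=Example Org/CN=Example Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/$SITE.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$SITE.cfg" -extensions v3_req \
    -out "$WORK/$SITE.cer" 2>/dev/null
}

# Step 5: bundle cert and key. The password comes from the environment (env:)
# rather than pass:, so it does not land in shell history or the process list.
make_p12() {
  P12PASS="$P12PASS" openssl pkcs12 -export -in "$WORK/$SITE.cer" \
    -inkey "$WORK/$SITE.key" -name vrprotected -passout env:P12PASS \
    -out "$WORK/$SITE.p12"
}

# The private key must belong to the certificate: compare the public key of each.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/$SITE.cer" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$WORK/$SITE.key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# The appliance GUI requires exactly one certificate and exactly one key in the file.
p12_is_single_cert_and_key() {
  dump=$(P12PASS="$P12PASS" openssl pkcs12 -in "$WORK/$SITE.p12" -nodes -passin env:P12PASS 2>/dev/null)
  [ "$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE')" -eq 1 ] &&
  [ "$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY')" -eq 1 ]
}

run_flow() {
  write_config
  make_csr_and_key
  csr_has_expected_extensions || { echo "CSR is missing SAN/EKU entries" >&2; return 1; }
  sign_with_test_ca
  make_p12
  key_matches_cert || { echo "key does not match certificate" >&2; return 1; }
  p12_is_single_cert_and_key || { echo "PKCS#12 must hold one cert and one key" >&2; return 1; }
  echo "ok: $WORK/$SITE.p12 is ready for upload"
}

run_flow
```

To use it against a real CA, drop sign_with_test_ca from run_flow, submit $WORK/$SITE.csr, copy the returned certificate to $WORK/$SITE.cer, and run the remaining functions; the same checks apply to the CA-issued certificate, and a failing key_matches_cert usually means the CSR was regenerated after submission.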


Replace the VR/SRM Certificates from GUI

  1. Log in to the Site Recovery Manager Appliance Management Interface as admin.
  2. Click Certificates and then click Change.
  3. Select a certificate type - Use a PKCS #12 certificate file
    1. Click Browse, navigate to the certificate file, and click Open. The certificate file must contain exactly one certificate with exactly one private key matching the certificate.
    2. Enter the private key encryption password.