5 Replies Latest reply on Dec 7, 2011 5:37 AM by brkirby

    Replace SRM certificates with Windows 2008 CA Certs

    brkirby Novice

      I've recently Installed Site Recovery Manager 4.1.  I have set up vCenter with Trusted Certificates from my Windows CA.  I'm trying to do the same for Site Recovery Manager, but I haven't found a step-by-step process.  I've looked through the VMware SRM requirements document (http://KB&cmd=displayKC&externalId=1008390), but it is a little to vague for me. 

       

      I was hoping that someone had some step-by-step instructions, or could point me to instructions, for how to set up a Certificate for Site Recovery Manager that is signed by a windows 2008 CA, or .

       

      Any help  would be greatly appreciated. 

       

       

       

      Thanks,

       

       

       

      Brian

        • 1. Re: Replace SRM certificates with Windows 2008 CA Certs
          mal_michael Master vExpert

           

          The following document may be helpful

           

           

           

           

          The document talks about SRM 1, but it is correct for SRM 4 too. The only change in SRM 4 is that Subject Alternative Name should be FQDN of the SRM server.

           

           

          HTH.

           

           

          Let me know if you need further assistance.

           

           

           

           

           

          Michael.

           

           

           

           

           

          1 person found this helpful
          • 2. Re: Replace SRM certificates with Windows 2008 CA Certs
            brkirby Novice

             

            Thank you Michael.  I have reviewed this document before and although it was helpful, I was not able to get things to work. 

             

             

            What I really need are instructions on how to do one of the following to get my SRM certificates:

             

            • create a CSR with openssl and process the request with my Windows 2008 CA. or

            • create a CSR on my Windows 2008 CA and then process the request on my Windows 2008 CA

             

             

            I've tried both to no avail.  for the certs that I was able to issue on my 2008 CA, I get the following error message when attempting to connect the protected site with the recovery site:  "Local and remote servers are using different certificate trust methods", which is listed in that doc under troubleshooting.  I may have to try again to get more specifics.  I was hoping that someone out there had already done this and could share their steps. 

             

             

            Thanks,

             

             

            Brian

             

             

            • 3. Re: Replace SRM certificates with Windows 2008 CA Certs
              twistedf8 Novice

              After spending hours trying to get SRM to accept the Certs I was creating using my Microsoft CA; I have come up with the following steps:

               

              When creating Certificates for vCenter you need to make sure you create them exactly the same.  So the Subject in the Cert should read like the following:

               

              CN = vcenter.domain.com

              OU = Department Name

              O = Company Name

              L = City

              S = State (Full State name)

              C = Country (Two letter Abrevation)

               

              Now when creating your SRM certificate you have to use both Server Authentication and Client Authentication,  You can create special Certificate Template for that on your certificate Authority server.   The following link describes how to complete this step:

               

              Microsoft Certificate Template

               

              Now when creating the Certificates for SRM you need to have the following subject in the cert:

               

              CN = SRM

              OU = Department Name (same as vcenter certificate)

              O = Company Name (same as vcenter certificate)

              L = City (same as vcenter certificate)

              S = State (same as vcenter certificate)

              C = Country (same as vcenter certificate)

               

              Now comes the part that I struggled with with the most,  SRM requires you to have a subject alternative name for your certificate that is the FQDN for the server you are creating the certificate for; But if you have multiple Subject Alternative names for your Virtual Center cert using FQDN and host name then you need to do the same for SRM:  For an example:

               

              san:dns=srm01.domain.com&dns=srm01

               

              If you miss this step SRM will not validate your certificate.

               

              Here is a couple of articles that I found help when working through this issue:

               

              replacing virtual center certificate

               

              How to add subject alternative name

              1 person found this helpful
              • 4. Re: Replace SRM certificates with Windows 2008 CA Certs
                brkirby Novice

                Thaks for the assistance.  I ended up just reinstalling vcenter with the default certs, then installing SRM with the default certs with VMware, Inc. as the O and the OU.  I think we may have an issue with our Windows 2008 CA.

                • 5. Re: Replace SRM certificates with Windows 2008 CA Certs
                  brkirby Novice

                  After trying to deploy a new Certificate template recently, I realized why this process didn't work.  My windows 2008 Certificate Authority is running on windows 2008 Standard.  In order to deploy a new certificate template, you need a Certificate Authority running Enterprise edition.  I found this caveat while trying to create a Cert for an SCCM server using this article:  http://technet.microsoft.com/en-us/library/cc872789.aspx

                   

                  Here's a quote from the article:
                  "Although you can configure certificate templates with Windows Server Standard Edition and Active Directory Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008."

                   

                  At least now I know why it didn't work.