VMware Cloud Community
q8_it
Contributor

Help with SRM Certificates...

Hi, I'm trying to create certificates for SRM but I'm having some difficulties.

I'm creating those with a windows CA.

SRM is installed in the same server where vCenter is.

The vCenter certificate has the FQDN as CN; I've defined only the OU, O, S, C fields (and they're short because I've read that a SubjectName longer than 80 chars can be a problem). I've added to this a SAN DNS entry with the hostname without domain (to access vCenter with the hostname only, without getting certificate errors).

The SRM certificates are generated starting from the same private key. The only thing that changes is the SAN, with DNS=FQDN of the SRM server (which is the same as the vCenter server in my case). They have CN=SRM and the OU/O/S/C fields exactly equal to the vCenter certificate.

Enhanced Key Usage is: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2).

I've used the same Enhanced Key Usage also for the vCenter server certificate (can this be a problem?).

Installation completed without errors on the two sites. I log in to SRM and when I try to pair the sites I get an error:

Error:SRM server 'KUPIT-Rome' cannot do a pair operation. The reason is: Permission to perform this operation was denied.

See the error stack for details on the cause of this problem.
Error Stack
Call "DrRemoteSiteManager.ProbeDrConnection" for object "DrRemoteSiteManager" on Server "itromis10.q8int.com" failed.
Permission to perform this operation was denied.

In the source site vmware-dr log there's:

2012-01-31T18:24:22.536+01:00 [10152 verbose 'SessionManager'] Logging in SRM session = '52150', VC session = '525b9', user = 'Q8INT\itadminvm', full name = 'Q8INT\itadminvm', locale = 'en_US'
2012-01-31T18:24:22.598+01:00 [04092 verbose 'SessionManager'] Local and remote versions are the same. Talking with version vim.version.version7
2012-01-31T18:24:22.661+01:00 [10152 info 'SessionManager'] VC Connection: Logging in extension by subject name
2012-01-31T18:24:22.661+01:00 [10152 info 'SessionManager'] VC Connection: Logged in session 5230c0b5-91f5-0807-554c-a51951beb753
2012-01-31T18:24:22.661+01:00 [10152 info 'SessionManager'] VC Connection: Impersonating user 'Q8INT\itadminvm'
2012-01-31T18:24:22.676+01:00 [10152 info 'SessionManager'] VC Connection: Impersonated user: 'Q8INT\itadminvm'
2012-01-31T18:24:22.676+01:00 [10152 info 'LocalVC'] [PCM] Value used for WaitForUpdatesTimeout: 900
2012-01-31T18:24:22.676+01:00 [10152 verbose 'LocalVC'] [PCM] Initialized without an active connection
2012-01-31T18:24:22.676+01:00 [04092 info 'LocalVC'] [PCM] Received reconnect notification - incrementing connection version to 1
2012-01-31T18:24:22.676+01:00 [04092 verbose 'LocalVC'] [PCM] Recreating filters for all '0' currently registered filter requests.
2012-01-31T18:24:22.676+01:00 [10152 info 'authorize'] [Auth]: User Q8INT\itadminvm
2012-01-31T18:24:22.676+01:00 [04092 verbose 'LocalVC' opID=71f1cc1f] [PCM] Starting new wait-for-updates monitor for connection version '1'
2012-01-31T18:24:22.676+01:00 [10152 info 'SessionManager'] Session '52150' successfully logged in for VC session '525b9' and user 'Q8INT\itadminvm'.
2012-01-31T18:24:22.676+01:00 [04092 verbose 'LocalVC'] [PCM] Reconnect handling complete
2012-01-31T18:24:22.676+01:00 [04092 info 'RoleRegistry'] Initializing by registering for updates to the 'roleList' property on AuthorizationManager 'AuthorizationManager'.
2012-01-31T18:24:22.676+01:00 [04092 verbose 'LocalVC'] [PCM] Using token '0' for pending filter creation
2012-01-31T18:24:22.676+01:00 [04092 verbose 'RoleRegistry'] RoleRegistry is registered for updates with token '1'.
2012-01-31T18:24:22.723+01:00 [04092 verbose 'RoleRegistry'] Updating role map with '24' roles.
2012-01-31T18:24:23.503+01:00 [08224 info 'OptionManager'] 28 setting values retrieved
2012-01-31T18:24:35.656+01:00 [05684 info 'DrRemoteSiteManager'] Probing URL itnapis10.q8int.com:80 with tunnelPath '/sdkTunnel' and thumbprint 'VC'
2012-01-31T18:24:35.672+01:00 [05684 error 'Default'] SSLStreamImpl::DoClientHandshake (0be0a5f8) SSL_connect failed. Dumping SSL error queue:
2012-01-31T18:24:35.672+01:00 [05684 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-01-31T18:24:35.703+01:00 [05684 info 'DrRemoteSiteManager'] Probe URL found DNS name 'itnapis10.q8int.com', thumbprint '36:4A:0B:E3:58:6B:E3:0D:57:26:1D:1E:82:1A:16:D0:6A:35:E5:85', and trusted certificate
2012-01-31T18:24:35.734+01:00 [07036 verbose 'DrRemoteSiteManager'] Local and remote versions are the same. Talking with version vim.version.version7
2012-01-31T18:24:35.750+01:00 [05684 info 'DrRemoteSiteManager'] ProbeUrl found remote server type VC
2012-01-31T18:24:35.750+01:00 [05684 info 'DrRemoteSiteManager'] Probing URL itnapis10.q8int.com:80 with tunnelPath '/sdkTunnel' and thumbprint 'VC'
2012-01-31T18:24:35.781+01:00 [05684 error 'Default'] SSLStreamImpl::DoClientHandshake (0be0b800) SSL_connect failed. Dumping SSL error queue:
2012-01-31T18:24:35.781+01:00 [05684 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-01-31T18:24:35.812+01:00 [05684 info 'DrRemoteSiteManager'] Probe URL found DNS name 'itnapis10.q8int.com', thumbprint '36:4A:0B:E3:58:6B:E3:0D:57:26:1D:1E:82:1A:16:D0:6A:35:E5:85', and trusted certificate
2012-01-31T18:24:35.843+01:00 [07228 verbose 'DrRemoteSiteManager'] Local and remote versions are the same. Talking with version vim.version.version7
2012-01-31T18:24:35.859+01:00 [05684 info 'DrRemoteSiteManager'] ProbeUrl found remote server type VC
2012-01-31T18:24:35.984+01:00 [10300 verbose 'DrRemoteSiteManager'] Local and remote versions are the same. Talking with version vim.version.version7
2012-01-31T18:24:36.077+01:00 [05684 info 'DrRemoteSiteManager'] VC Connection: Logging in extension by subject name
2012-01-31T18:24:36.093+01:00 [05684 info 'DrRemoteSiteManager'] VC Connection: Logged in session 5214ff66-467e-4cee-1859-f184281faa7f
2012-01-31T18:24:36.109+01:00 [05684 info 'DrRemoteSiteManager'] Probing URL itnapis10.q8int.com:80 with tunnelPath 'itnapis10.q8int.com:8095' and thumbprint 'DR'
2012-01-31T18:24:36.124+01:00 [05684 error 'Default'] SSLStreamImpl::DoClientHandshake (0bf1a3e0) SSL_connect failed. Dumping SSL error queue:
2012-01-31T18:24:36.124+01:00 [05684 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-01-31T18:24:36.155+01:00 [05684 info 'DrRemoteSiteManager'] Probe URL found DNS name 'itnapis10.q8int.com', thumbprint 'F7:BF:1F:7C:66:9B:EC:70:7E:AD:9B:DF:19:86:B7:FE:55:C8:2C:76', and trusted certificate
2012-01-31T18:24:36.202+01:00 [05684 info 'DrRemoteSiteManager'] ProbeUrl found remote server type DR
2012-01-31T18:24:36.233+01:00 [05684 info 'DrRemoteSiteManager'] SRM Connection: Logging in.
2012-01-31T18:24:36.436+01:00 [05684 warning 'DrRemoteSiteManager'] Failed while probing SRM server.: (vim.fault.NoPermission) {
[#1] --> dynamicType = <unset>,
[#1] --> faultCause = (vmodl.MethodFault) null,
[#1] --> object = 'dr.ServiceInstance:DrServiceInstance',
[#1] --> privilegeId = "System.View",
[#1] --> msg = "Permission to perform this operation was denied.",
[#1] --> }

On the destination site this is the log:

2012-01-31T18:24:35.587+01:00 [05920 error 'Default'] SSLStreamImpl::DoServerHandshake (0701e5f8) SSL_accept failed. Dumping SSL error queue:
2012-01-31T18:24:35.587+01:00 [05920 error 'Default'] [0] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2012-01-31T18:24:35.587+01:00 [05920 error 'SoapAdapter.HTTPService'] accept failure class Vmacore::Ssl::SSLException(SSL Exception: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate) on stream (null)
2012-01-31T18:24:35.587+01:00 [05920 error 'SoapAdapter.HTTPService'] stream is NULL - no read scheduled
2012-01-31T18:24:35.712+01:00 [16880 info ''] VC Connection: Session: 5214f, user com.vmware.vcDr, Active? true
2012-01-31T18:24:35.712+01:00 [16880 verbose 'SessionManager'] Logging in SRM session = '52729', VC session = '5214f', user = 'com.vmware.vcDr', full name = 'com.vmware.vcDr', locale = 'en_US'
2012-01-31T18:24:35.790+01:00 [13744 verbose 'SessionManager'] Local and remote versions are the same. Talking with version vim.version.version7
2012-01-31T18:24:35.883+01:00 [16880 info 'SessionManager'] VC Connection: Logging in extension by subject name
2012-01-31T18:24:35.883+01:00 [16880 info 'SessionManager'] VC Connection: Logged in session 52016432-a7ab-07fa-2518-9aac0414f2f7
2012-01-31T18:24:35.883+01:00 [16880 info 'LocalVC'] [PCM] Value used for WaitForUpdatesTimeout: 900
2012-01-31T18:24:35.883+01:00 [16880 verbose 'LocalVC'] [PCM] Initialized without an active connection
2012-01-31T18:24:35.883+01:00 [13744 info 'LocalVC'] [PCM] Received reconnect notification - incrementing connection version to 1
2012-01-31T18:24:35.883+01:00 [13744 verbose 'LocalVC'] [PCM] Recreating filters for all '0' currently registered filter requests.
2012-01-31T18:24:35.883+01:00 [16880 info 'authorize'] [Auth]: User com.vmware.vcDr
2012-01-31T18:24:35.883+01:00 [13744 verbose 'LocalVC' opID=fd6362f] [PCM] Starting new wait-for-updates monitor for connection version '1'
2012-01-31T18:24:35.883+01:00 [13744 verbose 'LocalVC'] [PCM] Reconnect handling complete
2012-01-31T18:24:35.883+01:00 [13744 info 'RoleRegistry'] Initializing by registering for updates to the 'roleList' property on AuthorizationManager 'AuthorizationManager'.
2012-01-31T18:24:35.883+01:00 [13744 verbose 'LocalVC'] [PCM] Using token '0' for pending filter creation
2012-01-31T18:24:35.899+01:00 [13744 verbose 'RoleRegistry'] RoleRegistry is registered for updates with token '1'.
2012-01-31T18:24:35.899+01:00 [16880 verbose 'LocalVC'] Shutting down connection
2012-01-31T18:24:35.899+01:00 [16880 verbose 'LocalVC'] [PCM] Stopping...
2012-01-31T18:24:35.899+01:00 [16880 warning 'VixVcDomain'] VIX connection already logged out
2012-01-31T18:24:35.899+01:00 [13744 info 'RoleRegistry'] Shutting down...
2012-01-31T18:24:35.899+01:00 [13744 error 'LocalVC'] [PM] Cannot unregister callback for filter token '1' because PropertyMonitor is stopped
2012-01-31T18:24:35.899+01:00 [16880 error 'SessionManager'] Exception in login:
[#1] --> (vim.fault.NoPermission) {
[#1] --> dynamicType = <unset>,
[#1] --> faultCause = (vmodl.MethodFault) null,
[#1] --> object = 'dr.ServiceInstance:DrServiceInstance',
[#1] --> privilegeId = "System.View",
[#1] --> msg = "",
[#1] --> }
2012-01-31T18:24:35.946+01:00 [18772 info 'vmomi.soapStub[1]'] Resetting stub adapter for server TCP:itnapis10.q8int.com:80 : Closed
2012-01-31T18:24:35.946+01:00 [18772 warning 'vmomi.soapStub[1]'] Terminating invocation: server=TCP:itnapis10.q8int.com:80, moref=vmodl.query.PropertyCollector:propertyCollector, method=createFilter

Does anyone have an idea of what's wrong?

Thanks

Francesco

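As an added example that is not part of the thread, here is a small Python triage script for the probe sequence a vmware-dr log like the one above records: it groups lines into "Probing URL" attempts, attaches to each the OpenSSL verify result, the "Probe URL found ... trusted certificate" outcome and any vim.fault.NoPermission that follows, and reports which step actually blocked pairing. The sample lines are constructed in the same layout with placeholder hostnames and thumbprints.

```python
import re
from dataclasses import dataclass
# Constructed sample in the vmware-dr.log layout quoted in the post; hostnames and thumbprints are placeholders.
SAMPLE_LOG = """\
2012-01-31T18:24:35.656+01:00 [05684 info 'DrRemoteSiteManager'] Probing URL vc-b.example.com:80 with tunnelPath '/sdkTunnel' and thumbprint 'VC'
2012-01-31T18:24:35.672+01:00 [05684 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-01-31T18:24:35.703+01:00 [05684 info 'DrRemoteSiteManager'] Probe URL found DNS name 'vc-b.example.com', thumbprint 'AA:AA:AA', and trusted certificate
2012-01-31T18:24:36.109+01:00 [05684 info 'DrRemoteSiteManager'] Probing URL vc-b.example.com:80 with tunnelPath 'vc-b.example.com:8095' and thumbprint 'DR'
2012-01-31T18:24:36.124+01:00 [05684 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-01-31T18:24:36.436+01:00 [05684 warning 'DrRemoteSiteManager'] Failed while probing SRM server.: (vim.fault.NoPermission) {
[#1] --> privilegeId = "System.View",
"""
PROBE_RE = re.compile(r"Probing URL (\S+) with tunnelPath '[^']*' and thumbprint '([^']*)'")
FOUND_RE = re.compile(r"Probe URL found DNS name '[^']*', thumbprint '([^']*)', and (\w+) certificate")
FAULT_RE = re.compile(r"\((vim\.fault\.\w+)\)")
PRIV_RE = re.compile(r'privilegeId = "([^"]*)"')

@dataclass
class Probe:
    url: str
    kind: str                    # 'VC' or 'DR': which thumbprint the probe is checking
    verify_failed: bool = False  # OpenSSL rejected the presented chain
    trust: str = ""              # 'trusted'/'untrusted' as SRM logged it afterwards
    thumbprint: str = ""
    fault: str = ""              # vim.fault.* raised while probing, if any
    privilege: str = ""          # privilegeId named in the fault, if any

def parse_probes(log_text: str) -> list:
    probes = []
    for line in log_text.splitlines():
        if m := PROBE_RE.search(line):
            probes.append(Probe(url=m[1], kind=m[2]))
        elif not probes:
            continue  # lines before the first probe belong to other subsystems
        elif "certificate verify failed" in line:
            probes[-1].verify_failed = True
        elif m := FOUND_RE.search(line):
            probes[-1].thumbprint, probes[-1].trust = m[1], m[2]
        elif m := FAULT_RE.search(line):
            probes[-1].fault = m[1]
        elif m := PRIV_RE.search(line):
            probes[-1].privilege = m[1]
    return probes

def diagnose(probes: list) -> list:
    # One finding per trust fallback (verify failed, then accepted) and per permission fault.
    findings = []
    for p in probes:
        if p.verify_failed and p.trust == "trusted":
            findings.append(f"{p.kind} probe {p.url}: chain verify failed, accepted via thumbprint {p.thumbprint}")
        if p.fault == "vim.fault.NoPermission":
            findings.append(f"{p.kind} probe {p.url}: {p.fault} for privilege {p.privilege}")
    return findings
```

Run over the real log, the findings separate the OpenSSL verify errors (which the probe survives once the thumbprint is accepted) from the NoPermission on System.View during the DR probe, which is the step that actually fails.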
5 Replies
404
Contributor

Hi,

Could you find a solution in the meantime? We have the same issue with our SRM installation.

Kind regards

sn4psh0t

templeMike
Contributor

Did you find a solution to this issue?

KristofPattou
Enthusiast

Did you find a solution for this problem?

paxri02
Contributor

Have you verified that you do not have Microsoft patch KB2661254 installed on your SRM servers? If so, you will need to regenerate the SRM SSL certificates at 1024 bits or larger, or remove the patch.

Otherwise, I think you will need VMware support.

Good Luck,

Rick

Xunty
Contributor

I don't think that patch will interfere with that; I have the patch installed and it doesn't give any error.
