VMware Cloud Community
brkirby
Contributor

Replace SRM certificates with Windows 2008 CA Certs

I've recently installed Site Recovery Manager 4.1. I have set up vCenter with Trusted Certificates from my Windows CA. I'm trying to do the same for Site Recovery Manager, but I haven't found a step-by-step process. I've looked through the VMware SRM requirements document (http://KB&cmd=displayKC&externalId=1008390), but it is a little too vague for me.

I was hoping that someone had some step-by-step instructions, or could point me to instructions, for how to set up a Certificate for Site Recovery Manager that is signed by a windows 2008 CA, or .

Any help would be greatly appreciated.

Thanks,

Brian

5 Replies
mal_michael
Commander

The following document may be helpful

The document talks about SRM 1, but it is correct for SRM 4 too. The only change in SRM 4 is that Subject Alternative Name should be FQDN of the SRM server.

HTH.

Let me know if you need further assistance.

Michael.

brkirby
Contributor

Thank you Michael. I have reviewed this document before and although it was helpful, I was not able to get things to work.

What I really need are instructions on how to do one of the following to get my SRM certificates:

  • create a CSR with openssl and process the request with my Windows 2008 CA. or

  • create a CSR on my Windows 2008 CA and then process the request on my Windows 2008 CA

I've tried both to no avail. For the certs that I was able to issue on my 2008 CA, I get the following error message when attempting to connect the protected site with the recovery site: "Local and remote servers are using different certificate trust methods", which is listed in that doc under troubleshooting. I may have to try again to get more specifics. I was hoping that someone out there had already done this and could share their steps.

Thanks,

Brian

twistedf8
Contributor

After spending hours trying to get SRM to accept the Certs I was creating using my Microsoft CA, I have come up with the following steps:

When creating Certificates for vCenter you need to make sure you create them exactly the same. So the Subject in the Cert should read like the following:

CN = vcenter.domain.com

OU = Department Name

O = Company Name

L = City

S = State (Full State name)

C = Country (Two letter Abbreviation)

Now when creating your SRM certificate you have to use both Server Authentication and Client Authentication. You can create a special Certificate Template for that on your Certificate Authority server. The following link describes how to complete this step:

Microsoft Certificate Template

Now when creating the Certificates for SRM you need to have the following subject in the cert:

CN = SRM

OU = Department Name (same as vcenter certificate)

O = Company Name (same as vcenter certificate)

L = City (same as vcenter certificate)

S = State (same as vcenter certificate)

C = Country (same as vcenter certificate)

Now comes the part that I struggled with the most. SRM requires you to have a Subject Alternative Name for your certificate that is the FQDN of the server you are creating the certificate for; but if you have multiple Subject Alternative Names for your Virtual Center cert using FQDN and host name, then you need to do the same for SRM. For example:

san:dns=srm01.domain.com&dns=srm01

If you miss this step SRM will not validate your certificate.

Here are a couple of articles that I found helpful when working through this issue:

replacing virtual center certificate

How to add subject alternative name
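The two things the replies above keep coming back to are (a) Brian's wish to "create a CSR with openssl and process the request with my Windows 2008 CA" and (b) twistedf8's subject/SAN/EKU rules. The script below is an added example, not code from either poster or from VMware: it writes an OpenSSL request config that pins the subject to the same OU/O/L/S/C values as the vCenter certificate, asks for both Server Authentication and Client Authentication, puts the FQDN and the short host name in the Subject Alternative Name, generates the CSR, and then checks the CSR for exactly those properties before it is submitted. The host name `srm01.domain.com`, the working directory and every subject value are constructed placeholders; the `WORK` and `SRM_FQDN` variables are assumptions of this script, not SRM settings.

```shell
#!/bin/sh
# Added example: build and sanity-check an SRM CSR with openssl before
# handing it to a Windows CA. All names below are constructed placeholders.
set -e

SRM_FQDN="${SRM_FQDN:-srm01.domain.com}"   # placeholder FQDN of the SRM server
SRM_HOST="${SRM_FQDN%%.*}"                # short host name, e.g. srm01
WORK="${WORK:-$(mktemp -d)}"              # where key, config and CSR are written

# Request config. Subject fields other than CN must match the vCenter cert
# (twistedf8's rule). OpenSSL names the state field "ST" where the Windows
# tooling shows "S"; it is the same X.500 attribute.
write_srm_req_config() {
  cat > "$WORK/srm.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = SRM
OU = Department Name
O = Company Name
L = City
ST = State
C = US

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${SRM_FQDN}, DNS:${SRM_HOST}
EOF
}

# Generate a 2048-bit RSA key and a CSR from the config above.
make_srm_csr() {
  write_srm_req_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/srm.key" -out "$WORK/srm.csr" \
    -config "$WORK/srm.cnf" 2>/dev/null
}

# Verify the CSR carries both SAN entries and both EKUs. Returns 1 if any
# of the four is missing, which is the condition twistedf8 says makes SRM
# refuse the certificate.
check_srm_csr() {
  txt=$(openssl req -in "$WORK/srm.csr" -noout -text)
  printf '%s\n' "$txt" | grep -q "DNS:${SRM_FQDN}"                || return 1
  printf '%s\n' "$txt" | grep -q "DNS:${SRM_HOST}"                || return 1
  printf '%s\n' "$txt" | grep -q "TLS Web Server Authentication"  || return 1
  printf '%s\n' "$txt" | grep -q "TLS Web Client Authentication"  || return 1
  return 0
}

# Stand-alone run: build the CSR and report the result.
if [ "${SRM_EXAMPLE_NO_RUN:-0}" = "0" ]; then
  make_srm_csr
  if check_srm_csr; then
    echo "CSR at $WORK/srm.csr has SAN (FQDN + host) and serverAuth + clientAuth"
  else
    echo "CSR is missing a SAN entry or an EKU; SRM would not accept it" >&2
    exit 1
  fi
fi
```

A Microsoft CA applies the extensions of the template the request is issued under, so a CSR that passes this check can still come back without the client-authentication EKU or the SAN if the template does not carry them. Run the same four `grep` checks against the issued certificate (`openssl x509 -in issued.cer -noout -text`) before installing it on the SRM server.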

brkirby
Contributor

Thanks for the assistance. I ended up just reinstalling vCenter with the default certs, then installing SRM with the default certs with VMware, Inc. as the O and the OU. I think we may have an issue with our Windows 2008 CA.

brkirby
Contributor

After trying to deploy a new Certificate template recently, I realized why this process didn't work. My Windows 2008 Certificate Authority is running on Windows 2008 Standard. In order to deploy a new certificate template, you need a Certificate Authority running Enterprise edition. I found this caveat while trying to create a Cert for an SCCM server using this article: http://technet.microsoft.com/en-us/library/cc872789.aspx

Here's a quote from the article:
"Although you can configure certificate templates with Windows Server Standard Edition and Active Directory Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008."

At least now I know why it didn't work.
