SRM with VMAX 20K – Part IV: Creating CA signed certificates

In this post, I’m going to cover off how I created the CA signed certificates for both my SRM servers. To clarify, the CA servers were already set up and I had followed this KB article to ensure that I had the correct certificate templates and followed the process correctly.

This can all be done before you install SRM onto each site server, but I did not. I did it after and implemented them at a later date. I do not think it really matters in what order you do it (it depends on how organised you are!) but it should be done before you decide to link the SRM servers, which I’ll cover in my next post!

Create Microsoft CA Signed Certificates for Site Recovery Manager

1) On the SRM server create a folder “c:\certs”

2) From within the folder, create a text file and enter in the following information:

3) Save the text file as “C:\certs\SRM.cfg” (Ensure it’s not .cfg.txt)

4) Open CMD as Administrator and navigate to the following, assuming you installed to D:\
“D:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin”

5) Run the following command:

SRMCERT1

6) Then run the command:

SRMCERT2

7) At this stage in the c:\certs folder you will have 2 .key files and a .csr request.

8) Copy out the .CSR file to your VDI desktop. Open command prompt and type the following:
certreq -submit -attrib "CertificateTemplate:Cft-VMware-SSL" C:\users\YOURUSER\desktop\rui.csr

9) When prompted, select the correct site CA that you wish to use.
SRMCERT3

10) Click ok. Wait a few seconds and a prompt will appear asking to save the certificate.

11) Save the certificate as “rui.crt” back to your Desktop.

12) Copy the new .crt file back to the server c:\certs folder on the SRM Server.

13) On the elevated prompt, type the following:

14) There will now be a .p12 certificate in your store along with the other files
SRMCERT4

15) Open Control Panel and go to “UAC”. Move the slider down to the bottom to disable it.
SRMCERT5

16) Click OK and then reboot the server. If this is not done, when you try to modify the SRM certificate, you may see the following error:
SRMCERT6

17) Once booted up, log back in as the service account. Navigate to add/remove programs in control panel. Highlight VMware Site Recovery Manager and select “Change”

18) On the SRM screen, click Next. Select Modify and click next.
SRMCERT7

19) Enter in the administrator password when prompted. Click next.

20) On the certificate screen, select the middle option for “Use a PKCS#12 certificate”. Click next.
SRMCERT8

21) Browse to the .p12 certificate file. Select Open.
SRMCERT9

22) Enter in the password to the key file which was entered in the above request. In this example “srmserver” was used. Click next.

23) At the database configuration screen, enter the same DB configuration as on the installation.
SRMCERT10

24) Click next. Accept to use the existing DB. Click Next.
SRMCERT11

25) Select “Install” and allow the update of the SSL certificate to take place.

26) Repeat the above steps for the secondary SRM site server. Make sure to generate a new request, as in step 2, with the correct server information in.
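A check that can be run on each SRM server after step 14, before the installer is pointed at the .p12 file. This is an added example, not part of the original post or of VMware's tooling; `Test-SrmP12` is a hypothetical helper name, and the file name and host name in the usage lines are placeholders.

```powershell
# Added example: inspect a PKCS#12 bundle before handing it to the SRM installer.
# Test-SrmP12 is a hypothetical helper; file and host names below are placeholders.
function Test-SrmP12 {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [securestring] $Password,
        [Parameter(Mandatory = $true)] [string] $ExpectedHost   # FQDN of this SRM server
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    # Loads into memory only; nothing is imported into a Windows certificate store.
    # A wrong password or a corrupt file throws here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $Password

    # Render an extension by OID as text, or '' when the certificate lacks it.
    $fmt = {
        param($oid)
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
        if ($ext) { $ext.Format($false) } else { '' }
    }
    $san = & $fmt '2.5.29.17'   # subjectAltName
    $eku = & $fmt '2.5.29.37'   # extendedKeyUsage

    # Build the chain against this machine's trust stores. Default policy checks
    # revocation online, so an unreachable CRL shows up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $now = Get-Date

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        HasPrivateKey  = $cert.HasPrivateKey
        InValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NotAfter       = $cert.NotAfter
        # Substring match on the rendered SAN text: a sanity check, not strict name validation.
        SanMatchesHost = ($san -match [regex]::Escape($ExpectedHost))
        SubjectAltName = $san
        ExtendedKeyUse = $eku
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        ChainTrusted   = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholder values): prompt for the password rather than typing it on the command line.
$pw = Read-Host -AsSecureString 'PKCS#12 password'
Test-SrmP12 -Path 'C:\certs\<your-file>.p12' -Password $pw -ExpectedHost 'srm01.example.local'
```

If `HasPrivateKey` is False or `ChainTrusted` is False, resolve that before running the SRM "Modify" wizard; a missing issuing CA in the server's trust store appears in `ChainStatus`.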

Once again, this process was fairly easy but not without a few minor bumps along the way. You might have a little difficulty if you aren’t used to working with Microsoft CA certificates. Luckily my cert template on the CA was already pre-configured as per the VMware recommendations. As I said above, it is possible to follow this process at the very start before installing the Site Recovery Manager software on each site server. In that instance, you would be able to select the certificate you’ve already generated during the original installation!

My next post will be quite short and quickly run through linking both sites’ SRM servers.
