In this post, I’m going to cover how I created the CA-signed certificates for both my SRM servers. To clarify, the CA servers were already set up, and I had followed this KB article to ensure that I had the correct certificate templates and followed the process correctly.
This can all be done before you install SRM onto each site server, but I did not. I did it after and implemented them at a later date. I do not think it really matters in what order you do it (it depends on how organised you are!) but it should be done before you decide to link the SRM servers, which I’ll cover in my next post!
Create Microsoft CA Signed Certificates for Site Recovery Manager
1) On the SRM server create a folder “c:\certs”
2) From within the folder, create a text file and enter in the following information:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: primarysite-srm.domain.com, DNS: primarysite-srm.domain.com, IP: 10.10.10.70
[ req_distinguished_name ]
0.organizationName = COMPANY NAME
organizationalUnitName = IT Infrastructure
commonName = SRM
3) Save the text file as “C:\certs\SRM.cfg” (ensure it’s not .cfg.txt)
4) Open CMD as Administrator and navigate to the following, assuming you installed to D:\
“D:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin”
5) Run the following command:
Openssl.exe req -new -nodes -out C:\certs\rui.csr -keyout C:\certs\rui-orig.key -config C:\certs\SRM.cfg
6) Then run the command:
Openssl.exe rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key
7) At this stage in the c:\certs folder you will have 2 .key files and a .csr request.
8) Copy out the .CSR file to your VDI desktop. Open command prompt and type the following:
Certreq -submit -attrib "CertificateTemplate:Cft-VMware-SSL" C:\users\YOURUSER\desktop\rui.csr
10) Click ok. Wait a few seconds and a prompt will appear asking to save the certificate.
11) Save the certificate as “rui.crt” back to your Desktop.
12) Copy the new .crt file back to the server c:\certs folder on the SRM Server.
13) On the elevated prompt, type the following:
Openssl.exe pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -name "cft-srm-sm-02.sec.smt" -passout pass:srmserver -out c:\certs\rui.p12
17) Once booted up, log back in as the service account. Navigate to add/remove programs in control panel. Highlight VMware Site Recovery Manager and select “Change”
19) Enter in the administrator password when prompted. Click next.
22) Enter in the password to the key file which was entered in the above request. In this example “srmserver” was used. Click next.
25) Select “Install” and allow the SSL certificate update to take place.
26) Repeat the above steps for the secondary SRM site server. Make sure to generate a new request, as in step 2, with the correct server information in it.
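A pre-flight check for the SRM.cfg from step 2, added here as an example and not part of the original post or of VMware's tooling: it flags subjectAltName entries that have run together without a comma, duplicate entries, and malformed DNS names or IP addresses before the CSR is generated for either site. The sample config and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of SRM.cfg; one comma is deliberately missing.
SAMPLE_CFG = """\
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS: primarysite-srm.domain.com IP: 10.10.10.70
"""

HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def read_section(cfg_text, wanted):
    """Collect key/value pairs from one [ section ] of an OpenSSL config."""
    values, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == wanted and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def lint_san(cfg_text, section="v3_req"):
    """Return a list of problems in the section's subjectAltName value."""
    san = read_section(cfg_text, section).get("subjectAltName")
    if san is None:
        return ["no subjectAltName in [%s]" % section]
    problems, seen = [], set()
    for entry in (e.strip() for e in san.split(",")):
        kind, _, value = (p.strip() for p in entry.partition(":"))
        if (kind, value.lower()) in seen:
            problems.append("duplicate entry: " + entry)
        seen.add((kind, value.lower()))
        if re.search(r"\s", value):
            problems.append("entries run together (missing comma?): " + entry)
        elif kind == "DNS":
            if not all(HOST_LABEL.match(lab) for lab in value.split(".")):
                problems.append("bad DNS name: " + entry)
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("bad IP address: " + entry)
        else:
            problems.append("unexpected entry type: " + entry)
    return problems
```

Call `lint_san(open(r"C:\certs\SRM.cfg").read())` on each site's config; an empty list means the SAN line parsed cleanly.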
Once again, this process was fairly easy but not without a few minor bumps along the way. You might have a little difficulty if you aren’t used to working with Microsoft CA certificates. Luckily my cert template on the CA was already pre-configured as per the VMware recommendations. As I said above, it is possible to follow this process at the very start before installing the Site Recovery Manager software on each site server. In that instance, you would be able to select the certificate you’ve already generated during the original installation!
My next post will be quite short and quickly run through linking both sites’ SRM servers.