All communications between Site Recovery Manager and vCenter Server instances take place over SSL connections and are authenticated by public key certificates or stored credentials.
When you install Site Recovery Manager Server, you must choose either credential-based authentication or custom certificate-based authentication. By default, Site Recovery Manager uses credential-based authentication, but custom certificate-based authentication can alternatively be selected. The authentication method you choose when installing the Site Recovery Manager Server is used to authenticate connections between the Site Recovery Manager Server instances at the protected and recovery sites, and between Site Recovery Manager and vCenter Server.
You cannot mix authentication methods between Site Recovery Manager Server instances at different sites and between Site Recovery Manager and vCenter Server.
This is the default authentication method that Site Recovery Manager uses. If you are using credential-based authentication, Site Recovery Manager stores a user name and password that you specify during installation, and then uses those credentials when connecting to vCenter Server. Site Recovery Manager also creates a special-purpose certificate for its own use. This certificate includes additional information that you supply during installation.
Even though Site Recovery Manager creates and uses this special-purpose certificate when you choose credential-based authentication, credential-based authentication is not equivalent to certificate-based authentication in either security or operational simplicity.
Custom Certificate-Based Authentication
If you have or can acquire a PKCS#12 certificate signed by a trusted certificate authority (CA), use custom certificate-based authentication. Public key certificates signed by a trusted CA streamline many Site Recovery Manager operations and provide the highest level of security. Custom certificates that Site Recovery Manager uses have special requirements. See Requirements When Using Trusted SSL Certificates with Site Recovery Manager.
If you use custom certificate-based authentication, you must use certificates signed by a CA that both the vCenter Server and Site Recovery Manager Server instances trust, on both the protected site and the recovery site. You can use a certificate that is signed by a different CA on each site if both CAs are installed as trusted Root CAs on both sites.
If a certificate has expired and you attempt to start or restart Site Recovery Manager Server, the Site Recovery Manager service starts and then stops. If a certificate expires while Site Recovery Manager is running, Site Recovery Manager cannot establish a session with vCenter Server and appears in the disconnected state.
If you are using credential-based authentication, inital attempts by the Site Recovery Manager Server to connect to vCenter Server produce a certificate warning because the trust relationship asserted by the special-purpose certificates created by Site Recovery Manager and vCenter Server cannot be verified by SSL. A warning allows you to verify the thumbprint of the certificate used by the other server and confirm its identity. To avoid these warnings, use certificate-based authentication and obtain your certificate from a trusted certificate authority.