If you installed SSL certificates issued by a trusted certificate authority (CA) on the vCenter Server that supports Site Recovery Manager, the certificates you create for use by Site Recovery Manager must meet specific criteria.
Public CAs stopped issuing SSL/TLS certificates that contain internal server names or reserved IP addresses in November 2015, and will revoke any such certificates that are still valid on 1st October 2016. To minimize disruption, if you use SSL/TLS certificates that contain internal server names or reserved IP addresses, obtain new, compliant certificates before 1st October 2016. A private CA is not bound by these public-CA rules and can still issue certificates for internal names.
For information about the deprecation of internal server names and reserved IP addresses, see https://cabforum.org/internal-names/.
For information about how the deprecation of internal server names and reserved IP addresses affects VMware products, see http://kb.vmware.com/kb/2134735.
While Site Recovery Manager uses a standard PKCS#12 file, which bundles the certificate with its private key, for authentication, it places a few specific requirements on the contents of certain fields of the certificate. These requirements apply to the certificates used by both members of a Site Recovery Manager Server pair.
The certificates must have a Subject Name value that is identical for both members of the Site Recovery Manager pair. The Subject Name value can be constructed from the following components.
A Common Name (CN) attribute. A string such as SRM is appropriate here. The CN attribute is obligatory.
An Organization (O) attribute and an Organizational Unit (OU) attribute. The O and OU attributes are obligatory.
Other attributes, for example, the L (locality), S (state; spelled ST in openssl configuration files and -subj strings), and C (country) attributes, among others, are permitted but are not obligatory. If you specify any of these attributes, the values must be the same for both members of the Site Recovery Manager pair.
The certificate used by each member of a Site Recovery Manager Server pair must include a Subject Alternative Name attribute the value of which is the fully-qualified domain name of the Site Recovery Manager Server host. This value will be different for each member of the Site Recovery Manager Server pair. Because this name is subject to a case-sensitive comparison, use lowercase letters when specifying the name during Site Recovery Manager installation.
If you are using an openssl CA, modify the openssl configuration file to include a line like the following if the Site Recovery Manager Server host's fully-qualified domain name is srm1.example.com:
subjectAltName = DNS:srm1.example.com
If you are using a Microsoft CA, refer to http://support.microsoft.com/kb/931351 for information on how to set the Subject Alternative Name.
If both Site Recovery Manager Server and vCenter Server run on the same host machine, you must provide two certificates, one for Site Recovery Manager and one for vCenter Server. Each certificate must have the Subject Alternative Name attribute set to the fully-qualified domain name of the host machine, so two distinct certificates, each valid for the same host name, then exist on one machine. Consequently, from a security perspective, it is better to run Site Recovery Manager Server and vCenter Server on different host machines.
The certificate used by each member of a Site Recovery Manager Server pair must include an extendedKeyUsage or enhancedKeyUsage attribute the value of which is serverAuth, clientAuth. If you are using an openssl CA, modify the openssl configuration file to include a line like the following:
extendedKeyUsage = serverAuth, clientAuth
The Site Recovery Manager certificate password must not exceed 31 characters.
The Site Recovery Manager certificate key length must be a minimum of 2048 bits.
Site Recovery Manager accepts certificates with MD5RSA and SHA1RSA signature algorithms, but these are not recommended: MD5 collisions are practical and SHA-1 is deprecated by browsers and public CAs. Use SHA256RSA or stronger signature algorithms.
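The following script is an added example, not part of the Site Recovery Manager documentation or the product's own tooling. It issues a certificate pair for two Site Recovery Manager Server hosts from a private openssl CA and then checks each certificate against the requirements above: identical Subject on both members, a lowercase FQDN in subjectAltName, an extendedKeyUsage of serverAuth and clientAuth, a 2048-bit key, a SHA-256 signature, and a PKCS#12 export password of at most 31 characters. The host names srm1.example.com and srm2.example.com, the DN values, the validity periods and the export password are placeholders chosen for the example; it requires a working openssl command line and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Site Recovery Manager documentation): issue a pair of
# SRM-compliant certificates from a private openssl CA and check them against the
# documented requirements. Host names, DN values and the export password are
# placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASSWORD='Srm-Export-Pass-2016'      # 20 characters: within the 31-character limit

# Shared request config: the Subject is identical on both sites. openssl spells the
# state attribute ST (Microsoft tools show it as S); only CN, O and OU are obligatory.
cat > "$WORKDIR/srm.cnf" <<'EOF'
[req]
distinguished_name = srm_dn
prompt = no
[srm_dn]
C  = US
ST = California
L  = Palo Alto
O  = Example Corp
OU = SRM
CN = SRM
EOF

# One-time private CA: 2048-bit RSA, self-signed with SHA-256.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -subj '/O=Example Corp/OU=PKI/CN=Example Private CA' \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Per-host v3 extensions: SAN is the host's FQDN, EKU carries serverAuth and clientAuth.
write_ext() {                           # $1 = fqdn
  cat > "$WORKDIR/$1.ext" <<EOF
subjectAltName = DNS:$1
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# Key, CSR, CA-signed certificate and PKCS#12 bundle for one SRM Server host.
issue_host() {                          # $1 = fqdn (any case)
  fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # SAN comparison is case-sensitive
  write_ext "$fqdn"
  openssl req -new -config "$WORKDIR/srm.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$fqdn.key" -out "$WORKDIR/$fqdn.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 730 -in "$WORKDIR/$fqdn.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$fqdn.ext" -out "$WORKDIR/$fqdn.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORKDIR/$fqdn.crt" -inkey "$WORKDIR/$fqdn.key" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:$P12_PASSWORD" -out "$WORKDIR/$fqdn.p12"
}

# Check one certificate against the requirements; names each failure and returns 1.
check_cert() {                          # $1 = certificate file, $2 = expected fqdn
  txt=$(openssl x509 -in "$1" -noout -text)
  rc=0
  printf '%s\n' "$txt" | grep -qF "DNS:$2" || { echo "FAIL: SAN is not DNS:$2"; rc=1; }
  printf '%s\n' "$txt" | grep -qF 'TLS Web Server Authentication, TLS Web Client Authentication' \
    || { echo "FAIL: EKU lacks serverAuth, clientAuth"; rc=1; }
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key shorter than 2048 bits"; rc=1; }
  printf '%s\n' "$txt" | grep -qF 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "FAIL: signature algorithm is not SHA256RSA"; rc=1; }
  [ ${#P12_PASSWORD} -le 31 ] || { echo "FAIL: PKCS#12 password exceeds 31 characters"; rc=1; }
  return $rc
}

# The Subject must match exactly between the two members of the pair.
same_subject() {                        # $1, $2 = certificate files
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

make_ca
issue_host srm1.example.com
issue_host SRM2.EXAMPLE.COM             # mixed case on purpose; the SAN is written lowercase
check_cert "$WORKDIR/srm1.example.com.crt" srm1.example.com
check_cert "$WORKDIR/srm2.example.com.crt" srm2.example.com
same_subject "$WORKDIR/srm1.example.com.crt" "$WORKDIR/srm2.example.com.crt"
echo "compliant pair written to $WORKDIR"
```

The per-site difference is confined to the extension file (the SAN), while the Subject comes from one shared request config, which is the simplest way to guarantee the two members' Subject Names match. check_cert is the piece worth keeping for certificates issued elsewhere, for example by a Microsoft CA: run it against the exported certificate before installing it to catch a mixed-case SAN, a missing clientAuth, or a SHA-1 signature.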