If you use custom SSL/TLS certificates for the Site Recovery Manager server endpoint certificate, the certificates must meet specific criteria.
Site Recovery Manager 8.x uses standard PKCS#12 certificates. Site Recovery Manager places some requirements on the contents of those certificates.
- Site Recovery Manager does not accept certificates with MD5 signature algorithms. Use SHA256 or stronger signature algorithms.
- By default, Site Recovery Manager does not accept certificates with SHA-1 signature algorithms. Use SHA256 or stronger signature algorithms.
- The Site Recovery Manager certificate is not the root of a trust chain. You can use an intermediate CA certificate, which is not the root of a trust chain but is still a CA certificate.
- If you use a custom certificate for vCenter Server you are not obliged to use a custom certificate for Site Recovery Manager. The reverse is also true.
- The private key in the PKCS #12 file must match the certificate. The minimum length of the private key is 2048 bits.
- The Site Recovery Manager certificate password must not exceed 31 characters.
- The current time must be within the period of validity of the certificate.
- The certificate must be a server certificate, for which the x509v3 Extended Key Usage must indicate TLS Web Server Authentication.
- The certificate must include an extendedKeyUsage or enhancedKeyUsage attribute, the value of which is serverAuth.
- There is no requirement for the certificate to also be a client certificate. The clientAuth value is not required.
- The Subject Name must not be empty and must contain fewer than 4096 characters. In this release, the Subject Name does not have to be the same for both members of a Site Recovery Manager Server pair.
- The certificate must identify the Site Recovery Manager Server host.
- The recommended way to identify the Site Recovery Manager Server host is with the host's fully-qualified domain name (FQDN). If the certificate identifies the Site Recovery Manager Server host with an IP address, this must be an IPv4 address. Using IPv6 addresses to identify the host is not supported.
- Certificates generally identify the host in the Subject Alternative Name (SAN) attribute. Some CAs issue certificates that identify the host in the Common Name (CN) value of the Subject Name attribute. Site Recovery Manager accepts certificates that identify the host in the CN value, but this is not the best practice. For information about the SAN and CN best practices, see the Internet Engineering Task Force (IETF) RFC 6125 at https://tools.ietf.org/html/rfc6125.
- The host identifier in the certificate must match the Site Recovery Manager Server local host address that you specify when you install Site Recovery Manager.
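As an added pre-flight check that is not part of the Site Recovery Manager documentation, the POSIX shell function below extracts the server certificate from a PKCS#12 bundle with the openssl CLI (assumed to be version 1.1.1 or later, for the -ext option) and tests the rules listed above: password length, signature algorithm, key size, validity period, the serverAuth Extended Key Usage, the host identity in the SAN or CN with IPv6 addresses rejected, and the Subject Name length. The function name and the bundle path are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of a PKCS#12 bundle against the SRM
# certificate rules above, using only the openssl CLI (1.1.1+ for -ext).
# Usage: check_srm_p12 <bundle.p12> <password> <expected-fqdn>
# Prints one FAIL line per violated rule; returns 0 only if every rule passes.
check_srm_p12() {
    p12=$1 pass=$2 host=$3 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    # SRM limits the certificate password to 31 characters.
    [ ${#pass} -le 31 ] || fail "password longer than 31 characters"
    # Pull out only the leaf (server) certificate: no private key, no CA chain.
    cert=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null) ||
        { echo "FAIL: cannot read $p12 (wrong password or not PKCS#12)"; return 1; }
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
    # Signature algorithm: MD5 is rejected, SHA-1 is rejected by default.
    printf '%s\n' "$text" | grep 'Signature Algorithm' | grep -Eiq 'md5|sha1' &&
        fail "MD5 or SHA-1 signature algorithm"
    # The key pair must be at least 2048 bits (works with 1.1.1 and 3.x -text output).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || fail "public key is ${bits:-unknown} bits, need 2048"
    # The current time must fall inside the validity period (GNU date parses notBefore;
    # on other date implementations the notBefore check is skipped).
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || fail "certificate has expired"
    nb=$(printf '%s\n' "$cert" | openssl x509 -noout -startdate | cut -d= -f2)
    [ "$(date -d "$nb" +%s 2>/dev/null || echo 0)" -le "$(date +%s)" ] || fail "certificate not yet valid"
    # Must be a server certificate: EKU serverAuth (clientAuth is optional).
    printf '%s\n' "$cert" | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Server Authentication' || fail "extendedKeyUsage lacks serverAuth"
    # Host identity: SAN (preferred) or CN must name the host; IPv6 is not supported.
    san=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    printf '%s\n%s\n' "$san" "$subj" | grep -qF "$host" || fail "host $host not in SAN or CN"
    printf '%s\n' "$san" | grep -q 'IP Address:[0-9A-Fa-f]*:' && fail "IPv6 address in SAN"
    # Subject Name must be non-empty ("subject=" alone is 8 characters) and under 4096.
    [ ${#subj} -gt 8 ] && [ ${#subj} -lt 4096 ] || fail "Subject Name empty or too long"
    [ "$fails" -eq 0 ]
}
```

Run it against the bundle you intend to install, with the FQDN you will enter as the local host address during installation, before starting the installer.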