To set up a trusted environment with your custom root CA certificates, you must manually import the certificates into the Site Recovery Manager Appliance.

The certificates must be in a .pem format.

Procedure

  1. Log in to the Site Recovery Manager Virtual Appliance host machine as admin.
  2. Run the following command.
    su
  3. Enter the root password.
  4. Copy the certificates to /etc/ssl/certs.
  5. To modify the certificates' permissions, run the following command.
    chmod a+r <new-root-ca>.pem
  6. Run /usr/bin/rehash_ca_certificates.sh.
  7. To import the Site Recovery Manager Server certificates, use the Site Recovery Manager Appliance Management Interface.
    1. Log in to the Site Recovery Manager Appliance Management Interface as admin.
    2. Click the Access tab, and then, in the Certificate pane, click Change.
    3. Select a certificate type.
      Menu item: Generate a self-signed certificate.
      Description: Use an automatically generated certificate.
        1. Enter text values for your organization and organization unit, typically your company name, and the name of your group in the company.
        2. Accept the default FQDN and IP values.
        Note: Using a self-signed certificate is not recommended for production environments.
      Menu item: Use a PKCS #12 certificate file.
      Description: Use a custom certificate.
        1. Click Browse, navigate to the certificate file, and click Open. The certificate file must contain exactly one certificate with exactly one private key matching the certificate.
        2. (Optional) Enter the optional private key encryption password.
      Menu item: Use a CA-signed certificate generated from CSR.
      Description: Use a CA-signed certificate generated from a CSR.
        1. In the Certificate file row, click Browse, navigate to the certificate file, and click Open.
        2. (Optional) In the CA chain row, click Browse, navigate to the CA chain, and click Open.
    4. Click Change.
  8. To import the Site Recovery HTML 5 client trust certificate in the JRE keystore, run the following command.
    keytool -importcert -v -noprompt -file root.pem -alias root-ca -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
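
A check that can be run on each root CA file after step 5 and before step 6, so that only a parsable, unexpired CA certificate in PEM format with the right permissions is rehashed into the trust store. This is an added example, not part of the original procedure or of VMware tooling; it assumes the openssl command-line tool is available where the check is run, and the function name check_root_ca is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not VMware code): sanity-check a root CA file after step 5
# and before running /usr/bin/rehash_ca_certificates.sh.
# Assumption: the openssl command-line tool is installed.

check_root_ca() {
    local pem="$1"

    [ -f "$pem" ] || { echo "FAIL: $pem: no such file" >&2; return 1; }

    # The procedure requires PEM, so reject DER or PKCS #12 files early.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "FAIL: $pem: no PEM certificate header" >&2; return 1; }

    # The body must parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout 2>/dev/null \
        || { echo "FAIL: $pem: not a parsable X.509 certificate" >&2; return 1; }

    # Only a certificate marked basicConstraints CA:TRUE should become a trust anchor.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: $pem: basicConstraints is not CA:TRUE" >&2; return 1; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: $pem: certificate has expired" >&2; return 1; }

    # Step 5 (chmod a+r): user, group and other must all have read permission.
    [ -n "$(find "$pem" -perm -444)" ] \
        || { echo "FAIL: $pem: not world-readable, run chmod a+r" >&2; return 1; }

    # Print subject, expiry and SHA-256 fingerprint so they can be compared
    # with the values supplied out of band by the CA owner.
    openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when a file name is given on the command line.
[ "$#" -eq 0 ] || check_root_ca "$1"
```

Compare the printed fingerprint with the value obtained from the CA owner before running the rehash script in step 6.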