To set up a trusted environment with your custom root CA certificates, you must manually import the certificates into the Site Recovery Manager Appliance.
The certificates must be in a .pem format.
Procedure
- Log in to the Site Recovery Manager Virtual Appliance host machine as admin.
- Run the following command.
su
- Enter the root password.
- Copy the certificates to /etc/ssl/certs.
- To modify the certificates' permissions, run the following command.
chmod a+r <new-root-ca>.pem
- Run
/usr/bin/rehash_ca_certificates.sh
. - To import the Site Recovery Manager Server certificates, use the Site Recovery Manager Appliance Management Interface.
- Log in to the Site Recovery Manager Appliance Management Interface as admin.
- Click the Access tab, and then, in the Certificate pane, click Change.
- Select a certificate type.
Menu item Description Generate a self-signed certificate. Use an automatically generated certificate. - Enter text values for your organization and organization unit, typically your company name, and the name of your group in the company.
- Accept the default FQDN and IP values.
Note: Using a self-signed certificate is not recommended for production environments.Use a PKCS #12 certificate file. Use a custom certificate. - Click Browse, navigate to the certificate file, and click Open. The certificate file must contain exactly one certificate with exactly one private key matching the certificate.
- (Optional) Enter the optional private key encryption password.
Use a CA-signed certificate generated from CSR. Use a CA-signed certificate generated from a CSR. - In the Certificate file row, click Browse, navigate to the certificate file, and click Open.
- (Optional) In the CA chain row, click Browse, navigate to the CA chain, and click Open.
- Click Change.
- To import the Site Recovery HTML 5 client trust certificate in the JRE keystore, run the following command.
keytool -importcert -v -noprompt -file root.pem -alias root-ca -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit