If you use custom SSL/TLS certificates for the VMware Live Site Recovery server endpoint certificate, the certificates must meet specific criteria.
VMware Live Site Recovery 9.x uses standard PKCS#12 certificates. VMware Live Site Recovery places some requirements on the contents of those certificates.
- VMware Live Site Recovery does not accept certificates with MD5 signature algorithms. Use SHA256 or stronger signature algorithms.
- By default, VMware Live Site Recovery does not accept certificates with SHA-1 signature algorithms. Use SHA256 or stronger signature algorithms.
- The VMware Live Site Recovery certificate is not the root of a trust chain. You can use an intermediate CA certificate which is not the root of a trust chain, but that is still a CA certificate.
- If you use a custom certificate for vCenter Server you are not obliged to use a custom certificate for VMware Live Site Recovery. The reverse is also true.
- The private key in the PKCS#12 file must match the certificate. The minimum length of the private key is 2048 bits.
- The VMware Live Site Recovery certificate password must not exceed 31 characters.
- The current time must be within the period of validity of the certificate.
- The certificate must be a server certificate, for which the x509v3 Extended Key Usage must indicate TLS Web Server Authentication.
- The certificate must include an extendedKeyUsage or enhancedKeyUsage attribute, the value of which is serverAuth.
- There is no requirement for the certificate to also be a client certificate. The clientAuth value is not required.
- The Subject Name must not be empty and must contain fewer than 4096 characters. In this release, the Subject Name does not have to be the same for both members of a VMware Live Site Recovery Server pair.
- The certificate must identify the VMware Live Site Recovery Server host.
- The recommended way to identify the VMware Live Site Recovery Server host is with the host's fully-qualified domain name (FQDN). If the certificate identifies the VMware Live Site Recovery Server host with an IP address, this must be an IPv4 address. Using IPv6 addresses to identify the host is not supported.
- Certificates generally identify the host in the Subject Alternative Name (SAN) attribute. Some CAs issue certificates that identify the host in the Common Name (CN) value of the Subject Name attribute. VMware Live Site Recovery accepts certificates that identify the host in the CN value, but this is not the best practice. For information about the SAN and CN best practices, see the Internet Engineering Task Force (IETF) RFC 6125 at https://tools.ietf.org/html/rfc6125.
- The host identifier in the certificate must match the VMware Live Site Recovery Server local host address that you specify when you install VMware Live Site Recovery.
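The following script, added here as an example and not VMware's own code, checks a certificate and private key against the requirements listed above using the `cryptography` library. The function names, the self-signed sample pair built by `make_sample`, and the host name lsr.example.test are assumptions for the demonstration; in practice you would load the certificate and key from the PKCS#12 file you intend to install.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def ext(cert, cls):  # extension value, or None when the certificate lacks it
    try: return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound: return None

def check_lsr_cert(cert, key, password, expected_host):
    """Return the violated requirements; an empty list means the pair is acceptable."""
    now = datetime.datetime.now(datetime.timezone.utc)
    # Support both the older naive and the newer *_utc validity accessors.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=now.tzinfo)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=now.tzinfo)
    eku = ext(cert, x509.ExtendedKeyUsage)
    san = ext(cert, x509.SubjectAlternativeName)
    ips = san.get_values_for_type(x509.IPAddress) if san else []
    # Host identity: SAN DNS name or IPv4 is expected; CN is accepted, IPv6 is not supported.
    ids = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    ids += (san.get_values_for_type(x509.DNSName) if san else []) + [str(ip) for ip in ips]
    checks = [
        (isinstance(cert.signature_hash_algorithm, (hashes.MD5, hashes.SHA1)),
         "MD5/SHA-1 signature algorithm; use SHA256 or stronger"),
        (key.key_size < 2048, "private key shorter than 2048 bits"),
        (key.public_key().public_numbers() != cert.public_key().public_numbers(),
         "private key does not match the certificate"),
        (len(password) > 31, "PKCS#12 password longer than 31 characters"),
        (not nb <= now <= na, "current time is outside the validity period"),
        (eku is None or ExtendedKeyUsageOID.SERVER_AUTH not in eku,
         "extendedKeyUsage missing or without serverAuth"),
        (not 0 < len(cert.subject.rfc4514_string()) < 4096, "Subject Name empty or 4096+ characters"),
        (any(ip.version == 6 for ip in ips), "IPv6 address in SAN is not supported"),
        (expected_host not in ids, f"certificate does not identify the local host {expected_host}"),
    ]
    return [msg for failed, msg in checks if failed]

def make_sample(host="lsr.example.test", bits=2048):  # constructed self-signed demo pair
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(key, hashes.SHA256()))
    return cert, key
```

Run `check_lsr_cert(*make_sample(), "s3cret", "lsr.example.test")` to see an empty list for the compliant sample; swapping in a 1024-bit key or a host name that is not in the certificate produces the corresponding findings.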