After you generate a CA-signed PKCS#12 file manually or by using the CertGenVVD tool, replace the default VMware-signed certificate with this certificate on vSphere Replication in both regions.

About this task

You create certificates twice, once for each vSphere Replication instance. You can start by replacing the certificate on vSphere Replication in Region A, mgmt01vrms01.sfo01.rainpole.local.

Table 1. PKCS#12 Files for vSphere Replication in Region A and Region B

| vSphere Replication Appliance Name | PKCS#12 File Name from Manual Generation | PKCS#12 File Name from the CertGenVVD Tool |
| --- | --- | --- |
| mgmt01vrms01.sfo01.rainpole.local | mgmt01vrms01.sfo01.p12 | mgmt01vrms01.sfo01.5.p12 |
| mgmt01vrms51.lax01.rainpole.local | mgmt01vrms01.lax01.p12 | mgmt01vrms51.lax01.5.p12 |

Prerequisites

If you use the CertGenVVD tool to generate CA-signed certificates for the products in this validated design, generate the PEM file for vRealize Operations Manager and download it to your computer. See VMware Knowledge Base article 2146215.

Procedure

  1. Upload the PKCS#12 file to vSphere Replication by using the vSphere Replication Appliance interface (VAMI).
    1. Open a Web browser and go to the following URL.

      | vSphere Replication | URL |
      | --- | --- |
      | vSphere Replication in Region A | https://mgmt01vrms01.sfo01.rainpole.local:5480 |
      | vSphere Replication in Region B | https://mgmt01vrms51.lax01.rainpole.local:5480 |

    2. Log in using the following credentials.

      | Setting | Value |
      | --- | --- |
      | User name | root |
      | Password | vr_root_password |

    3. On the VR tab, click the Configuration tab.
    4. Enter the vCenter Single Sign-On administrator password vsphere_admin_password.
    5. Click Choose File next to Upload PKCS#12 (*.pfx) file and locate the PKCS#12 file that you created. 

    6. Click the Upload and Install button and enter the certificate password when prompted. 

    After you change the SSL certificate, the vSphere Replication status changes to disconnected because the new certificate is not validated by the vSphere Replication instance in the other site.

  2. Reconnect the sites to resolve the connection issue.

    When you change the SSL certificate, the vSphere Replication status changes to the disconnected state because the new certificate is not validated by the vSphere Replication instance in the other site.

    1. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      | Setting | Value |
      | --- | --- |
      | User name | administrator@vsphere.local |
      | Password | vsphere_admin_password |

    3. On the vSphere Web Client Home page, click vSphere Replication.
    4. Select mgmt01vc01.sfo01.rainpole.local, click Manage, and select Target Sites.
    5. Right-click mgmt01vc51.lax01.rainpole.local and click Reconnect site.
    6. In the Reconnect Sites dialog box, click Yes to proceed.

  3. Repeat the steps to generate and install the CA-signed certificate on the other vSphere Replication instance.
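
A post-replacement check for both appliances, added here as an example and not part of the original VMware procedure: it connects to each VAMI endpoint trusting only your signing CA, so a failed handshake means the appliance still serves a certificate that does not chain to that CA or does not match the host name. The file name `ca-chain.pem` and the 30-day expiry threshold are assumptions.

```python
import socket
import ssl
import time

# Management endpoints from the procedure (VAMI port 5480).
APPLIANCES = [
    ("mgmt01vrms01.sfo01.rainpole.local", 5480),
    ("mgmt01vrms51.lax01.rainpole.local", 5480),
]
CA_FILE = "ca-chain.pem"  # assumption: PEM file holding your signing CA chain


def fetch_cert(host, port, ca_file, timeout=10):
    """Handshake trusting only ca_file; return the validated peer cert dict."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert, fqdn, min_days=30, now=None):
    """Return a list of problems in a getpeercert() dict; empty means OK."""
    now = time.time() if now is None else now
    problems = []
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: issuer equals subject")
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if fqdn.lower() not in sans:
        problems.append(f"{fqdn} not listed in subjectAltName")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < min_days:
        problems.append(f"expires in {days_left} days")
    return problems


def verify_appliance(host, port, ca_file):
    """Chain and hostname are checked by the handshake, the rest by check_cert."""
    try:
        cert = fetch_cert(host, port, ca_file)
    except ssl.SSLCertVerificationError as exc:
        return [f"not trusted via {ca_file}: {exc.verify_message}"]
    return check_cert(cert, host)


if __name__ == "__main__":
    for host, port in APPLIANCES:
        problems = verify_appliance(host, port, CA_FILE)
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it from a host that resolves the appliance names and can reach port 5480, once after each appliance's certificate is replaced.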