In a dual-region SDDC, you replace an expired certificate on Site Recovery Manager to keep this component trusted. You generate a custom certificate by using the CertGenVVD utility. Pair again the Site Recovery Manager instances in the two regions to re-establish the connection using the new certificate.

About this task

If you replace the certificates of all management components in Region A, you must replace the certificates of all Platform Services Controller, vCenter Server and NSX Manager instances before Site Recovery Manager.

Site Recovery Manager

Certificate Files


  • sfo01m01srm01.5.p12

  • chainRoot64.cer


  1. Log in to the Site Recovery Manager virtual machine by using a Remote Desktop Protocol (RDP) client.
    1. Open an RDP connection to the sfo01m01srm01.sfo01.rainpole.local virtual machine.
    2. Log in using the following credentials.



      User name




  2. Install the CA certificates in the Windows trusted root certificate store of the Site Recovery Manager virtual machine.
    1. Copy the CA certificate and PKSCS#12 files to the C:\certs folder
    2. Double-click the chainRoot64.cer file in the C:\certs folder to open Certificate import dialog box.
    3. In the Certificate dialog box, select the Install Certificate option.

      The Certificate Import Wizard appears.

    4. Select the Local Machine option for Store Location and click Next.
    5. Select Place all certificates in the following store option, browse to select Trusted Root Certificate Authorities store, and click OK.
    6. On the Completing the Certificate Import Wizard page, click Finish.
  3. Replace the certificate on Site Recovery Manager with the one that you generated.
    1. Open Programs and Features from the Windows Control Panel.
    2. From the list of programs, select VMware vCenter Site Recovery Manager and click Change.
    3. Select the Modify option on the Maintenance Options screen and follow the wizard until you reach the Certificate Type screen.
    4. Select the Use a PKCS#12 certificate file option and click Next.
    5. Browse to the C:\certs folder, select the sfo01m01srm01.5.p12 or lax01m01srm01.5.p12 file, and enter the certificate password that you specified when generating the PKCS#12 file.
    6. Click Yes in the certificate warning dialog box and complete the modify installation wizard.
  4. Reconnect the two Site Recovery Manager sites after replacing the certificate.
    1. Open a Web Browser and go to the following URL.



      Region A


    2. Log in using the following credentials.



      User name




    3. In the vSphere Web Client, click Site Recovery > Sites.
    4. Right-click the site sfo01m01vc01.sfo01.rainpole.local and select Reconfigure Pairing.
    5. Enter the address of the Platform Services Controller lax01psc01.lax01.rainpole.local on the remote site and click Next.
    6. Select the vCenter Server instance lax01m01vc01.lax01.rainpole.local with which Site Recovery Manager is registered on the remote site, enter the user name svc-srm@rainpole.local and svc-srm_password password, and click Finish.