If you enforce verification of certificate validity by selecting Accept only SSL certificates signed by a trusted Certificate Authority in the virtual appliance management interface (VAMI) of the vSphere Replication appliance, some fields of the certificate request must meet certain requirements.
vSphere Replication can only import and use certificates and private keys from a file in the PKCS#12 format. Sometimes these files have a .pfx extension.
The certificate must be issued for the same server name as the value in the VRM Host setting in the VAMI. Setting the certificate subject name accordingly is sufficient, if you put a host name in the VRM Host setting. If any of the certificate Subject Alternative Name fields of the certificate matches the VRM Host setting, this will work as well.
vSphere Replication checks the issue and expiration dates of the certificate against the current date, to ensure that the certificate has not expired.
If you use your own certificate authority, for example one that you create and manage with the OpenSSL tools, you must add the fully qualified domain name or IP address to the OpenSSL configuration file.
If the fully qualified domain name of the appliance is
subjectAltName = DNS: VR1.example.comto the OpenSSL configuration file.
If you use the IP address of the appliance, add
subjectAltName = IP: vr-appliance-ip-addressto the OpenSSL configuration file.
vSphere Replication requires a trust chain to a well-known root certificate authority. vSphere Replication trusts all the certificate authorities that the Java Virtual Machine trusts. Also, you can manually import additional trusted CA certificates in /opt/vmware/hms/security/hms-truststore.jks on the vSphere Replication appliance.
vSphere Replication accepts MD5 and SHA1 signatures, but VMware recommends that you use SHA256 signatures.
vSphere Replication does not accept RSA or DSA certificates with 512-bit keys. vSphere Replication requires at least 1024-bit keys. VMware recommends using 2048-bit public keys. vSphere Replication shows a warning if you use a 1024-bit key.