If you enforce a verification of certificate validity by enabling vSphere Replication to accept only SSL certificates signed by a trusted Certificate Authority, some fields of the certificate request must meet certain requirements.

vSphere Replication can only import and use certificates and private keys from a file in the PKCS#12 format. Sometimes these files have a .pfx extension.

  • The certificate must be issued for the same server name as the value in the Local Host setting in the VRMS Appliance Management Interface. Setting the certificate subject name accordingly is sufficient, if you put a host name in the Local Host setting or if any of the Subject Alternative Name certificate fields of the certificate matches the Local Host setting.
  • vSphere Replication checks the issue and expiration dates of the certificate against the current date, to ensure that the certificate is not expired.
  • If you use your own certificate authority, for example one that you create and manage with the OpenSSL tools, you must add the fully qualified domain name or IP address to the OpenSSL configuration file.
    • If the fully qualified domain name of the appliance is VR1.example.com, add subjectAltName = DNS: VR1.example.com to the OpenSSL configuration file.
    • If you use the IP address of the appliance, add subjectAltName = IP: vr-appliance-ip-address to the OpenSSL configuration file.
  • vSphere Replication requires a trust chain to a well-known root certificate authority. vSphere Replication trusts all the certificate authorities that the Java Virtual Machine trusts. Also, you can manually import additional trusted CA certificates in /opt/vmware/hms/security/hms-truststore.jks on the vSphere Replication appliance.
  • vSphere Replication accepts MD5 and SHA1 and SHA256 signatures. It is a best practice to use SHA156 signatures.
  • vSphere Replication does not accept RSA or DSA certificates with 512-bit keys. vSphere Replication requires at least 1024-bit keys. It is a best practice to use 2048-bit public keys.