How to Replace Site Recovery Manager SSL Certificates

In this blog post, we will go through the steps needed to create the certificate request and how to replace the signed certificate on the SRM Manager servers. Note that you will need OpenSSL to create the certificate request.

Replacing certificates is part of the work when managing an IT environment. Most products don’t generally require installing certificates signed by a trusted CA (Certificate Authority), but rather offer a quicker route by leveraging self-signed certificates, Site Recovery Manager (SRM) included. However, installing custom certificates is usually regarded as the best practice to increase security in the infrastructure.

VMware‘s disaster recovery solution SRM works with a management server in each of the protected and recovery sites that pair and connect to the vCenter servers. The SRM server certificate establishes the identity and secures the communication between SRM servers and clients.

Creation of the Certificate

1. Browse to your OpenSSL directory and create a config file like the following and change the fields specific to your environment (in red in the example cfg file below). In this example, I save it as “srm1.cfg“.

Note that you can put the server’s IP in the certificate but it is not required if you work with DNS names (which everyone should do).

In the “SubjectAltName” put the names the server is referred to (usually FQDN and short name).

If you look in openssl.cfg you will find more fields to populate in the last part (Country, city, email…).

2. Open an elevated command prompt and browse to the OpenSSL directory once again and generate the certificate request using the config file.

3. Convert the generated private key to RSA format.

4. Provide your certificate authority with the certificate request (.csr file) to sign the certificate.

(Note: consult this guide if you are signing it with a Microsoft CA and encounter an error regarding a missing template.

5. Once you have received the certificate from your CA, convert it to PKCS12 with the RSA private key, which is required by the SRM installer.

We will need OpenSSL one last time to do this operation. The signed certificate is named “srm1.cer” and the PKCS12 “srm1.p12” in this example.

Replacement of the certificate in Site Recovery Manager

1. Open the “Uninstall or change a program” wizard On the SRM Manager server, select “VMware vCenter Site Recovery Manager” and click “Change“.

If you encounter an error due to UAC being enabled, follow this procedure.

• Go to Start > Run, type regedit and click OK. The Registry Editor window opens.

• Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > system.

• Modify DWORD EnableLUA from 1 to 0.

• Restart the Windows machine and run the modify installation.

2. Select the “Modify” option.

  3. Type in the credentials of the service account connecting to vCenter. The Username is pre-populated.

4. Not much to do here except click “Next“.

5. In this pane, the “Local Host” is pre-populated with the IP address of the server. This field should be one of the SANs of the certificate (Subject Alternative Names).

This means that if the IP is not present in the SANs of your certificate, change these fields to the FQDN of the SRM server.

6. Select “Use a PKCS#12 certificate file” in the next pane.

7. Browse to the .p12 file and type the password you chose when converting it in OpenSSL. It was “Password123″ in my example.

8. Type the password of the user that connects to the database.

9. Leave the next pane alone unless you want to change the account under which the SRM service runs.

10. Finish the wizard and click “Install“.

11. It should complete successfully. If it doesn’t you will need to review the installation logs.

12. Once the wizard is closed, you can verify that the replacement has been done correctly in a web browser on the port 9086 of the SRM server with HTTPS.

Open the certificate presented and ensure it is the new one.

SRM site pairing connection

Now if you look at the SRM plugin after replacing the certificate on the protected site (xav-win-vc in the example below), you will see that the recovery site (xav-win-vc2 below) is disconnected.

1. Then replace the certificate of the recovery site (xav-win-vc2) by following the same procedure as before. You will notice that it is now the protected site that is disconnected (xav-win-vc).

2. To fix it, open the Site Recovery Manager plug-in in vCenter, go to “Sites” and click on “Reconfigure Pairing“.

3. The remote site of the one selected is pre-populated. Click “Next” here.

4. Type the password of the account used for the pairing.

You will notice a task “Repair Connection” which should succeed.

5. Ensure that both protected and recovery sites are now in the green “Connected” state.

The SRM Manager certificates are now successfully replaced.

Wrap up

Although not being the most attractive part of the job as a SysAdmin, certificate management is critical to ensure compliance with security policies of the company. It is also very important that customers have a way to closely monitor the expiry date of all the certificates installed in their environments. Whether it is handled manually by a crypto team or by a monitoring tool like Zabbix or Nagios, there should be alarms configured to warn the infrastructure team in advance (2 months is a safe margin). To monitor the SSL certificates of Site Recovery Manager, you can run SSL checks on port 9086 of each server as seen earlier in this blog.