Hi,
Does anyone know how/where to change the SRM & vSphere Replication 8.2 Appliance VAMI https certificates?
I have updated the main appliance certificates with ones signed by my Enterprise CA, but I cannot find where they are updated for the VAMI interface?
I would appreciate any pointers.
Thanks
M
Hi,
SRM appliance VAMI uses the main appliance certificate. You may need to reload your browser after changing the certificate.
Hope this helps,
Daniel G.
Thank you Daniel,
I am not sure what happened initially, as I did refresh my browser(s). It seems to be working now that I have restarted both the SRM & vSphere Replication appliances.
Follow-up question... How do I import my Microsoft Windows Server Enterprise root & intermediate CA certificates into the SRM/vSphere Replication appliances' Trusted Root Certificate Authority stores?
Many Thanks,
Martin
Hi Martin,
you can follow the steps in the documentation page "How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance".
Hope this helps,
Daniel G.
Thank you again Daniel,
I am still having a niggly issue with SRM when pairing sites, where the one site cannot validate the vCenter server certificate on the other site.
Steps I have taken:
1) I have reconfigured both of my vCenter servers' VMCAs to be subordinate to my Enterprise CA. Both completed successfully and I can browse to either vCenter server without getting browser security errors.
2) I have added my Root CA and both vCenter VMCA CA certificates to both SRM appliances & re-run c_rehash (without error). They now have trusted connection thumbprints - the same thumbprints as the SRM site pairing does NOT trust!
3) I have created CSRs, signed them (with my root CA) and installed PKCS #12 certificates for both SRM appliances. I restarted both appliances and I can browse to them without getting a browser security error.
Do my vCenter Servers need each other's VMCA CA certificate importing? Just tried this and it still errors.
I do not have any SSO/ELM between vCenter servers?
I need a sanity check, can you see/think what I have missed?
vCenter Server Appliance Version - 6.7.0 Build 13007421
VMware SRM Appliance Version - 8.2.0 Build 14383138
vSphere Replication Appliance Version - 8.2.0.8989 Build 14338525
Cheers
Martin
Hi,
you can check the last step (Step 8) in the doc - How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance
Probably this will resolve your issue.
Hope this helps,
Daniel G.
Thank you again Daniel,
That has worked. I can now deploy both SRM and vSphere Replication appliances with certificates that are signed by my Enterprise CA.
I can also import the Root CA and both VMCA subordinate CA certificates into each appliance, so there are no more trust warning messages when pairing sites/etc.
I really appreciate your help.
M
Hi M,
Where did you generate the CSR request for the replication appliance?
I have followed the procedure from Daniel and have successfully created and installed the certs on both SRM appliances, however I don't see any option to generate a CSR on the replication appliance.
The VMdoc "Change the SSL Certificate of the vSphere Replication Appliance" at https://docs.vmware.com/en/vSphere-Replication/8.2/com.vmware.vsphere.replication-admin.doc/GUID-C96...
just says to upload the certificate. Where do I get the certificate from, I assume I have to generate it somewhere?
Thanks in advance
D
I created it manually with OpenSSL... I am working onsite today, but I will dig out the instructions later tonight and post here... M
Hi DJMCVMW.
Sorry for the delay, I was unexpectedly asked to leave my hotel last night as they closed due to the UK Covid19 response and had a 5 hour drive home. 😞
I have uploaded a short document to https://communities.vmware.com/docs/DOC-41405 with the steps I use in OpenSSL to create the CSR, sign the CSR and then to create a pkcs12 (.p12) file for import into either an SRM or VRM appliance.
Let me know if you have any questions. I hope it helps.
Martin
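The CSR, signing and PKCS #12 sequence described in the post above, as an added example that is not the content of the linked document or of VMware's documentation. The hostname, password, file names and the throwaway lab CA are constructed; in a real deployment the Enterprise CA signs the CSR in place of `sign_csr`.

```bash
#!/bin/sh
# Added example: CSR -> CA signature -> PKCS#12 bundle; all names and the lab CA are constructed.
set -eu
umask 077        # private keys and the .p12 are readable by the owner only

write_cnf() {    # $1=work dir  $2=appliance FQDN
cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3
prompt = no
[dn]
CN = $2
[v3]
subjectAltName = DNS:$2
keyUsage = digitalSignature, keyEncipherment
# EKU values are an assumption; check the product's certificate requirements
extendedKeyUsage = serverAuth, clientAuth
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

make_lab_ca() {  # stands in for the Enterprise CA, which would sign the CSR itself
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -config "$1/req.cnf" -extensions ca -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {     # the private key never leaves the machine that generates the request
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -keyout "$1/appliance.key" -out "$1/appliance.csr" 2>/dev/null
}

sign_csr() {     # -extfile/-extensions carry the SAN into the issued certificate
  openssl x509 -req -in "$1/appliance.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/req.cnf" -extensions v3 \
    -out "$1/appliance.crt" 2>/dev/null
}

make_p12() {     # $2=export password; stops if the cert does not chain to the CA
  openssl verify -CAfile "$1/ca.crt" "$1/appliance.crt" >/dev/null
  openssl pkcs12 -export -inkey "$1/appliance.key" -in "$1/appliance.crt" \
    -certfile "$1/ca.crt" -name appliance -passout "pass:$2" -out "$1/appliance.p12"
}

issue_p12() {    # $1=work dir  $2=FQDN  $3=export password
  write_cnf "$1" "$2"; make_lab_ca "$1"; make_csr "$1"; sign_csr "$1"; make_p12 "$1" "$3"
}
```

Calling `issue_p12 "$(mktemp -d)" srm01.lab.example 'Constructed-Pass1'` leaves `appliance.p12` in the work directory, holding the key, the leaf certificate and the CA certificate.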
Hi M,
Hope all is going OK there.
Thanks for getting back to me, I appreciate you taking the time, however I'm unable to view your doc, it tells me the content is restricted.
D
Hi DJMCVMW
Apologies, it should be working now.
All good here - it's nearly the weekend! 🙂
Martin