Generate Key Pairs and Certificate Signing Requests for Site Recovery Manager Certificates

Generate key pairs and certificate signing requests (CSRs) that you can use to obtain a CA-signed certificate for the Site Recovery Manager instances in the SDDC.

About this task

You perform the following steps:

|File Name|Site Recovery Manager in Region A|Site Recovery Manager in Region B|
|:-------|:-------|:-------|
|CSR File Name|mgmt01srm01.sfo01_ssl.csr|mgmt01srm51.lax01_ssl.csr|
|Certificate File Name|mgmt01srm01.sfo01.cer|mgmt01srm51.lax01.cer|
|Key File Name|mgmt01srm01.sfo01_ssl.key|mgmt01srm51.lax01_ssl.key|
|CA Certificate Chain|CACert.chain.cer|CACert.chain.cer|
|PKCS#12 File Name from Manual Generation|mgmt01srm01.sfo01.p12|mgmt01srm51.lax01.p12|
|PKCS#12 File Name from the CertGenVVD tool|mgmt01srm01.sfo01.5.p12|mgmt01srm51.lax01.5.p12|

Procedure

  1. Log in to the Site Recovery Manager virtual machine by using a Remote Desktop Protocol (RDP) client.

    1. Open an RDP connection to the following virtual machine.

      |Region|Site Recovery Manager|
      |:-------|:-------|
      |Region A|mgmt01srm01.sfo01.rainpole.local|
      |Region B|mgmt01srm51.lax01.rainpole.local|

    2. Log in using the following credentials.

      |Setting|Value|
      |:-------|:-------|
      |User name|Windows administrator user|
      |Password|windows_administrator_password|

  2. Generate a CSR file.

    You generate the certificate signing request using OpenSSL. On the Site Recovery Manager Windows virtual machine, OpenSSL is available under C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin.

    1. Create a C:\certs directory on the Site Recovery Manager Server Windows machine.
    2. In the C:\certs directory, create an OpenSSL configuration text file with the following content.

      |Site Recovery Manager|File Name|
      |:-------|:-------|
      |Site Recovery Manager in Region A|mgmt01srm01.sfo01.cfg|
      |Site Recovery Manager in Region B|mgmt01srm51.lax01.cfg|

      ```
      [ req ]
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      # The private key is written without a passphrase.
      encrypt_key = no
      # Take the subject values from this file instead of prompting for them.
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req

      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      # Short host name, IP address, and fully qualified domain name of the server.
      subjectAltName = DNS:mgmt01srm01, IP:172.16.11.124, DNS:mgmt01srm01.sfo01.rainpole.local

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = CA
      localityName = Palo Alto
      0.organizationName = Rainpole Inc.
      organizationalUnitName = Rainpole.local
      commonName = mgmt01srm01.sfo01.rainpole.local
      ```

    3. Change the properties in the configuration file in the following way.

      |Property|Region A|Region B|
      |:-------|:-------|:-------|
      |subjectAltName|DNS:mgmt01srm01, IP:172.16.11.124, DNS:mgmt01srm01.sfo01.rainpole.local|DNS:mgmt01srm51, IP:172.17.11.124, DNS:mgmt01srm51.lax01.rainpole.local|
      |countryName|US|US|
      |stateOrProvinceName|CA|CA|
      |localityName|Palo Alto|Palo Alto|
      |0.organizationName|Rainpole Inc.|Rainpole Inc.|
      |organizationalUnitName|Rainpole.local|Rainpole.local|
      |commonName|mgmt01srm01.sfo01.rainpole.local|mgmt01srm51.lax01.rainpole.local|

    4. At the command prompt, run the following command to add the path to the bin folder of Site Recovery Manager to the Windows PATH environment variable.

      You configure the PATH environment variable so that Windows can locate and run the openssl.exe file.

      ```
      set PATH=%PATH%;C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin
      ```

    5. At the command prompt, go to the C:\certs folder and generate the CSR by running the following command.

      |Region|Command|
      |:-------|:-------|
      |Region A|openssl.exe req -new -nodes -out mgmt01srm01.sfo01_ssl.csr -keyout mgmt01srm01.sfo01-orig.key -config mgmt01srm01.sfo01.cfg|
      |Region B|openssl.exe req -new -nodes -out mgmt01srm51.lax01_ssl.csr -keyout mgmt01srm51.lax01-orig.key -config mgmt01srm51.lax01.cfg|

    6. Convert the private key to RSA format.

      |Region|Command|
      |:-------|:-------|
      |Region A|openssl.exe rsa -in mgmt01srm01.sfo01-orig.key -out mgmt01srm01.sfo01_ssl.key|
      |Region B|openssl.exe rsa -in mgmt01srm51.lax01-orig.key -out mgmt01srm51.lax01_ssl.key|

    7. Copy the CSR file to the following directories on the Windows host that you use to access the data center.

      |Region|Directory|
      |:-------|:-------|
      |Region A|C:\manual-certs\srm\mgmt01srm01.sfo01|
      |Region B|C:\manual-certs\srm\mgmt01srm51.lax01|

    8. Repeat the steps to generate a key file and a CSR for the other Site Recovery Manager.
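
The CSR and key produced in steps 5 and 6 can be checked before the CSR is sent to the CA. The following PowerShell script is an added example, not part of the original procedure; its parameter names and the set of checks are assumptions, and it relies on openssl.exe being on PATH as configured in step 4.

```powershell
# Added example: check the CSR and key from steps 5 and 6 before submission.
# Assumes openssl.exe is on PATH (step 4) and the files are in C:\certs.
param(
    [string]$Name     = 'mgmt01srm01.sfo01',                # Region B: mgmt01srm51.lax01
    [string]$Fqdn     = 'mgmt01srm01.sfo01.rainpole.local', # Region B: mgmt01srm51.lax01.rainpole.local
    [string]$Ip       = '172.16.11.124',                    # Region B: 172.17.11.124
    [string]$CertsDir = 'C:\certs'
)
$csr = Join-Path $CertsDir "${Name}_ssl.csr"
$key = Join-Path $CertsDir "${Name}_ssl.key"

# openssl reports "verify OK" on stderr, so merge the streams and flatten
# every record to a string before matching.
$text = (& openssl.exe req -in $csr -noout -verify -text 2>&1 |
    ForEach-Object { "$_" }) -join "`n"

$problems = @()
if ($text -notmatch 'verify OK') { $problems += 'CSR self-signature did not verify' }

# Key size as requested by default_bits in the configuration file.
$bits = 0
if ($text -match 'Public.Key: \((\d+) bit\)') { $bits = [int]$Matches[1] }
if ($bits -lt 2048) { $problems += "Key size is $bits bits, expected at least 2048" }

# Every subjectAltName entry from the configuration file must be in the CSR.
$short = $Fqdn.Split('.')[0]
foreach ($san in "DNS:$short", "DNS:$Fqdn", "IP Address:$Ip") {
    $pattern = [regex]::Escape($san) + '(,|\s|$)'
    if ($text -notmatch $pattern) { $problems += "Missing subjectAltName entry $san" }
}

# The converted key from step 6 must be the key the CSR was signed with.
$csrMod = "$(& openssl.exe req -in $csr -noout -modulus)"
$keyMod = "$(& openssl.exe rsa -in $key -noout -modulus)"
if (-not $csrMod -or $csrMod -ne $keyMod) { $problems += 'Key file does not match the CSR' }

# The key is stored unencrypted (-nodes, encrypt_key = no): list who can read it.
$readers = (Get-Acl $key).Access |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    Csr           = $csr
    KeyBits       = $bits
    KeyReadableBy = $readers -join ', '
    Problems      = $problems -join '; '
}
if ($problems.Count -gt 0) { exit 1 }
```

Run it once on each Site Recovery Manager machine, passing the Region B values as parameters on mgmt01srm51.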

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region B.
