I recently ran into some problems with SRM and SSL certificates. My lab for this project has two vcenters — both using CA signed SSL certificates. During the SRM install I used the automatically generated certificates. When the installations were complete, I was unable to pair the sites. The error message I received was SSL related:
I spent a lot of time trying to figure out the ‘trick’ on how to create certificates that SRM would actually use. I finally found a blog post here: http://thephuck.com/virtualization/creating-certificates-for-vmware-srm-or-vcenter-using-openssl-made-easy-with-video/ that pointed me in the right direction. I followed the instructions but SRM still wouldn’t use the certificate.
Looking at the certificate created, I noticed a couple of things were missing. Specifically, the following two settings that actually make the SRM certificate different:
extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS: fqdn.of.srm.server
Even though my CSR contained both of these settings, the CA did not include them in the certificate. I decided to make a copy of the ‘Web Server’ certificate template I normally use and add a ‘Client Authentication’ purpose. However, when I got to my CA, I noticed an SCCM Web Server template that already had the options I needed.
I followed the instructions, but made two different changes when submitting the CSR to my CA:
Certificate Template: SCCM Web Server (which has a Server & Client purpose)
Attributes: san:dns=host.name.of.vcenter (which adds the subject alternative names)
Finally, after what felt like weeks of SSL hell, I was able to pair my sites. Many thanks to Luke @ThepHuck for these valuable instructions.