VMware SRM and SSL certificates

I recently ran into some problems with SRM and SSL certificates. My lab for this project has two vcenters — both using CA signed SSL certificates. During the SRM install I used the automatically generated certificates. When the installations were complete, I was unable to pair the sites. The error message I received was SSL related:

The host certificate chain is not complete. reason.msg

I spent a lot of time trying to figure out the ‘trick’ on how to create certificates that SRM would actually use. I finally found a blog post here: http://thephuck.com/virtualization/creating-certificates-for-vmware-srm-or-vcenter-using-openssl-made-easy-with-video/ that pointed me in the right direction. I followed the instructions but SRM still wouldn’t use the certificate.

Looking at the certificate created, I noticed a couple of things were missing. Specifically, the following two settings that actually make the SRM certificate different:

extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: fqdn.of.srm.server

Even though my CSR contained both of these settings, the CA did not include them in the certificate. I decided to make a copy of the ‘Web Server’ certificate template I normally use and add a ‘Client Authentication’ purpose. However, when I got to my CA, I noticed an SCCM Web Server template that already had the options I needed.

I followed the instructions, but made two different changes when submitting the CSR to my CA:

Certificate Template: SCCM Web Server (which has a Server & Client purpose)
Attributes: san:dns=host.name.of.vcenter (which adds the subject alternative names)

Finally, after what felt like weeks of SSL hell, I was able to pair my sites. Many thanks to Luke @ThepHuck for these valuable instructions.

This entry was posted in Virtualization. Bookmark the permalink.

6 Responses to VMware SRM and SSL certificates

  1. Luke says:

    I’m glad I could help! @ShannonSnowden from http://virtualizationinformation.com & I worked back and forth trying to figure out a good way to get the certs working. He posted about it here: http://virtualizationinformation.com/installing-certificates-for-vcenter-and-srm-to-work/

  2. Pratiks says:

    I am experiencing the same issue with default certs after SRM ip has been changed.

    Mon, 4:20 PM] Login of SRM server ” into SRM server ” failed. SRM server ” cannot validate SSL certificate from server at ”. The remote host certificate has these problems:

    * The host certificate chain is not complete. reason.msg

  3. Pratiks says:

    Any help would be appreciated

  4. Luke says:

    Is this error seen between the Protected vCenter & Protected SRM server? Or is it seen when trying to authenticate the Protected site to the Recovery site?

    If it’s the latter, try reconnecting the site pairing. It should present the certificate, allowing you to accept it.

  5. Pratiks says:

    We are unable to register SRM to vCenter
    Issue occurred after an IP change in the environment\
    Same issue is seen on both sites

    We have done a modify install of SRM and generated new default certs in the process.

  6. Pratiks says:

    the issue still persists

Leave a Reply

Your email address will not be published. Required fields are marked *