If you enforce verification of certificate validity by selecting Accept only SSL certificates signed by a trusted Certificate Authority in the virtual appliance management interface (VAMI) of the vSphere Replication appliance, some fields of the certificate request must meet certain requirements.

vSphere Replication can only import and use certificates and private keys from a file in the PKCS#12 format. Sometimes these files have a .pfx extension.

The certificate must be issued for the same server name as the value in the VRM Host setting in the VAMI. Setting the certificate subject name accordingly is sufficient, if you put a host name in the VRM Host setting. If any of the certificate Subject Alternative Name fields of the certificate matches the VRM Host setting, this will work as well.

vSphere Replication checks the issue and expiration dates of the certificate against the current date, to ensure that the certificate has not expired.

If you use your own certificate authority, for example one that you create and manage with the OpenSSL tools, you must add the fully qualified domain name or IP address to the OpenSSL configuration file.

If the fully qualified domain name of the appliance is VR1.example.com, add subjectAltName = DNS: VR1.example.com to the OpenSSL configuration file.

If you use the IP address of the appliance, add subjectAltName = IP: vr-appliance-ip-address to the OpenSSL configuration file.

vSphere Replication requires a trust chain to a well-known root certificate authority. vSphere Replication trusts all the certificate authorities that the Java Virtual Machine trusts. Also, you can manually import additional trusted CA certificates in /opt/vmware/hms/security/hms-truststore.jks on the vSphere Replication appliance.

You cannot install a certificate that uses the MD5 signature algorithm. vSphere Replication will not communicate with remote servers that present a certificate with an MD5 signature.

vSphere Replication does not accept RSA or DSA certificates with 512-bit keys. Use 2048-bit public keys.