Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
A frequently asked question from early HVR deployments has been about the product's certificate requirements. This post captures the prerequisites for enabling replication using certificate-based authentication.
HVR uses machine-level mutual authentication, which requires the certificates to be installed in the Personal certificate store of the local computer (the computer store, not the current user's store).
To view or import the certificates:
i. Launch mmc from the command prompt.
ii. Click File -> Add/Remove Snap-in... and choose Certificates from the available list of snap-ins.
iii. Choose 'Computer account' in the Certificates snap-in pop-up.
iv. Open the Certificates folder under the Personal store.
To set up a replication relationship, the certificate on the primary server must meet the following conditions:
Replica Server Certificate Requirements
To enable a server to receive replication traffic, the certificate on the replica server must meet the following conditions:
After the certificate is installed, run the following command from the command prompt on both the primary and the replica server:
certutil -store my
At least one of the certificates in the output should resemble the following sample, and it must report "Encryption test passed" (a certificate that reports only "Signature test passed" has a signature-only key and does not satisfy this check).
==============================Certificate 1 =====================================================
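The MMC steps and the certutil check above can be scripted. The following PowerShell is an added example written for this post, not code from the Hyper-V Replica team: it enumerates the same store the MMC steps open (Certificates (Local Computer) > Personal), reports which certificates carry a private key and are unexpired, and then parses the output of the post's own `certutil -store my` check for the "Encryption test passed" line. The page does not reproduce the certificate conditions, so the EKU columns (Server Authentication and Client Authentication) are an assumption drawn from the post's description of machine-level mutual authentication, and the script only reports them rather than treating them as the authoritative requirement list.

```powershell
# Added example (not from the original post). Inspect the Local Computer
# Personal store and the certutil Encryption test result for HVR.
# ASSUMPTION: EKU OIDs below reflect the "mutual authentication" described
# in the post; the post's actual condition list is not reproduced here.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Same store as the MMC steps: Certificates (Local Computer) > Personal > Certificates
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ekuOids = @()
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) {
        $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Expired       = ($cert.NotAfter -lt (Get-Date))
        ServerAuth    = ($ekuOids -contains $serverAuthOid)   # assumption, see above
        ClientAuth    = ($ekuOids -contains $clientAuthOid)   # assumption, see above
    }
}
$report | Format-Table -AutoSize

# The post's own check: certutil must report "Encryption test passed"
# (not only "Signature test passed") for at least one certificate.
$certutilOutput = certutil -store my
$text = $certutilOutput -join "`n"

# certutil separates entries with "===== Certificate N =====" banner lines.
$blocks = $text -split '={3,}\s*Certificate \d+\s*={3,}' | Where-Object { $_.Trim() }

$passing = @()
foreach ($block in $blocks) {
    if ($block -match 'Encryption test passed') {
        # certutil prints the SHA-1 hash with or without spaces depending on OS version.
        if ($block -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
            $passing += ($Matches[1] -replace '\s', '').ToUpper()
        } else {
            $passing += '<hash not found>'
        }
    }
}

if ($passing.Count -eq 0) {
    Write-Warning 'No certificate in LocalMachine\My passed the certutil Encryption test.'
} else {
    "Certificates passing the Encryption test: $($passing -join ', ')"
}
```

Run it in an elevated PowerShell prompt on both the primary and the replica server. A certificate that shows `HasPrivateKey = False` here, or that is missing from the "passing the Encryption test" list, is the usual cause of a replication relationship failing to authenticate.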
For a sample HVR deployment scenario using a makecert certificate, see Appendix C of the UTG, which is available here.
In the next few weeks, we will be posting an end-to-end workflow for enabling replication using certificates.
- Hyper-V Replication Team
Can I use third-party certificates?
To Denis - Yes, you can use 3rd-party certificates as long as they meet the above prerequisites.
Thanks for the reply, dear Hyper-V Replica -)
Thank you very much, it was useful for me!!
Any idea on when the end-to-end workflow for setting up certificates for HVR will be available? Even an unofficial copy maybe?
Warren - I will cover this in the next few weeks. The info in the UTG www.microsoft.com/.../details.aspx is an excellent start. Let me know if you have any specific questions.
This scenario applies to domain-based environments. Just in case I want to try this in a workgroup environment, how do I set up certificate-based authentication? I saw in some forums that Kerberos will fail in workgroup environments.
To add to the above query, can Replica be done in a workgroup? Or is it only supported in domain-based environments?
Yes, Kerberos-based mutual authentication will fail on a workgroup-joined machine. For workgroup-joined servers, you should use certificate-based authentication as described in this blog and blogs.technet.com/.../certificate-based-authentication-and-powershell.aspx
How do I create this certificate with the above requirements?
There are a few blogs which talk about this:
- Using makecert: blogs.technet.com/.../hyper-v-replica-certificate-based-authentication-makecert.aspx
- Using enterprise CAs, 3rd party CAs: blogs.technet.com/.../requesting-hyper-v-replica-certificates-from-an-enterprise-ca.aspx
- Using standalone CAs: blogs.technet.com/.../requesting-certificates-for-hyper-v-replica-from-cas.aspx