Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
An often asked question from early HVR deployments has been about the product’s certificate requirements. This post captures the prerequisites for enabling replication using certificate-based authentication.
HVR uses machine-level mutual authentication, which requires you to install the certificates in the Personal certificate store of the local computer.
To view or to import the certificates:
i. Launch mmc from the command prompt.
ii. Click File->Add/Remove Snap-in... and choose Certificates from the available list of snap-ins.
iii. Choose 'Computer Account' in the Certificates snap-in pop-up.
iv. Open the Certificates store under the Personal store.
To set up a replication relationship, the certificate on the primary server must meet the following conditions:
Replica Server Certificate Requirements
To enable a server to receive replication traffic, the certificate on the replica server must meet the following conditions:
After the certificate is installed, run the following command from the command prompt on both the primary and replica servers:
certutil -store my
At least one of the certificates in your output should resemble the following sample output, such that the Encryption test (not just the Signature test) has passed.
==============================Certificate 1 =====================================================
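As an added example (not part of the original post), the following PowerShell function parses the output of `certutil -store my` and reports only the certificates in the computer's Personal store that have a private key and passed the Encryption test, so the check above can be scripted on both the primary and replica server. The function name and the embedded sample output are constructed for illustration.

```powershell
# Added example: parse `certutil -store my` output and list certificates
# whose private key passed the Encryption test (not just the Signature test).
function Get-HvrEncryptionCapableCert {
    param(
        # Lines of certutil output; defaults to running certutil on this machine.
        [string[]]$CertutilOutput = (certutil -store my)
    )
    $results = @()
    $current = $null
    foreach ($line in $CertutilOutput) {
        # Each certificate block starts with a banner like "=== Certificate 1 ===".
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Index          = [int]$Matches[1]
                Subject        = $null
                Thumbprint     = $null
                HasPrivateKey  = $false
                EncryptionTest = $false
                SignatureTest  = $false
            }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^Subject:\s*(.+)$') { $current.Subject = $Matches[1].Trim() }
        elseif ($line -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') { $current.Thumbprint = ($Matches[1] -replace ' ', '').ToUpper() }
        elseif ($line -match 'Key Container') { $current.HasPrivateKey = $true }
        elseif ($line -match 'Encryption test passed') { $current.EncryptionTest = $true }
        elseif ($line -match 'Signature test passed') { $current.SignatureTest = $true }
    }
    if ($current) { $results += $current }
    # Only certificates with a private key that passed the Encryption test are usable for HVR.
    $results | Where-Object { $_.HasPrivateKey -and $_.EncryptionTest }
}

# Constructed sample output (not a real certutil dump) so the parser can be tried offline.
$sample = @'
================ Certificate 0 ================
Subject: CN=replica01.contoso.example
Cert Hash(sha1): 11 22 33 44
  Key Container = {constructed-guid}
Signature test passed
================ Certificate 1 ================
Subject: CN=primary01.contoso.example
Cert Hash(sha1): aa bb cc dd
  Key Container = {constructed-guid}
Encryption test passed
'@ -split "`r?`n"

Get-HvrEncryptionCapableCert -CertutilOutput $sample | Format-Table Index, Subject, Thumbprint
```

Run `Get-HvrEncryptionCapableCert` with no arguments on the primary and on the replica server; an empty result means no certificate in the Personal store satisfies the Encryption test the post asks for.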
For a sample HVR deployment scenario using a makecert certificate, see Appendix C of the UTG, which is available here.
In the next few weeks, we will be posting an end-to-end workflow for enabling replication using certificates.
- Hyper-V Replication Team
Can I use third-party certificates?
To Denis - Yes, you can use 3rd party certificates as long as they meet the above prerequisites.
Thanks for the reply, dear Hyper-V Replica :-)
Thank you very much it was useful for me!!
Any idea on when the end-to-end workflow for setting up certificates for HVR will be available? Even an unofficial copy maybe?
Warren - I will cover this in the next few weeks. The info in the UTG www.microsoft.com/.../details.aspx is an excellent start. Let me know if you have any specific questions.
This scenario applies to domain-based environments. Just in case I want to try this in a workgroup environment, how do I set up certificate-based authentication? I saw in some forums that Kerberos will fail in workgroup environments.
To add to the above query, can Replica be done in a workgroup? Or is it only supported in a domain-based environment?
Yes, Kerberos-based mutual authentication will fail on a workgroup-joined machine. For workgroup-joined servers, you should use certificate-based authentication as described in this blog and blogs.technet.com/.../certificate-based-authentication-and-powershell.aspx
How do I create this certificate with the above requirements?
There are a few blogs which talk about this:
- Using makecert: blogs.technet.com/.../hyper-v-replica-certificate-based-authentication-makecert.aspx
- Using enterprise CAs, 3rd party CAs: blogs.technet.com/.../requesting-hyper-v-replica-certificates-from-an-enterprise-ca.aspx
- Using standalone CAs: blogs.technet.com/.../requesting-certificates-for-hyper-v-replica-from-cas.aspx
I have a workgroup environment over a WAN. I still get one error and replication doesn't work. Error: The specified certificate is self signed. Can you advise me how to make the primary server accept a self-signed certificate from the replica server??? I have been fighting with it for one week. Everything is communicating till the last step of configuring replication. A few seconds after I submit Finish I get this error. I use the DNS suffix as server.domain.com... should I use server.domain.local??
Thank you very much for any advice to find a solution.
Sorry, I forgot to write. My servers are Hyper-V core 2012.
To Mike: The question of whether server.domain.local or server.domain.com should be used depends on the FQDN of the server (which impacts the way the network listener required for Hyper-V Replica comes up).
If you are using self-signed certificates generated from makecert, you can use the steps outlined in the following blog: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
If you try the above steps and continue to face an error, please copy and paste the specific error message which you see on the primary or on the replica server.