Hyper-V Replica - Prerequisites for certificate based deployments

An often-asked question from early HVR deployments concerns the product's certificate requirements. This post captures the prerequisites for enabling replication using certificate-based authentication.

HVR uses machine-level mutual authentication: each server presents its own certificate and validates the peer's. This requires the certificates to be installed in the Personal certificate store of the local computer (the computer store, not the current user's store).

View/Import Certificates

To view or to import the certificates:

   i.   Launch mmc from the command prompt.
   ii.  Click File -> Add/Remove Snap-in... and choose Certificates from the list of available snap-ins.
   iii. Choose 'Computer account' in the Certificates snap-in pop-up (not 'My user account').
   iv.  Open the Certificates store under the Personal store.

Primary Server Certificate Requirements

To set up a replication relationship, the certificate on the primary server must meet the following conditions:

  • Enhanced Key Usage must include both Client Authentication (OID 1.3.6.1.5.5.7.3.2) and Server Authentication (OID 1.3.6.1.5.5.7.3.1).
  • Set the Subject field or the Subject Alternative Name using one of the following methods:
    • Set the Subject field to the primary server name (e.g. primary1.contoso.com). If the primary server is part of a cluster, ensure that the Subject field is set to the FQDN of the HVR Broker (install this certificate on all the nodes of the cluster).

    (or)

    • The Subject field can contain a wildcard (e.g. *.department.contoso.com).

    (or)

    • For a SAN certificate, set the Subject Alternative Name's DNS Name to the primary server name (e.g. primary1.contoso.com). If the primary server is part of a cluster, the Subject Alternative Name of the certificate must contain the FQDN of the HVR Broker (install this certificate on all the nodes of the cluster).

  • Ensure that the certificate is a valid X.509v3 certificate and has not been revoked. The peer checks revocation, so the issuer's CRL distribution point must be reachable from the replica server.
  • Check that the root of this certificate is present in the "Trusted Root Certification Authorities" store of the replica server, which is the side that validates it.

 

Replica Server Certificate Requirements

To enable a server to receive replication traffic, the certificate on the replica server must meet the following conditions:

  • Enhanced Key Usage must include both Client Authentication (OID 1.3.6.1.5.5.7.3.2) and Server Authentication (OID 1.3.6.1.5.5.7.3.1).
  • Set the Subject field or the Subject Alternative Name using one of the following methods:
    • For a SAN certificate, set the Subject Alternative Name's DNS Name to the replica server name (e.g. replica1.contoso.com). If the replica server is part of a cluster, the Subject Alternative Name of the certificate must contain the replica server name *and* the FQDN of the HVR Broker (install this certificate on all the nodes of the cluster).

    (or)

    • Set the Subject field to the replica server name (e.g. replica1.contoso.com). If the replica server is part of a cluster, ensure that a certificate with the Subject field set to the FQDN of the HVR Broker is installed on all the nodes of the cluster.

    (or)

    • The Subject field can contain a wildcard (e.g. *.department.contoso.com).

  • Ensure that the certificate is a valid X.509v3 certificate and has not been revoked. The peer checks revocation, so the issuer's CRL distribution point must be reachable from the primary server.
  • Check that the root of this certificate is present in the "Trusted Root Certification Authorities" store of the primary server, which is the side that validates it. In practice, install the issuing root on both the primary and the replica server so that each side can validate the other.

Validate using certutil

After the certificate is installed, run the following command from the command prompt on both the primary and the replica server:

certutil -store my

At least one of the certificates in your output should resemble the following sample output, and it must show "Encryption test passed". A certificate whose private key is signature-only (an AT_SIGNATURE key) reports only "Signature test passed" and cannot be used for the TLS key exchange that HVR needs.

============================== Certificate 1 ==============================
Serial Number: 6c028cf0d47c0db8490dbd18191eaeb1
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
NotBefore: 2/7/2012 9:39 PM
NotAfter: 12/31/2039 3:59 PM
Subject: CN=CLIENT1.corp.contoso.com
Non-root Certificate
Cert Hash(sha1): ba 20 b0 1a c1 dd d8 5c c9 4a 73 0f 61 e2 f0 ca a5 8d ed 6d
  Key Container = 6199522e-cbe4-4a69-b27d-edcbdf06911e
  Unique container name: b2c457fabbb5acb7fbac1c3585f8c079_2176a3a0-cd09-417b-87d7-826e858f5461
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
===========================================================================
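The MMC steps above let you inspect the computer's Personal store by hand, and certutil tells you whether the key passes the encryption test, but neither checks the EKU, name and trust requirements from the two lists above. The following PowerShell script is an added example, not code from the original post or from the Hyper-V Replica team: it walks the local computer's Personal store and reports, per certificate, which of those requirements it fails. $ServerFqdn and $BrokerFqdn are assumptions (the defaults resolve the local host name; set the Broker FQDN only on cluster nodes); the SAN parsing assumes the Windows "DNS Name=..." formatting of the extension text, and the key-exchange check is this script's approximation of certutil's "Encryption test".

```powershell
# Added example, not part of the original post. Checks every certificate in the
# local computer's Personal store against the Hyper-V Replica requirements
# listed above. Run in an elevated Windows PowerShell on the primary and on the
# replica server. $ServerFqdn and $BrokerFqdn are assumptions: override them
# with your host's FQDN and, on cluster nodes, the Hyper-V Replica Broker FQDN.
param(
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$BrokerFqdn = ''   # e.g. 'hvrbroker.contoso.com'; leave empty on a standalone host
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Exact match, or a wildcard certificate (*.department.contoso.com) whose
# suffix matches the host's domain. A wildcard covers one label only.
function Test-NameMatch([string]$Pattern, [string]$Name) {
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

# Names the certificate is valid for: the Subject CN plus every SAN DNS Name.
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17). Assumption: Windows formats
    # it as "DNS Name=a.contoso.com, DNS Name=b.contoso.com".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-HvrCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ServerFqdn,
        [string]$BrokerFqdn
    )
    $problems = @()

    # 1. EKU must list both Server Authentication and Client Authentication.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'EKU lacks Server Authentication' }
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += 'EKU lacks Client Authentication' }

    # 2. Subject CN or a SAN DNS Name must cover this host and, on a cluster, the Broker.
    $names = @(Get-CertDnsNames $Cert)
    if (-not ($names | Where-Object { Test-NameMatch $_ $ServerFqdn })) {
        $problems += "no Subject/SAN name matches $ServerFqdn"
    }
    if ($BrokerFqdn -and -not ($names | Where-Object { Test-NameMatch $_ $BrokerFqdn })) {
        $problems += "no Subject/SAN name matches Broker $BrokerFqdn"
    }

    # 3. Validity window.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # 4. Private key present and usable for key exchange. A signature-only (AT_SIGNATURE)
    #    CSP key is what makes certutil report only "Signature test passed".
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in this store'
    } else {
        try {
            $key = $Cert.PrivateKey   # RSACryptoServiceProvider for CSP keys; other key types are not checked here
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
                $key.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
                $problems += 'private key is signature-only (would fail the certutil Encryption test)'
            }
        } catch { $problems += "private key not accessible: $($_.Exception.Message)" }
    }

    # 5. Chain must build to a trusted root and pass an online revocation check,
    #    which is what the peer does when it validates this certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Names      = ($names -join '; ')
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HvrCertificate $_ $ServerFqdn $BrokerFqdn } |
    Format-Table Usable, Subject, Names, Problems -AutoSize
```

The chain and revocation check runs against the trust store of the machine you run it on, so a clean result on the primary only proves that the primary trusts its own root. The requirement that matters is that the peer trusts it: after exporting the public certificate (without the private key) to the other server, run the same check there, or at least confirm the issuing root sits in that server's Trusted Root Certification Authorities store.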

 

For a sample HVR deployment scenario using a makecert-generated certificate, see Appendix C of the UTG, which is available here.

In the next few weeks, we will be posting an end-to-end workflow for enabling replication using certificates.

- Hyper-V Replication Team

Comments
  • Can I use third-party certificates?

  • To Denis - Yes, you can use 3rd party certificates as long as they meet the above prerequisites.

  • Thanks for the reply, dear Hyper-V Replica -)

  • Thank you very much, it was useful for me!!

  • Any idea on when the end-to-end workflow for setting up certificates for HVR will be available? Even an unofficial copy maybe?

  • Warren - I will cover this in the next few weeks. The info in the UTG (http://www.microsoft.com/download/en/details.aspx?id=29016) is an excellent start. Let me know if you have any specific questions.

  • This scenario applies to domain-based environments. In case I want to try this in a workgroup environment, how do I set up certificate-based authentication? I saw in some forums that Kerberos will fail in workgroup environments.

  • To add to the above query, can Replica be done in a workgroup? Or is it only supported in domain-based environments?

  • Hi Vineeth,

    Yes, Kerberos-based mutual authentication will fail on a workgroup-joined machine. For workgroup-joined servers, you should use certificate-based authentication as described in this blog and blogs.technet.com/.../certificate-based-authentication-and-powershell.aspx

    Praveen

  • How do I create a certificate with the above requirements?

  • There are a few blogs which talk about this:

    - Using makecert: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
    - Using enterprise CAs, 3rd party CAs: http://blogs.technet.com/b/virtualization/archive/2012/07/10/requesting-hyper-v-replica-certificates-from-an-enterprise-ca.aspx
    - Using standalone CAs: http://blogs.technet.com/b/virtualization/archive/2012/07/02/requesting-certificates-for-hyper-v-replica-from-cas.aspx

  • I have a workgroup environment over a WAN. I still get one error and replication doesn't work. Error: The specified certificate is self signed. Can you advise me how to make the primary server accept a self-signed certificate from the replica server??? I have been fighting with it for one week. Everything is communicating until the last step of configuring replication. A few seconds after I submit Finish I get this error. I use the DNS suffix as server.domain.com... should I use ... server.domain.local?? THANK you very much for any advice to find a solution.

  • Sorry, I forgot to write: my servers are Hyper-V Core 2012.

  • To Mike: The question of whether server.domain.local (or) server.domain.com should be used depends on the FQDN of the server (which impacts the way the network listener required for Hyper-V Replica comes up). If you are using self-signed certificates generated from makecert, you can use the steps outlined in the following blog: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx Once you try the above steps, if you continue to face an error, please copy-paste the specific error message which you see on the primary or on the replica server. Praveen