Requesting Hyper-V Replica certificates from a CA


The certificate requirements for Hyper-V Replica were discussed in an earlier post; this post details how to request a certificate from a Certification Authority (CA), which Hyper-V Replica can then use for certificate-based authentication.

Step #1: Create an INF file

Copy-paste the text below to a .inf file which specifies the settings for the certificate request. Modify the Subject attribute to the server name (FQDN if applicable).

[Version] 
Signature="$Windows NT$"
[NewRequest] 
Subject = "CN=SERVER.CONTOSO.COM"   
Exportable = TRUE                   ; Private key is exportable 
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384 
KeySpec = 1                         ; AT_KEYEXCHANGE 
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment 
MachineKeySet = True                ; The key belongs to the local computer account 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12 
RequestType = CMC
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ;Server Authentication
OID=1.3.6.1.5.5.7.3.2 ;Client Authentication

Save the above file as HVR.inf.

Step #2: Create a request

Issue the following command from an elevated command prompt to create a certificate request from the .inf file:

certreq -new HVR.inf HVR.req

A request file with the name HVR.req is created in the same directory.

Step #3: Submit the request

There are three possible outcomes here:

  • Submit the certificate request to an internal CA
    • Submit the certificate request using the following command:
      certreq -submit -config "corpca1.fabrikam.com\Corporate Policy CA1" HVR.req HVR.cer
    • The -config switch directs the request (with certreq) to a specific CA. In the above command, this is "corpca1.fabrikam.com\Corporate Policy CA1".
    • Ensure that RPC traffic is allowed between the computer requesting the certificate and the CA.
    • It is assumed that the root CA certificate is already installed in the Trusted Root Certification Authorities store of the local computer.
  • (OR) Submit the certificate request to an external CA
    • Many external CAs take a Certificate Signing Request (CSR) block, which contains information such as your organization name and domain name. To get the CSR block from the .req file, issue the following command:
      certutil -encode HVR.req HVR.csr
    • Open the .csr file in Notepad and send the contents to your external CA through the medium (mail/web page upload) that your CA dictates. A sample .csr file (which I have manually edited) looks as follows:
      -----BEGIN CERTIFICATE-----
      LS0tLS1CRUdJTiBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tDQpNSUlETXpD
      Q0Fwd0NBUUF3TURFdU1Dd0dBMVVFQXd3bGNISjJhV3BoZVhKak1pNW1ZWEpsWVhO
      VElGSUNBVEUgTURFdU1Dd0dBMVVFQXd3bGNISjJhV3BoZVhKak1pNW1ZWEpsWVhO
      URFdU1Dd0dBMVVFQXdRVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tDQpNSUlETW
      MVVFQXdRVcgQ0VSVElGSUNBVEUQ0VSVElGSUNBVEUgURFdU1Dd0dBMVVFQXd3bGN
      RSBSRVFVRVNULS0tLS0NCg==
      -----END CERTIFICATE-----

Step #4: Finishing up…

Once the certificate is issued, run the following command to install it:

certreq -accept HVR.cer

This command imports the certificate into the appropriate store.
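Steps 1 and 2 above, scripted as an added example (not code from the original post): the script writes HVR.inf for the local host's FQDN and runs certreq -new; extra DNS names, such as the Hyper-V Replica Broker CAP name that every cluster node needs, are passed in $SanDnsNames (an assumed parameter name), and $OutDir is an assumed output location.

```powershell
# Added example, not code from the original post: write the request INF for this
# host and run certreq -new (steps 1 and 2 above). Optional extra DNS names, for
# example the Hyper-V Replica Broker CAP name on each cluster node, go into a SAN.
# Assumes an elevated Windows PowerShell prompt; $OutDir is an assumed location.
param(
    [string[]]$SanDnsNames = @(),
    [string]$OutDir = "$env:SystemDrive\HVR"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The subject must be the name the replication partner connects to: this host's FQDN.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }

# Same settings as HVR.inf above; `$ escapes the literal dollars in the signature line.
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
"@
if ($SanDnsNames.Count -gt 0) {
    # Keep the host's own name in the SAN as well, so it matches with or without the CN.
    $san = (@($fqdn) + $SanDnsNames | Select-Object -Unique | ForEach-Object { "dns=$_" }) -join '&'
    $inf += "`r`n[RequestAttributes]`r`nSAN=`"$san`""
}
$inf += "`r`n[EnhancedKeyUsageExtension]`r`nOID=1.3.6.1.5.5.7.3.1`r`nOID=1.3.6.1.5.5.7.3.2`r`n"

$infPath = Join-Path $OutDir 'HVR.inf'
$reqPath = Join-Path $OutDir 'HVR.req'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE); check $infPath" }
Write-Output "Request written to $reqPath for CN=$fqdn"
```

The resulting HVR.req is then submitted exactly as in step 3; run the script on each cluster node so every node requests a key of its own.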

Notes:

  • In a clustered configuration, ensure that the certificate with the Hyper-V Replica Broker’s CAP name is installed on all the nodes of the cluster.
  • Wildcard certificate: If you wish to deploy wildcard certificates, modify the Subject attribute in the INF file to indicate the wildcard (e.g. *.department.contoso.com) and follow the same steps as mentioned earlier.
  • SAN certificate: If you wish to deploy Subject Alternative Name certificates, use the following INF file and follow the same steps as mentioned earlier.
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=dc.contoso.com"
    Exportable = TRUE                   ; Private key is exportable
    KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
    KeySpec = 1                         ; AT_KEYEXCHANGE
    KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
    MachineKeySet = True                ; The key belongs to the local computer account
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC

    [RequestAttributes]
    SAN="dns=server1.dept.contoso.com&dns=server2.dept.contoso.com&dns=hvrbroker.dept.contoso.com"    ;Include the Hyper-V Replica Broker CAP name

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ;Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ;Client Authentication
  • After the certificate is installed, run the following command from the command prompt on both the primary and replica server:
    certutil -store my

At least one of the certificates in your output should resemble the following sample output, with the Encryption test (not just the Signature test) passed.

 
==============================Certificate 1 =====================================================
Serial Number: 6c028cf0d47c0db8490dbd18191eaeb1
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
NotBefore: 2/7/2012 9:39 PM
NotAfter: 12/31/2039 3:59 PM
Subject: CN=CLIENT1.corp.contoso.com
Non-root Certificate
Cert Hash(sha1): ba 20 b0 1a c1 dd d8 5c c9 4a 73 0f 61 e2 f0 ca a5 8d ed 6d
Key Container = 6199522e-cbe4-4a69-b27d-edcbdf06911e
Unique container name: b2c457fabbb5acb7fbac1c3585f8c079_2176a3a0-cd09-417b-87d7-826e858f5461
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
================================================================================================
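The check above, as an added example that is not part of the original post: a PowerShell script that inspects Cert:\LocalMachine\My for certificates meeting the requirements (both EKUs, a name matching this host, a trusted chain, a usable private key) and performs the encrypt/decrypt round trip that certutil reports as the Encryption test. It assumes Windows PowerShell 3.0 or later, where certificates from the Cert: drive expose the DnsNameList property; Test-HvrCertificate is a name chosen here.

```powershell
# Added example, not code from the original post: list certificates in the local
# machine Personal store that meet the Hyper-V Replica requirements above, and prove
# the private key works with an RSA encrypt/decrypt round trip (what certutil reports
# as "Encryption test passed"). Assumes Windows PowerShell 3.0 or later on the
# Hyper-V host, so that Cert: items carry the DnsNameList property.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

function Test-HvrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $problems = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    if ($ekus -notcontains $ServerAuth) { $problems += 'no Server Authentication EKU' }
    if ($ekus -notcontains $ClientAuth) { $problems += 'no Client Authentication EKU' }

    # Subject CN or a DNS SAN must name this host; -like also accepts a wildcard name.
    $names  = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $names | Where-Object { $HostName -like $_ }
    if (-not $nameOk) { $problems += "no name matches $HostName (found: $($names -join ', '))" }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # The chain must end in a root trusted by this machine (revocation is not checked here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) { $problems += "chain: $($chain.ChainStatus.StatusInformation -join '; ')" }

    # Encryption test: encrypt with the public key, decrypt with the private key.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    else {
        try {
            $plain  = [System.Text.Encoding]::ASCII.GetBytes('hvr-keytest')
            $cipher = $Cert.PublicKey.Key.Encrypt($plain, $false)
            $round  = $Cert.PrivateKey.Decrypt($cipher, $false)
            if (($round -join ',') -ne ($plain -join ',')) { $problems += 'decrypted data mismatch' }
        } catch { $problems += "private key unusable: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; Problems = $problems }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HvrCertificate -Cert $_ -HostName $fqdn } |
    Sort-Object { $_.Problems.Count } |
    Format-Table -AutoSize Thumbprint, Subject, @{ n = 'Problems'; e = { $_.Problems -join '; ' } }
```

Run it elevated on both the primary and the replica server; a certificate with an empty Problems column is one Hyper-V Manager can use.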
 
  • Hi Praveen, thanks for all your posts about the hyper-v replica functionality. Impressive stuff..

    I ran into an issue when I request the certificate from the internal CA.

    --------

    Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.  The request contains no certificate template information. 0x80094801 (-2146875391)

    --------

    Did you use a standalone CA (that doesn't use certificate templates) or should I create a certificate template in my w2012 enterprise root CA?

    Thanks,

    Marc van Eijk

  • Hi Marc,

    This post uses a standalone CA, I will cover a post involving an enterprise CA shortly. But in short, you would need to create a template in your enterprise CA (or) use an existing template which allows for these extensions (Server, Client Authentication).

    Praveen

  • Hello Praveen,

    When I try to run this command certreq -new HVR.inf HVR.req I get an error: ( The parameter is incorrect. 0x80070057 (WIN32:87) CMC enharcedkeyusageextension

    I don't know how to solve this and I hope that you can help.

    thanks,

    Nedim

  • Hi Praveen,

    I am getting the same error as Nedim when trying to run the "certreq -new HVR.inf HVR.req" command on the free Hyper-V Server 2012:

    C:\>certreq -new HVR.inf HVR.req

    [NewRequest] RequestType = "CMC[EnhancedKeyUsageExtension]" != "PKCS10"

    [NewRequest] RequestType = "CMC[EnhancedKeyUsageExtension]" != "PKCS7"

    [NewRequest] RequestType = "CMC[EnhancedKeyUsageExtension]" != "CMC"

    [NewRequest] RequestType = "CMC[EnhancedKeyUsageExtension]" != "Cert"

    Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87)

    HVR.inf([NewRequest] RequestType = "CMC[EnhancedKeyUsageExtension]")

    If I change the RequestType to CMC only, I get another error:

    C:\>certreq -new HVR.inf HVR.req

    Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

    HVR.inf([NewRequest] OID = "1.3.6.1.5.5.7.3.1")

    Thank you,

    John

  • It would be nice if MS responded to the previously asked comments and corrected this, but since they don't seem to be inclined as of 24-DEC-2012, I'll offer this as a fix for the problem Nedim and John had:

    Change:

    RequestType = CMC[EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ;Server Authentication

    OID=1.3.6.1.5.5.7.3.2 ;Client Authentication

    So that it looks like this:

    RequestType = CMC

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ;Server Authentication

    OID=1.3.6.1.5.5.7.3.2 ;Client Authentication

    A simple line break.  Annoying.

  • Sorry guys, I missed the question. Lee, thanks for correcting the line break. I have made the change in the article and reposted it.

  • I've tried to use the computer template from the enterprise CA, managed to get the certificate on the HyperV. But when I tried to select the certificate, it cannot find it, although I imported it as a computer certificate.

  • To ED - that's strange. The Hyper-V Manager UI queries & filters for all certificates which are listed under the "Personal" store of the LocalMachine. Can you double-check if the subject name in the certificate is same as your server name?

    Praveen

  • I could not get a SAN to appear unless I had the following in my INF

    [Extensions]

    2.5.29.17 = "{text}"

    _continue_ = "dns=www01.fabrikam.com&"

    OR did the NOT RECOMMENDED step of enabling SANs:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

    If I enabled the ATTRIBUTESUBJECTALTNAME2 flag, then the SAN specified in the INF was propagated through.

  • I have created a wildcard request using the process without any problem. However my CA - GoDaddy in this case - errors as 'invalid csr'.
    On the other hand, if I use the normal IIS process to create a request and submit and obtain a wildcard cert from GoDaddy, it succeeds. The cert with its private key is visible under the Personal store of the Local machine. However HyperV does not see it, as it is a wildcard cert. It complains that it could not find any cert with the "MACHINENAME".
    Has anyone succeeded in actually using a 3rd party wildcard cert to perform HyperV replication in production?