Hyper-V Replica Certificate Based Authentication - makecert

We have had a number of queries on how to enable replication using certificates created from makecert. Though the Understanding and Troubleshooting guide for Hyper-V Replica discusses this aspect, I am posting a separate article on this. The below steps are applicable for a simple lab deployment consisting of two standalone servers – PrimaryServer.domain.com and ReplicaServer.domain.com. This can be easily extended to clustered deployments with the Hyper-V Replica Broker.

Makecert is a certificate creation tool that generates certificates for testing purposes. Information on makecert is available here - http://msdn.microsoft.com/en-us/library/bfsktky3.aspx.

1. Copy the makecert.exe tool to your primary server.

2. Run the following command from an elevated command prompt on the primary server. It creates a self-signed root authority certificate, installs it in the Trusted Root Certification Authorities store of the local machine, and also saves it locally as the file MyTestRootCA.cer:

makecert -pe -n "CN=MyTestRootCA" -ss root -sr LocalMachine -sky signature -r "MyTestRootCA.cer" 

3. Run the following command once for each server, from an elevated command prompt, to create a certificate signed by the test root authority certificate:

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer 

Each time:

  • Replace <FQDN> with the FQDN of the primary server, of the replica server(s) and, in a clustered deployment, of the Hyper-V Replica Broker.
  • Replace <MachineName>.cer with any output file name.

The command installs a test certificate in the Personal store of the local machine and also saves it locally as a file. The two -eku values are the Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) enhanced key usages, so the certificate can be used for both client and server authentication; Hyper-V Replica needs both because each server acts as a client when it connects and as a server when it listens.

4. The certificates can be viewed by mmc -> File -> Add/Remove Snap-in... -> Certificates -> Add -> "Computer Account" -> Next -> Finish -> Ok

You will find the Personal certificate (with the machine name as subject) under Personal -> Certificates and the root certificate (MyTestRootCA) under Trusted Root Certification Authorities -> Certificates.

5. Export the replica server certificate with its private key: in the Personal store, right-click the certificate, choose All Tasks -> Export, select the option to export the private key and protect the resulting .pfx file with a password.

6. Copy MyTestRootCA.cer and the above exported certificate (RecoveryServer.pfx) to the Replica server.

7. Run the following command from an elevated prompt on ReplicaServer.domain.com; it imports the test root certificate into the server's Trusted Root Certification Authorities store so that the certificates issued by MyTestRootCA are trusted there:

certutil -addstore -f Root "MyTestRootCA.cer" 

8. Open the certificate mmc on ReplicaServer.domain.com and import the certificate (RecoveryServer.pfx) into the Personal store of the computer account. Provide the .pfx file and its password as input.

9. In a clustered deployment, two certificates are required on each server:

  • Certificate with the subject name set to the server’s FQDN
  • Certificate with the subject name set to the Hyper-V Replica Broker's FQDN. This is required because the Hyper-V Replica Broker is highly available and can migrate from one node to another.

10. By default, Hyper-V Replica performs a certificate revocation check, and certificates issued by a makecert test root carry no revocation information, so the check cannot succeed. To work around this, set the following registry value on both the primary and the replica servers. This switches revocation checking off for Hyper-V Replica on that host, so keep it to lab deployments with test certificates; with certificates from a real CA, leave the default in place.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
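The following PowerShell script is added here as a pre-flight check and is not part of the original post: run it in an elevated session on each host to confirm the outcome of steps 3, 7, 8 and 10. The subject names, the root name and the registry path are assumptions to adjust for your environment; on a cluster node add the broker FQDN to the list, as step 9 requires.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session
# on the host being checked; the names below are placeholders for your own servers.
$ExpectedSubjects = @('PrimaryServer.domain.com')   # cluster nodes: add the broker FQDN
$RootName         = 'CN=MyTestRootCA'
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'
$RegPath          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

$problems = @()

# Step 7: the test root must sit in Trusted Root Certification Authorities.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootName }
if (-not $root) { $problems += "Test root '$RootName' is not in LocalMachine\Root (certutil -addstore -f Root)." }

foreach ($fqdn in $ExpectedSubjects) {
    # Steps 3 and 8: a Personal-store certificate whose subject is exactly CN=<FQDN>.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" } | Select-Object -First 1
    if (-not $cert) { $problems += "No certificate with subject CN=$fqdn in LocalMachine\My."; continue }

    # Hyper-V needs the private key; importing the .pfx (not the .cer) provides it.
    if (-not $cert.HasPrivateKey) { $problems += "CN=$fqdn has no private key (import the .pfx with the key)." }

    # Both enhanced key usages passed to -eku must be present on the certificate.
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
        if ($ekus -notcontains $oid) { $problems += "CN=$fqdn is missing EKU $oid." }
    }

    # The makecert chain has no revocation data, so build it with revocation checking off.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "CN=$fqdn does not chain to a trusted root: $status"
    }
}

# Step 10: the lab-only workaround for certificates without revocation information.
$flag = (Get-ItemProperty -Path $RegPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($flag -ne 1) { $problems += "DisableCertRevocationCheck is not set to 1 under $RegPath." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Certificate prerequisites for Hyper-V Replica look correct on this host.' }
```

A subject that does not match the name entered when enabling replication, or the broker's name in a cluster, shows up here as a missing CN= entry before Hyper-V reports the CN mismatch error.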

Comments
  • When I enter this command, manual, with the changed settings, I get an error that there are too many parameters:

    makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer

    The ONLY thing that works is if I delete everything after -sy 12. But even then, the second eku isn't embedded into the ticket.

    Thoughts?

  • Never mind -- figured it out. Turns out that you can't use PowerShell for this.

  • Hi,

       I truly like reading your post. Thank you so much for taking the time to share such nice information. I'll definitely add this great post to my article section.

    Certificate Authentication (www.certificate-attestation.in/certificate-authentication.html)

  • Hi,

    Thanks for this great post, keep it up! However, I'm stuck at step 7.. My servers are returning the following error:

    root "Trusted Root Certification Authorities"

    DecodeFile returned

    The System cannot find the file specified.

    0x80070002 <win32: 2>

    CertUtil: -addstore command FAILED 0x8007002 <WIN32: 2>

    CertUtil: The system cannot find the file specified.

    I hope you have a solution for this!

  • Majestik - can you please ensure that certutil is being run from the same folder in which the cer file is present. According to the error, it looks like the cer file is not found

    Praveen

  • Hi, I am going from a standalone server to a cluster - via a broker - and source and target servers are in different domains / forests. I believe I have generated the certificates correctly and have all firewall rules and routing configured correctly but I keep getting this error:

    'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). Please look at the event log on destination node for more details.

    Any suggestions?

  • So I can now replicate from the cluster to the standalone server but still not the other way (needed to add a hosts file entry for the standalone server on all cluster nodes). This proves my certificates are fine but something is wrong at the cluster / broker side. I also tried replicating using port 4000 and get the same error:

    'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). Please look at the event log on destination node for more details.

    Appreciate any suggestions.

  • Oh and the error on the client side - standalone server - is:

    Hyper-V failed to establish a connection with the Replica server 'REPBKR01.domain.local' on port '4000'. Error: The connection with the server was terminated abnormally (0x00002EFE).

  • Hi Lee,

    1) For the first question "'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). "

    You will need a certificate generated for each server of your cluster and for the broker. Install the broker certificate in all the nodes of the cluster. As the error suggests, the certificate's subject name (Repbkr01) and the name provided for the broker do not match. When you created the broker, what is the name which was provided (Repbkr01 or Repbkr01.local or Repbkr01.local.domain?) - ensure that this name and the name provided as part of running Step 3 in this blog post match.

    2) For the second question "Hyper-V failed to establish a connection with the Replica server 'REPBKR01.domain.local' on port '4000'. Error: The connection with the server was terminated abnormally (0x00002EFE)."

    This is either an address resolution problem or a network connectivity problem. We would need to get past the network listener issue in question (1) above before resolving this.

    Praveen

  • I used these instructions provided to me by a Microsoft technician to set up certificate-based authentication between two 2012 servers running the Hyper-V role. Both 2012 servers were only part of a workgroup. I spent days on this issue before I opened the case. I could never get the commands to run on my own; I continued to get "file not found" errors. I hope this is helpful and saves time for all!

    As discussed I am sharing the steps we performed to configure the Hyper-V replication over SSL.

    • Run the below mentioned command from an elevated command prompt on Vmhost1 to create a self-signed Primary root authority certificate:

    makecert -pe -n "CN=PrimaryRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryRootCA.cer"

    • Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:

    makecert -pe -n "CN=VMHost1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 primaryCert.cer

    • Run the below mentioned command from an elevated command prompt on Vmhost2 to create a self-signed Replica root authority certificate:

    makecert -pe -n "CN=ReplicaRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaRootCA.cer"

    • Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:

    makecert -pe -n "CN=VMHost2" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 replicaCert.cer

    • Create the below mentioned keys on both the Hyper-V hosts:

      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication
      REG_DWORD = DisableCertRevocationCheck with value 1

      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication
      REG_DWORD = DisableCertRevocationCheck with value 1

    • Copy “PrimaryRootCA.cer” created in step1 to the VMhost2 & copy “ReplicaRootCA.cer” created in step 3 to VMHost1

    • Run the below mentioned command on Vmhost1

    Certutil -addstore -f root "replicarootca.cer"

    • Run the below mentioned command on Vmhost2

    certutil -addstore -f root "primaryrootca.cer"

    • After that configure the Hyper-V replication selecting the appropriate certificate.

  • Thx AlexS_Tech

    I followed your comment and everything works fine from the first time.

    Great post.

    Koen

  • Hi Praveen,

    1. I'm getting a very strange behaviour. I follow your steps but on step 5, I can't export the certificates WITH their private key; that option appears greyed out (disabled). However, if I double-click the certificate to see its details, it says "You have a private key that corresponds to this certificate." What could be wrong, and how can I solve this issue?

    2. Just to get my concepts right: when enabling replication of a VM from PrimaryServer to ReplicaServer, which certificate should we be using? The one from PrimaryServer.cer or the one from ReplicaServer.cer?

    Thank you!

  • A useful tip to solve my problem number 1 above, but also for everybody to save time, is to open the Certificate Stores of both hosts in the SAME mmc console, and use drag and drop (holding down CTRL to copy, not move) to take all the certificates to their final places.

    Just use the mouse to copy the Root certificates to the other server, and to copy the other Personal certificates WITH their private keys (you can see a little key on its icon) from one host to the other.

    Much easier this way, and avoids that pitfall about not being able to export with private key.

  • makecert is not included in the 8.1 SDK or WDK so use the 8.0 SDK: http://msdn.microsoft.com/en-US/windows/desktop/ff851942.

  • Hi, great article! One question: how do you enable one certificate to be used by multiple primary servers? For example, there are three primary servers with one Replica Server. Do I need three SSL certificates? Appreciate your help! /Dave