Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
We have had a number of queries on how to enable replication using certificates created with makecert. Although the Understanding and Troubleshooting guide for Hyper-V Replica covers this, I am posting a separate article on it. The steps below apply to a simple lab deployment of two standalone servers, PrimaryServer.domain.com and ReplicaServer.domain.com, and extend easily to clustered deployments using the Hyper-V Replica Broker.
Makecert is a certificate creation tool that generates certificates for testing purposes; it ships with the Windows SDK. Because the certificates it issues have no CRL distribution point and are trusted only on the machines where you install the test root, they are suitable for a lab and not for production, where you should use certificates from an enterprise or public CA. Information on makecert is available here - http://msdn.microsoft.com/en-us/library/bfsktky3.aspx.
1. Copy the makecert.exe tool to your primary server
2. Run the following command from an elevated command prompt on the primary server. It creates a self-signed test root CA certificate, installs it in the Trusted Root Certification Authorities store of the local computer, and saves a copy to the file MyTestRootCA.cer.
makecert -pe -n "CN=MyTestRootCA" -ss root -sr LocalMachine -sky signature -r "MyTestRootCA.cer"
3. Run the following command from an elevated command prompt once per server (for PrimaryServer.domain.com and for ReplicaServer.domain.com), replacing <FQDN> with that server's fully qualified name and <MachineName>.cer with the output file name. Each run creates a certificate signed by the test root CA:
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer
The command installs the certificate, with an exportable private key, in the Personal store of the local computer and saves a copy to the named file. The two Enhanced Key Usage OIDs are Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2); both are needed because Hyper-V Replica mutually authenticates the primary and replica servers, so each certificate acts as a server certificate on one side of the connection and a client certificate on the other.
4. The certificates can be viewed by opening mmc, then File -> Add/Remove Snap-in... -> Certificates -> Add -> "Computer account" -> Next -> Finish -> OK.
You will find the server certificates (with the machine names) under Personal -> Certificates and the root certificate (MyTestRootCA) under Trusted Root Certification Authorities -> Certificates.
5. Export the replica server's certificate together with its private key: right-click it under Personal -> Certificates, choose All Tasks -> Export, select "Yes, export the private key", keep the PFX format, and set a password for the file.
6. Copy MyTestRootCA.cer and the PFX exported in step 5 (named RecoveryServer.pfx in this walkthrough) to the replica server.
7. Run the following command from an elevated prompt on ReplicaServer.domain.com to add the test root CA to the machine's Trusted Root Certification Authorities store:
certutil -addstore -f Root "MyTestRootCA.cer"
8. Open the Certificates mmc (Computer account) on ReplicaServer.domain.com and import RecoveryServer.pfx into the Personal store of the server, providing the PFX file and its password when prompted.
9. By default, Hyper-V Replica requires a successful certificate revocation check, and certificates issued by a makecert test root cannot pass one because they carry no CRL distribution point. For the lab, work around this by setting the following registry value on both the primary and the replica server. Leave this value at its default in production and use a CA that publishes a CRL instead, since disabling the check means a compromised certificate can never be rejected:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
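The following script is an added example, not code from the original post: it runs steps 2 through 9 above in PowerShell for the two-host lab and adds a chain check that makes the step 9 failure visible, then wires up replication with the resulting certificates. Everything it assumes is a lab placeholder: makecert.exe on the PATH, the PKI and Hyper-V PowerShell modules of Windows Server 2012 or later, the host names from the post, the working directory C:\HVRCerts, the replica storage path D:\HVR, the VM name TestVM and the PFX password. Run it with -Stage PrimaryCerts on the primary, copy C:\HVRCerts to the replica, run -Stage ReplicaSetup there, then -Stage PrimaryEnable on the primary.

```powershell
<#
  Added example (not from the original post). Assumed: makecert.exe on PATH, PKI
  and Hyper-V modules present, and all names, paths and the password below are
  lab placeholders. Stages: PrimaryCerts -> ReplicaSetup -> PrimaryEnable.
#>
param([Parameter(Mandatory)][ValidateSet('PrimaryCerts','ReplicaSetup','PrimaryEnable')][string]$Stage)
$ErrorActionPreference = 'Stop'

$RootName = 'MyTestRootCA'
$Primary  = 'PrimaryServer.domain.com'
$Replica  = 'ReplicaServer.domain.com'
$WorkDir  = 'C:\HVRCerts'                                                   # assumed
$PfxPass  = ConvertTo-SecureString 'LabOnly-ChangeMe' -AsPlainText -Force   # assumed
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

# Builds the chain the way SChannel validates it during mutual authentication,
# with or without revocation checking, and requires both EKUs the replication
# endpoint needs. A makecert certificate has no CRL distribution point, so the
# online check cannot complete; that is the failure step 9 works around.
function Test-ReplicaCertChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [switch]$CheckRevocation)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $mode  = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationMode = $mode
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {   # serverAuth, clientAuth
        $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $oid)) | Out-Null
    }
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; ChainOk = $built
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

function Get-LabCert([string]$Subject) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Subject" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

# Step 9 on both hosts. Keep the default (0) in production with a CRL-publishing CA.
function Disable-ReplicaRevocationCheck {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath | Out-Null }
    New-ItemProperty -Path $RegPath -Name DisableCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

switch ($Stage) {
  'PrimaryCerts' {
    # Step 2: self-signed test root into LocalMachine\Root, copy saved to disk.
    & makecert -pe -n "CN=$RootName" -ss root -sr LocalMachine -sky signature -r "$WorkDir\$RootName.cer"
    # Step 3: one exchange-key certificate per server, issued by the test root.
    # The EKU list is quoted so PowerShell passes it as one argument, not two.
    foreach ($fqdn in $Primary, $Replica) {
        & makecert -pe -n "CN=$fqdn" -ss my -sr LocalMachine -sky exchange `
            -eku "1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2" -in $RootName -is root -ir LocalMachine `
            -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "$WorkDir\$fqdn.cer"
    }
    # Step 5: export the replica's certificate with its private key, then remove
    # that key from the primary, which has no use for it.
    $replicaCert = Get-LabCert $Replica
    Export-PfxCertificate -Cert $replicaCert -FilePath "$WorkDir\$Replica.pfx" -Password $PfxPass | Out-Null
    Remove-Item -Path "Cert:\LocalMachine\My\$($replicaCert.Thumbprint)" -DeleteKey
    Disable-ReplicaRevocationCheck
    $primaryCert = Get-LabCert $Primary
    Test-ReplicaCertChain -Cert $primaryCert -CheckRevocation   # expected to fail: no CRL to fetch
    Test-ReplicaCertChain -Cert $primaryCert                    # chain itself is valid
  }
  'ReplicaSetup' {
    # Steps 7 and 8: trust the test root, import the PFX with its key, then listen
    # on 443 for certificate-authenticated replication from the named primary only.
    Import-Certificate -FilePath "$WorkDir\$RootName.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Import-PfxCertificate -FilePath "$WorkDir\$Replica.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass | Out-Null
    Disable-ReplicaRevocationCheck
    $replicaCert = Get-LabCert $Replica
    Test-ReplicaCertChain -Cert $replicaCert
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
        -CertificateAuthenticationPort 443 -CertificateThumbprint $replicaCert.Thumbprint
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $Primary `
        -ReplicaStorageLocation 'D:\HVR' -TrustGroup 'Lab'               # assumed
  }
  'PrimaryEnable' {
    # Enable replication for one VM using the primary's own certificate (assumed VM name).
    $primaryCert = Get-LabCert $Primary
    Enable-VMReplication -VMName 'TestVM' -ReplicaServerName $Replica -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $primaryCert.Thumbprint
  }
}
```

The two Test-ReplicaCertChain calls in the PrimaryCerts stage are the point of the exercise: the same certificate builds a valid chain to MyTestRootCA, yet fails as soon as revocation status is required, which is exactly what Hyper-V Replica's default policy demands and why step 9 exists for makecert certificates. The ReplicaSetup stage authorizes only the named primary through New-VMReplicationAuthorizationEntry rather than setting -ReplicationAllowedFromAnyServer, so that trusting the test root on the replica does not by itself admit every host that can present a certificate chained to it.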
To Dave's question - you can either use wildcard certificates or SAN (Subject Alt Name) certs. Both are supported by Hyper-V Replica.
How do we generate wildcard certificate using makecert.
Can you please give a little walkthrough here?
Thank you very much.
In Step 3, give "CN=*.yourdomain.com" instead of FQDN.
Why domain? There are other things you can also specify in place of domain names. For example, netbios names, etc. I gave the NetBIOS names. Isn't it? Next is to import the same pfx to other primary servers.
Hi Dave, my previous response was specific to your query on wildcard certificates - *.yourdomain.com is one such way to achieve it. Depending on your machine names in your deployment, there could be other ways as well. If you give the NetBIOS name of one of the servers in step 3, I am not sure if it falls under the 'wildcard' bracket. Depends on how you have setup your environment. But yes, you are right, the wildcard cert pfx needs to be available in all the other primary servers.
Are these standalone servers on your primary site or are they clustered? As we mutually authenticate the connection as part of setting up the connection, a few things need to fall into place to make the end-to-end scenario work. Do go through this link if you haven't done so already: http://technet.microsoft.com/en-us/library/jj134153.aspx.