Implementing Self-signed Certificates in Hyper-V Replica

On the Primary Server

  • Copy the makecert.exe utility locally.
  • Run the following elevated command to create a self-signed root authority certificate

makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"

The command installs a test certificate in the Root store of the local machine and also saves it to a file locally.

  • Run the following elevated command to create a new certificate signed by the test root authority certificate

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer

Where <FQDN> is the Primary Server FQDN.

The command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The certificate can be used for both Client and Server authentication (EKUs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2).

On the Replica Server

  • Copy the makecert.exe utility locally.
  • Run the following elevated command to create a self-signed root authority certificate

makecert -pe -n "CN=RecoveryTestRootCA" -ss root -sr LocalMachine -sky signature -r "RecoveryTestRootCA.cer"

The command installs a test certificate in the Root store of the local machine and also saves it to a file locally.

  • Run the following elevated command to create a new certificate signed by the test root authority certificate

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer

Where <FQDN> is the Replica Server FQDN.

The command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The certificate can be used for both Client and Server authentication.

Finishing Up

  • Copy "RecoveryTestRootCA.cer" from the Replica server to the Primary and import it by running the following command elevated

certutil -addstore -f Root "RecoveryTestRootCA.cer"

  • Copy "PrimaryTestRootCA.cer" from the Primary server to the Replica and import it by running the following command elevated

certutil -addstore -f Root "PrimaryTestRootCA.cer"

  • By default, a certificate revocation check is mandatory, and self-signed certificates don't support revocation checks. Hence, set the following registry value on both the Primary and Replica servers to disable the CRL check

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Step 3 above (disabling the revocation check) also applies in general whenever the CRL is inaccessible.
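Once the steps above have been carried out on a host, the following PowerShell script (an added example, not part of the original post) verifies the result on that host: the peer's test root is trusted, the host certificate in the Personal store matches the FQDN, has a private key and both EKUs, chains to a trusted root, and the DisableCertRevocationCheck value is set. The parameter names and the default PeerRootCN are assumptions; on the Replica host pass -PeerRootCN "PrimaryTestRootCA".

```powershell
# Added verification script for the Hyper-V Replica certificate setup described above. Run elevated.
# Assumptions: the host certificate CN is the local FQDN; the peer root CN defaults to the
# Replica's root (as seen from the Primary) and is overridden with -PeerRootCN on the Replica.
param(
    [string]$PeerRootCN = "RecoveryTestRootCA",
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"
$problems = @()

# 1. The peer's test root CA must be trusted in the machine Root store (certutil -addstore step).
$peerRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$PeerRootCN" }
if (-not $peerRoot) { $problems += "Peer root '$PeerRootCN' is not in LocalMachine\Root" }

# 2. The host certificate in the Personal store must match the FQDN, carry a private key,
#    include both Server and Client Authentication EKUs, be unexpired, and chain to a trusted root.
$hostCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $hostCert) {
    $problems += "No certificate with subject CN=$Fqdn in LocalMachine\My"
} else {
    if (-not $hostCert.HasPrivateKey) { $problems += "Host certificate has no private key (makecert -pe)" }
    $ekus = $hostCert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    foreach ($oid in @($ServerAuthOid, $ClientAuthOid)) {
        if ($ekus -notcontains $oid) { $problems += "Host certificate lacks EKU $oid" }
    }
    if ($hostCert.NotAfter -lt (Get-Date)) { $problems += "Host certificate expired on $($hostCert.NotAfter)" }
    # Build the chain with revocation disabled: the self-signed test roots publish no CRL,
    # which is exactly why the registry value in step 3 is required.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($hostCert)) { $problems += "Host certificate does not chain to a trusted root" }
}

# 3. Replica must be configured to skip the revocation check for these test certificates.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
$value = (Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($value -ne 1) { $problems += "DisableCertRevocationCheck is not set to 1 under $regPath" }

if ($problems.Count -eq 0) { "All Hyper-V Replica certificate checks passed for $Fqdn" }
else { $problems | ForEach-Object { "FAIL: $_" } }
```

Any FAIL line points at the step above that was skipped or run on the wrong host; remove the DisableCertRevocationCheck value again once CA-issued certificates with a reachable CRL replace the test ones.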


Written by Marcos Nogueira

Marcos Nogueira

With more than 18 years' experience in Datacenter Architectures, Marcos Nogueira is currently working as a Principal Cloud Solution Architect. He is an expert in Private and Hybrid Cloud, with a focus on Microsoft Azure, Virtualization and System Center. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Oil & Gas, in different countries and continents.

Marcos was a Canadian MVP in System Center Cloud & Datacenter Management, has been Microsoft Certified for more than 14 years, and holds more than 100 certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He assisted Microsoft in the development of workshops and special events on Private & Hybrid Cloud, Azure, System Center, Windows Server and Hyper-V, and has been a speaker at several Microsoft TechEd/Ignite and community events around the world.

One Reply to “Implementing Self-signed Certificates in Hyper-V Replica”

  1. Hi!
    Very helpful!!!
    I have a question… Can I copy the "RecoveryTestRootCA.cer" file and paste it on the Primary server, or am I supposed to do something for that?
    Thanks
