Implementing Self-signed Certificates in Hyper-V Replica

On the Primary Server

Copy the makecert.exe utility locally.
Run the following elevated command to Create a self-signed root authority certificate
```
makecert _**_-pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"
```
The command installs a test certificate in the root store of the local machine and is saved as a file locally

Run the following elevated command to create a new certificate signed by the test root authority certificate

makecert _**_-pe -n "CN=<_**_FQDN_**_>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer

Where **__** is the Primary Server FQDN

The command installs a test certificate in the Personal store of the local machine and is saved as a file locally. The certificate can be used for both Client and Server authentication

On the Replica Server

Copy the makecert.exe locally
Run the following elevated command to Create a self-signed root authority certificate
```
makecert_**_ -pe -n "CN=RecoveryTestRootCA" -ss root -sr LocalMachine -sky signature -r "RecoveryTestRootCA.cer"
```
The command installs a test certificate in the root store of the local machine and is saved as a file locally.

Run the following elevated command to create a new certificate signed by the test root authority certificate

makecert_**_ -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer

Where is the Replica Server FQDN

The command installs a test certificate in the Personal store of the local machine and is saved as a file locally. The certificate can be used for both Client and Server authentication.

Finishing Up

Copy “RecoveryTestRootCA.cer” from the Replica server to the Primary and import by running the following command elevated
```
certutil -addstore -f Root "RecoveryTestRootCA.cer"
```
Copy “PrimaryTestRootCA.cer” from the Primary server to the Replica and import by running the following command elevated
```
certutil -addstore -f Root "PrimaryTestRootCA.cer"
```
By default, a certificate revocation check is mandatory and Self-Signed Certificates don’t support Revocation checks. Hence, both modify the following registry key on both the Primary and Replica servers to disable the CRL check
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
```
The above step (3) is applicable if the CRL is inaccessible in general.

Cheers,

Marcos Nogueira azurecentric.com Twitter: @mdnoga

About Marcos Nogueira

With more than 25 years of experience in Infrastructure & Application Architecture, Marcos Nogueira is currently a Principal Cloud Solution Architect. He is an expert in Public and Hybrid Cloud, focusing on Security, Cloud Migration, Cloud Innovation and Cloud Automation. His experience includes Microsoft technologies such as Azure IaaS & PaaS, AKS, Defender & Sentinel and Cloud Adoption Framework; Marcos is always looking to improve ways to automate. Marcos is an MVP in Azure, and he has +20 years of Microsoft Certified, with over 175+ certifications. He also enjoys motor racing, photography and travelling in his free time.

Implementing Self-signed Certificates in Hyper-V Replica

On the Primary Server

On the Replica Server

Finishing Up

About Marcos Nogueira

Comments

Read Next

“Share nothing” Live Migration with Hyper-V 2012

Enabling the Firewall rules in the Hyper-V Replica Server

On the Primary Server

**On the Replica Server**

Finishing Up

About Marcos Nogueira

Comments

Subscribe to Azure Centric newsletter

Read Next

On the Replica Server