Implementing Self-signed Certificates in Hyper-V Replica

On the Primary Server

  • Copy the makecert.exe utility locally.
  • Run the following elevated command to create a self-signed root authority certificate:

makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"

The command installs a test root certificate in the Trusted Root store of the local machine and also saves it to a file locally.

  • Run the following elevated command to create a new certificate signed by the test root authority certificate:

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer

Where <FQDN> is the Primary Server FQDN.

The command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The two EKU OIDs (1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2) allow the certificate to be used for both Server and Client authentication, which Hyper-V Replica needs because each host authenticates to the other.

On the Replica Server

  • Copy the makecert.exe utility locally.
  • Run the following elevated command to create a self-signed root authority certificate:

makecert -pe -n "CN=RecoveryTestRootCA" -ss root -sr LocalMachine -sky signature -r "RecoveryTestRootCA.cer"

The command installs a test root certificate in the Trusted Root store of the local machine and also saves it to a file locally.

  • Run the following elevated command to create a new certificate signed by the test root authority certificate:

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer

Where <FQDN> is the Replica Server FQDN.

The command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The certificate can be used for both Server and Client authentication.

Finishing Up

  • Copy "RecoveryTestRootCA.cer" from the Replica server to the Primary server and import it into the Trusted Root store by running the following command elevated:

certutil -addstore -f Root "RecoveryTestRootCA.cer"

  • Copy "PrimaryTestRootCA.cer" from the Primary server to the Replica server and import it into the Trusted Root store by running the following command elevated:

certutil -addstore -f Root "PrimaryTestRootCA.cer"

  • By default, Hyper-V Replica performs a mandatory certificate revocation check, and self-signed certificates publish no CRL, so the check can never succeed. Hence, add the following registry value on both the Primary and Replica servers to disable the CRL check:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

The above step (3) applies in general whenever the CRL is inaccessible from the hosts, not only to self-signed certificates.
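Once the steps above have been run on a host, the following PowerShell script (an added example, not part of the original post) checks the result against what Hyper-V Replica expects: a machine certificate for the FQDN with a private key and both EKUs, a chain that builds to the local test root, the peer's root CA in the Trusted Root store, and the DisableCertRevocationCheck value set. The parameter defaults assume the names used in the post; on the Replica server pass -PeerRootName PrimaryTestRootCA.

```powershell
# Added example: verify one host's Hyper-V Replica certificate setup.
# Assumes the post's naming (CN=<FQDN> in LocalMachine\My, peer root in LocalMachine\Root).
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$PeerRootName = 'RecoveryTestRootCA'   # use 'PrimaryTestRootCA' on the Replica host
)

$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'
$problems   = @()

# 1. Machine certificate: subject is the FQDN, private key present, both EKUs set.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $problems += "No certificate with Subject CN=$Fqdn in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key (was -pe used?)' }
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $ekus   = @($ekuExt.EnhancedKeyUsages.Value)
    foreach ($oid in $serverAuth, $clientAuth) {
        if ($ekus -notcontains $oid) { $problems += "EKU $oid missing" }
    }
    # The chain must build to the local test root. Self-signed roots publish no CRL,
    # so revocation is skipped here exactly as the registry override makes Replica do.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += "Chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')"
    }
}

# 2. The peer's test root must be trusted, or the other host's certificate is rejected.
$peerRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$PeerRootName" }
if (-not $peerRoot) { $problems += "Peer root CN=$PeerRootName not found in LocalMachine\Root" }

# 3. The revocation-check override from the post must be present and set to 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$val = (Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($val -ne 1) { $problems += 'DisableCertRevocationCheck is not set to 1' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: $Fqdn is ready for certificate-based Hyper-V Replica authentication"
```

Run it elevated on each host after finishing the steps above; a non-zero exit code with warnings tells you which of the three pieces (certificate, peer root, registry value) is still missing.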


Marcos Nogueira

With more than 18 years of experience in Datacenter Architectures, Marcos Nogueira is currently working as a Principal Cloud Solution Architect. He is an expert in Private and Hybrid Cloud, with a focus on Microsoft Azure, Virtualization and System Center. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Oil & Gas, in different countries and continents. Marcos was a Canadian MVP in System Center Cloud & Datacenter Management and has been Microsoft Certified for 14+ years, with more than 100 certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He assisted Microsoft in the development of workshops and special events on Private & Hybrid Cloud, Azure, System Center, Windows Server and Hyper-V, and has been a speaker at several Microsoft TechEd/Ignite and community events around the world.

One Reply to “Implementing Self-signed Certificates in Hyper-V Replica”

  1. Hi!
    Very helpful!!!
    I have a question… Can I copy the "RecoveryTestRootCA.cer" file and paste it on the Primary server, or am I supposed to do something for that?
    Thanks
