Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
We have had a number of queries on how to enable replication using certificates created with makecert. Though the Understanding and Troubleshooting guide for Hyper-V Replica discusses this aspect, I am posting a separate article on it. The steps below apply to a simple lab deployment consisting of two standalone servers – PrimaryServer.domain.com and ReplicaServer.domain.com. They can easily be extended to clustered deployments with the Hyper-V Replica Broker.
Makecert is a certificate creation tool which generates certificates for testing purposes. Information on makecert is available here - http://msdn.microsoft.com/en-us/library/bfsktky3.aspx.
1. Copy the makecert.exe tool to your primary server
2. Run the following command from an elevated command prompt on the primary server. It creates a self-signed root authority certificate, installs that test certificate in the Root store of the local machine, and also saves it to a file locally
makecert -pe -n "CN=MyTestRootCA" -ss root -sr LocalMachine -sky signature -r "MyTestRootCA.cer"
3. Run the following command from an elevated command prompt, once for each server (substituting that server's FQDN and machine name), to create new certificates signed by the test root authority certificate
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer
Each time, the command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The certificate can be used for both Client and Server authentication
4. The certificates can be viewed by mmc->File->Add/Remove Snap-in…->Certificates->Add->”Computer Account”->Next->Finish->OK
You will find the Personal certificate (with the machine names) and the Root certificate (MyTestRootCA) in the highlighted folders:
5. Export the replica server certificate with the private key.
6. Copy MyTestRootCA.cer and the above exported certificate (RecoveryServer.pfx) to the Replica server.
7. Run the following command from an elevated prompt on ReplicaServer.domain.com
certutil -addstore -f Root "MyTestRootCA.cer"
8. Open the certificate mmc in ReplicaServer.domain.com and import the certificate (RecoveryServer.pfx) in the Personal store of the server. Provide the pfx file and password as input:
9. By default, a certificate revocation check is mandatory, and self-signed certificates don’t support revocation checks. To work around this, set the following registry value on both the Primary and Replica servers
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
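The steps above leave several things that must all line up before replication will start: the certificate's subject CN must equal the server's FQDN, it must carry both EKUs, its private key must have survived the .pfx export/import, it must chain to the imported test root, and the registry workaround must be in place. The following PowerShell script, added here as an example and not part of the original post, checks each of those on the local server; it assumes the test root is named CN=MyTestRootCA as in step 2 and that the certificates live in the LocalMachine stores used in steps 3, 7 and 8.

```powershell
# Added example (not from the original post): sanity-check the Hyper-V Replica
# certificate on the local server before enabling replication. Assumes the test
# root CN=MyTestRootCA (step 2) and the machine certificate (step 3) were
# created with makecert and imported into LocalMachine\Root and LocalMachine\My.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ReplRegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

function Test-ReplicaCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)
    $out = @()
    # Replica selects the certificate by subject name, so CN must equal the FQDN
    # (for a clustered deployment, the name the Hyper-V Replica Broker listens on).
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" })
    if ($certs.Count -eq 0) {
        $out += "FAIL no certificate with subject CN=$Fqdn in LocalMachine\My"
        $out += '     (this is what surfaces as 0x800B010F, "CN name does not match")'
        return $out
    }
    foreach ($cert in $certs) {
        $t = $cert.Thumbprint
        # The .pfx export in step 5 must have included the private key.
        if ($cert.HasPrivateKey) { $out += "OK   $t has a private key" }
        else                     { $out += "FAIL $t has no private key (re-export the .pfx with the key)" }
        # Both OIDs passed to makecert -eku must be present in the EKU extension.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
            if ($ekus -contains $oid) { $out += "OK   $t has EKU $oid" }
            else                      { $out += "FAIL $t lacks EKU $oid" }
        }
        # The chain must reach a trusted root. Revocation is skipped here because the
        # makecert root publishes no CRL, which is exactly why step 9 disables the check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($chain.Build($cert)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            $out += "OK   $t chains to $root"
        } else {
            $out += "FAIL $t chain: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
        }
    }
    # The step 9 registry workaround must be present on primary and replica alike.
    $v = (Get-ItemProperty -Path $ReplRegPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
    if ($v -eq 1) { $out += 'OK   DisableCertRevocationCheck = 1' }
    else          { $out += 'FAIL DisableCertRevocationCheck is not 1 (see step 9)' }
    return $out
}

# Check the local machine's own FQDN; pass -Fqdn explicitly to check a broker name instead.
Test-ReplicaCertificate -Fqdn ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
```

Run it from an elevated PowerShell prompt on both the primary and the replica server; every line should read OK before you enable replication.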
When I enter this command manually, with the changed settings, I get an error that there are too many parameters:
The ONLY thing that works is if I delete everything after -sy 12. But even then, the second eku isn't embedded into the ticket.
Thoughts?
Never mind -- figured it out. Turns out that you can't use PowerShell for this.
Hi,
I truly like reading your post. Thank you so much for taking the time to share such nice information. I'll definitely add this great post in my article section.
Thanks for this great post, keep it up! However, I'm stuck at step 7. My servers are returning the following error:
root "Trusted Root Certifivation Authorities"
DecodeFile returned
The System cannot find the file specified.
0x80070002 <win32: 2>
CertUtil: -addstore command FAILED 0x8007002 <WIN32: 2>
CertUtil: The system cannot find the file specified.
I hope you have a solution for this!
Majestik - can you please ensure that certutil is being run from the same folder in which the cer file is present? According to the error, it looks like the cer file is not found.
Praveen
Hi, I am going from a standalone server to a cluster - via a broker - and source and target servers are in different domains / forests. I believe I have generated the certificates correctly and have all firewall rules and routing configured correctly but I keep getting this error:
'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). Please look at the event log on destination node for more details.
Any suggestions?
So I can now replicate from the cluster to the standalone server but still not the other way (needed to add a hosts file entry for the standalone server on all cluster nodes). This proves my certificates are fine but something is wrong at the cluster / broker side. I also tried replicating using port 4000 and get the same error:
Appreciate any suggestions.
Oh and the error on the client side - standalone server - is:
Hyper-V failed to establish a connection with the Replica server 'REPBKR01.domain.local' on port '4000'. Error: The connection with the server was terminated abnormally (0x00002EFE).