Note to self – Hyper-V Replication Certificates

After quite a bit of frustration (lots of 0x00002f8f errors) with attempts to get certificate-based Hyper-V replication to work, the steps below configure self-signed certificates that work for Hyper-V Replica. You will need makecert.exe; search for it, it is available as part of the Windows Software Development Kit, I think.

1-Create CA Cert on Source replication server

2-Create Client Cert on Source replication server

3-Add Cert to Hyper-V Replication settings.

4-Export Client cert as PFX

5-Install PFX on Destination Server

Repeat the steps above if replication is also going to run the other way (it most likely will). Every host must contain the other hosts' client certificates; alternatively, use one wildcard certificate on all hosts.


1-Create CA Cert

makecert.exe -pe -n "CN=MyLocalCA" -ss root -sr LocalMachine -sky signature -r "MyLocalCA.cer"

2-Create Client Cert (two examples, one per host)

makecert.exe -pe -n "CN=RepBkr01.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr01.lab.local.cer

makecert.exe -pe -n "CN=RepBkr02.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr02.lab.local.cer

OR create a single wildcard cert and install it on all servers.

makecert.exe -pe -n "CN=*.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 wildcard.lab.local.cer


3-Hyper-V Manager -> "Hyper-V Settings" -> "Replication Configuration" -> "Select Certificate" -> select the cert just created.

4-Go to Certificate Manager (mmc.exe -> add the Certificates snap-in for the Local Computer) and export the client cert from the Personal store to disk (including the private key and all extended properties), then copy it to the destination server.

5-On the destination server, double-click the cert and install it for the Local Machine.

You should now be able to enable replication using these certificates.

Troubleshooting

Makecert.exe gives "Fail to acquire a security provider from the issuer's certificate". Why?

Because the first command (the one that creates MyLocalCA) has not been run on the host on which you are trying to create a client cert.

Run BOTH the CA and the client cert commands on the source host.

Error 0x00002f8f means that not every host has all of the certs. If using a wildcard, all servers must contain the same wildcard cert.

You may also have to disable the certificate revocation check for the cert if Hyper-V complains; if so, add these values to your registry:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
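An added PowerShell check (my own, not from the original post) that verifies on each host the certificate properties the steps above rely on: a private key in the Local Machine Personal store, a subject matching the host FQDN or a covering wildcard, both EKUs from the makecert commands, the issuing CA in the Trusted Root store, and the peer host's certificate installed locally (the usual cause of 0x00002f8f). $HostFqdn and $PeerCertSubject are assumed example values; run it in an elevated PowerShell on every replication host.

```powershell
# Added verification script (not from the original post). Checks that the
# certificate Hyper-V Replica will use on this host meets the requirements
# described above. $HostFqdn and $PeerCertSubject are assumed example values.
param(
    [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$PeerCertSubject = 'CN=RepBkr02.lab.local'   # cert the other host presents
)
$serverAuth = '1.3.6.1.5.5.7.3.1'   # the two EKUs passed to makecert -eku
$clientAuth = '1.3.6.1.5.5.7.3.2'

# Subject CN must equal the host FQDN, or be a wildcard that covers it (*.lab.local).
# -like is looser than TLS wildcard rules, which is fine for a sanity check.
function Test-SubjectMatch([string]$Subject, [string]$Fqdn) {
    $cn = ($Subject -replace '^CN=', '') -replace ',.*$', ''
    if ($cn -ieq $Fqdn) { return $true }
    if ($cn.StartsWith('*.')) { return ($Fqdn -ilike $cn) }
    return $false
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-SubjectMatch $_.Subject $HostFqdn)
}
if (-not $candidates) {
    Write-Warning "No certificate with a private key matches $HostFqdn in LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $issuerInRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer })
    # Build the chain with revocation checking off, the state the
    # DisableCertRevocationCheck registry value puts Hyper-V into.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        ServerAndClientEku = ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)
        IssuerInRootStore  = $issuerInRoot
        ChainBuilds        = $chain.Build($cert)
    }
}

# 0x00002f8f: the peer's certificate (or the shared wildcard) must also be present here.
$peerPresent = [bool](Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $PeerCertSubject })
"Peer certificate '$PeerCertSubject' present in this machine's stores: $peerPresent"
```

If ChainBuilds is false while IssuerInRootStore is true, inspect $chain.ChainStatus for the reason (typically an expired or wrongly-typed certificate) before resorting to the registry values.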
