After quite a bit of frustration (lots of 0x00002f8f errors) with attempts to get certificate-based Hyper-V replication to work, the steps below configure self-signed certificates for Hyper-V Replica. You will need makecert.exe; search for it, it is obtainable as part of the Windows Software Development Kit I think.
1-Create the CA cert on the source replication server
2-Create the client cert on the source replication server
3-Add the cert to the Hyper-V replication settings
4-Export the client cert as a PFX
5-Install the PFX on the destination server
Repeat the steps above if replication is also going to go the other way (it most likely will).
1-Create CA Cert
makecert.exe -pe -n "CN=MyLocalCA" -ss root -sr LocalMachine -sky signature -r "MyLocalCA.cer"
2-Create Client Cert (2 examples)
makecert.exe -pe -n "CN=RepBkr01.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr01.lab.local.cer
makecert.exe -pe -n "CN=RepBkr02.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr02.lab.local.cer
3-Hyper-V Manager -> "Hyper-V Settings" -> "Replication Configuration" -> "Select Certificate" -> select the cert just created.
4-Open Certificate Manager (mmc.exe -> add the Certificates snap-in for the local computer) and export the client cert from the Personal store to disk (including the private key and all extended properties), then copy it to the destination server.
5-On the destination server, double-click the PFX and install it for the local machine.
You should now be able to enable replication using these certificates.
Makecert.exe gives "Fail to acquire a security provider from the issuer's certificate" – why?
Because the first command above (the one that creates MyLocalCA) has not been run on the host on which you are trying to create the client cert.
RUN BOTH the CA and client cert commands on the source host.
You may also have to disable the certificate revocation check for the cert if Hyper-V complains; if so, add these values to your registry:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
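As an added check (this is not part of the original post and not Microsoft's tooling), the PowerShell below verifies that the certificate sitting in the Local Machine Personal store satisfies what the makecert commands above set up (subject matches the host FQDN, private key present, both Server Authentication and Client Authentication EKUs, issued by MyLocalCA, and that CA present in the Trusted Root store), and reports the current state of the two DisableCertRevocationCheck registry values. It assumes the host FQDN RepBkr01.lab.local and the CA subject CN=MyLocalCA from the examples; change both to match your own hosts. Run it on the source host after step 2 and again on the destination host after step 5.

```powershell
# Added example, not from the original post. Checks a Hyper-V Replica certificate against
# the requirements implied by the makecert commands above, then reports the revocation-check
# registry values. Assumed (hypothetical) values: RepBkr01.lab.local and CN=MyLocalCA.

$HostFqdn  = "RepBkr01.lab.local"
$CaSubject = "CN=MyLocalCA"
$ServerAuthEku = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # Client Authentication

function Test-ReplicaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Subject must be exactly CN=<host FQDN>; Hyper-V matches it against the replica server name.
    if ($Cert.Subject -ne "CN=$HostFqdn") {
        $problems += "Subject '$($Cert.Subject)' is not CN=$HostFqdn"
    }

    # The private key must have travelled with the cert (PFX exported with the key included).
    if (-not $Cert.HasPrivateKey) {
        $problems += "No private key associated with this certificate"
    }

    # Both EKUs from the -eku argument must be present (extension OID 2.5.29.37).
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($need in @($ServerAuthEku, $ClientAuthEku)) {
        if ($ekus -notcontains $need) { $problems += "Missing EKU $need" }
    }

    # Issuer must be the CA created by the first makecert command...
    if ($Cert.Issuer -ne $CaSubject) {
        $problems += "Issuer '$($Cert.Issuer)' is not $CaSubject"
    }

    # ...and that CA must be in the Local Machine Trusted Root store (-ss root -sr LocalMachine).
    $rootPresent = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
    if (-not $rootPresent) {
        $problems += "CA $CaSubject not found in Cert:\LocalMachine\Root"
    }

    # Still inside its validity window.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "Certificate is outside its validity period ($($Cert.NotBefore) - $($Cert.NotAfter))"
    }

    return $problems
}

function Get-ReplicaRevocationCheckState {
    # The two locations written by the reg add commands above.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication",
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
    )
    foreach ($p in $paths) {
        $value = (Get-ItemProperty -Path $p -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
        [pscustomobject]@{
            Path                      = $p
            DisableCertRevocationCheck = if ($null -eq $value) { "(not set)" } else { $value }
        }
    }
}

# Look only at certificates whose subject is this host; there is usually exactly one.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$HostFqdn" }
if (-not $candidates) {
    Write-Warning "No certificate with subject CN=$HostFqdn in Cert:\LocalMachine\My"
}
foreach ($c in $candidates) {
    $issues = Test-ReplicaCertificate -Cert $c
    if ($issues.Count -eq 0) {
        Write-Output "OK   $($c.Thumbprint) $($c.Subject)"
    } else {
        Write-Output "FAIL $($c.Thumbprint) $($c.Subject)"
        $issues | ForEach-Object { Write-Output "     - $_" }
    }
}

Get-ReplicaRevocationCheckState | Format-Table -AutoSize
```

A FAIL on the destination host with "No private key associated" usually means the PFX was exported without the key, and a missing-EKU failure means the cert was generated without the -eku argument. On the revocation values: a makecert root has no CRL distribution point, so the revocation check has nothing to consult and DisableCertRevocationCheck=1 is what makes this self-signed setup work; the trade-off is that a replica certificate can no longer be revoked, so the practical control is to delete the cert from both hosts and re-issue if the private key is ever exposed.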