Note to self – Hyper-V Replication Certificates

After quite a bit of frustration (lots of 0x00002f8f errors) with attempts to get certificate-based Hyper-V replication to work, the steps below should configure self-signed certs to work for Hyper-V. You will need makecert.exe. Google it; I believe it is obtainable as part of the Windows Software Development Kit.

1-Create CA Cert on Source replication server

2-Create Client Cert on Source replication server

3-Add Cert to Hyper-V Replication settings.

4-Export Client cert as PFX

5-Install PFX on Destination Server

Repeat the steps above if replication is also going to run in the other direction (it most likely will).


1-Create CA Cert

makecert.exe -pe -n "CN=MyLocalCA" -ss root -sr LocalMachine -sky signature -r "MyLocalCA.cer"

2-Create Client Cert (2 examples)

makecert.exe -pe -n "CN=RepBkr01.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr01.lab.local.cer

makecert.exe -pe -n "CN=RepBkr02.lab.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyLocalCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RepBkr02.lab.local.cer

3-Hyper-V Manager -> "Hyper-V Settings" -> "Replication Configuration" -> "Select Certificate" -> select the cert just created.

4-Go to Certificate Manager (mmc.exe -> add the Certificates snap-in for the local computer) and export the client cert from the Personal store to disk (including the private key and all extended properties), then copy it to the destination server.

5-On the destination server, double-click the PFX and install it for the local machine.

You should now be able to enable replication using these certificates.
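Before clicking through the Hyper-V settings it is worth confirming the cert actually meets what replication expects. The PowerShell below is an added check, not part of the original note; it assumes the cert was made with the makecert commands above (subject CN = the host's FQDN, both EKUs, issuer MyLocalCA in LocalMachine\Root) and takes the hostname as a parameter.

```powershell
# Added example: sanity-check a replication cert in LocalMachine\My before selecting it in Hyper-V.
param(
    [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # assumption: subject CN matches FQDN
)

$requiredEkus = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')  # Server Auth, Client Auth (the -eku values above)
$problems = @()

# Newest cert whose subject is exactly CN=<host>, as makecert -n "CN=..." produces
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Host "No certificate with subject CN=$HostName in LocalMachine\My"
    exit 1
}

# A .cer-only import has no private key; the PFX export in step 4 is what carries it
if (-not $cert.HasPrivateKey) { $problems += 'certificate has no private key' }

# Both EKUs must be present in the Enhanced Key Usage extension (OID 2.5.29.37)
$ekus = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
foreach ($oid in $requiredEkus) {
    if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
}

# Validity window
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'certificate is not currently valid' }

# The chain must build to a trusted root, i.e. MyLocalCA must be in LocalMachine\Root on this host.
# Revocation is skipped here, mirroring the DisableCertRevocationCheck workaround (self-signed CA has no CRL).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build: $status"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $($cert.Thumbprint) ($($cert.Subject)) looks usable for Hyper-V replication"
} else {
    Write-Host "NOT OK: $($cert.Thumbprint) ($($cert.Subject))"
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
```

Run it on both the source and destination hosts; a chain failure on the destination usually means the CA cert was never installed there, which is also the cause of the error in the troubleshooting section.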

Troubleshooting

Makecert.exe gives "Fail to acquire a security provider from the issuer's certificate" – why?

Because the first command above, which creates MyLocalCA, has not been run on the host on which you are trying to create a client cert.

RUN BOTH the CA and the client cert commands on the source host.


You may also have to disable the certificate revocation check if Hyper-V complains about the cert; if so, add these values to your registry:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
