Article – Setting up Windows Azure Recovery Services – Backup Vault after reinstalling Windows Server 2012 R2 while using your existing Public Certificate from your CA Provider….

When reinstalling Windows Server 2012 R2 on bare metal I wanted to use the existing certificate I purchased from GO DADDY. When setting up the Windows Azure Recovery Services from scratch, the existing certificate was deleted out of Azure storage. When I set up the Windows Azure Recovery Services again I used my existing Public Cert from GO DADDY. The only problem is that the CSR and cert for the newly installed Windows Server needed to be RE-KEYED. So when you want to set up your certificate again, go to your provider and re-key the certificate to work with your fresh installation of Windows Server 2012 R2.

Remember, for Windows Azure Recovery Services your SSL cert needs to meet the following -

  • The certificate must contain a private key.

  • The certificate must be created for key exchange, exportable to a Personal Information Exchange (.pfx) file. You will get the .CRT from GO DADDY and then convert it to .CER to install locally on your server and upload to Windows Azure.

  • The certificate's subject name must match the domain used to access the cloud service. You cannot obtain an SSL certificate from a certificate authority (CA) for the cloudapp.net domain. You must acquire a custom domain name to use when accessing your service. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used to access your application. For example, if your custom domain name is contoso.com you would request a certificate from your CA for *.contoso.com or www.contoso.com. In my case I use GO DADDY.

  • The certificate must use a minimum of 2048-bit encryption.

  • MUST NOT BE OLDER THAN 3 YEARS or the upload will fail for Azure.  
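The requirements above can be checked before you try the upload, so that a rejected certificate does not cost you a round trip to the portal. The following PowerShell function is an added example, not code from the original article or from Microsoft; it inspects a certificate in the local machine store for a private key, an exportable key, a subject or SAN matching the custom domain (wildcards allowed), a key of at least 2048 bits, and a NotBefore-to-NotAfter span of no more than three years. The domain name `www.contoso.com` in the usage line is a placeholder.

```powershell
# Added example (not from the original article). Checks a LocalMachine\My
# certificate against the Windows Azure Recovery Services certificate rules.
function Test-AzureBackupCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [string]$DomainName   # custom domain the vault will be accessed with, e.g. www.contoso.com
    )
    $results = [ordered]@{}

    # 1. A private key must be present in this store (a bare .cer has none).
    $results['HasPrivateKey'] = $Cert.HasPrivateKey

    # 2. The key must be exportable so it can be written to a .pfx.
    #    CspKeyContainerInfo is only available for CSP-based RSA keys, which is
    #    what the Microsoft RSA SChannel Cryptographic Provider produces.
    $exportable = $false
    if ($Cert.HasPrivateKey -and
        $Cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $Cert.PrivateKey.CspKeyContainerInfo.Exportable
    }
    $results['Exportable'] = $exportable

    # 3. Subject CN or a SAN entry must match the custom domain. -like treats a
    #    wildcard cert name such as *.contoso.com as a pattern and an exact
    #    name as an exact, case-insensitive match.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    if ($Cert.DnsNameList) { $names += $Cert.DnsNameList | ForEach-Object { $_.Unicode } }
    $results['NameMatches'] = [bool]($names | Where-Object { $DomainName -like $_ })

    # 4. Minimum 2048-bit key.
    $results['KeySize2048'] = $Cert.PublicKey.Key.KeySize -ge 2048

    # 5. Validity period of at most three years, otherwise the upload is rejected.
    $results['ValidityWithin3Years'] = $Cert.NotAfter -le $Cert.NotBefore.AddYears(3)

    $results['Passed'] = -not ($results.Values -contains $false)
    return [pscustomobject]$results
}

# Usage: pick the most recently issued cert for the placeholder domain and test it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.contoso.com*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
Test-AzureBackupCertificate -Cert $cert -DomainName 'www.contoso.com' | Format-List
```

Run it in an elevated PowerShell session on the server where the certificate was installed; the private-key and exportability checks only pass in the store that actually holds the key, which is why a certificate that looks fine in the portal can still fail on a freshly reinstalled box.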

    First, if you reinstall your server and the Windows Azure Recovery Services Backup Vault already exists, you can Allow Re-registration of your server and cert.

    You will see some info that says -

    Are you sure you want to allow re-registration for 'BLAINSVR01.'?

    When you allow re-registration, the 'BLAINSVR01.' server will be allowed to register again with the backup vault 'Blainsbackup'. Allow re-registration only if certificate issues exist on the server or if you rebuilt the server. If you want to access previously created recovery points, make sure that you register the server with the same backup vault

    This is the easy way, but if this is not an option then proceed with a RE-KEY.

    Below is some information that might help when you need to RE-KEY your cert.
    Log into your GO DADDY account -

  • Go to your products and select SSL Certificates, if you have one.

    If not, purchase and create a new one -

    Click on Launch to see your SSL Certificates

    Select your certificate

      Click Re-key,

    Go to your Windows Server 2012 R2 and Create Certificate Request within IIS Server Certificates or CA -

    Fill out the Distinguished Name Properties; every field must be filled in before you can continue.

    Click Next, select Microsoft RSA SChannel Cryptographic Provider and make sure you select 2048 as the bit length.

    Click Next and save the .TXT file; its contents will be cut and pasted into the GO DADDY CSR box -

    Copy and paste your server information into the GO DADDY CSR entry box -

    Paste it in and click RE-KEY; your SSL Certificate is now ready to go for your new server and Windows Azure Recovery Services.
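The IIS wizard steps above (subject fields, Microsoft RSA SChannel Cryptographic Provider, 2048 bits, save the request as a .TXT file) and the .CRT-to-.CER conversion mentioned in the requirements can also be done from the command line, which is easier to repeat on the next rebuild. The script below is an added example and not part of the original article or of GoDaddy's or Microsoft's tooling: it writes a certreq .inf that asks for the same key properties, generates the CSR to paste into the GO DADDY re-key box, and after the issued .CRT comes back binds it to the pending private key, then exports the .pfx (with the key) and the .cer (public part) for Azure. The subject, organisation fields and all `C:\certs\...` paths are placeholders.

```powershell
# Added example (not from the original article). Command-line equivalent of the
# IIS "Create Certificate Request" steps plus the .pfx/.cer export.
# Run elevated; MachineKeySet=TRUE stores the key in the machine store.

# --- 1. Request definition with the same properties the IIS wizard sets ---
# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject must match the custom domain the service is accessed with (placeholder values)
Subject = "CN=www.contoso.com, O=Contoso Ltd, L=Redmond, S=WA, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE: key created for key exchange
KeySpec = 1
; private key may be exported to a .pfx
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; ProviderType 12 = PROV_RSA_SCHANNEL
ProviderType = 12
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
'@

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\rekey.inf -Value $inf -Encoding ASCII

# --- 2. Generate the key pair and the CSR (.txt) to paste into the GO DADDY box ---
certreq.exe -new C:\certs\rekey.inf C:\certs\rekey-csr.txt
Get-Content C:\certs\rekey-csr.txt

# --- 3. After GO DADDY issues the re-keyed certificate, save it as issued.crt and
#        accept it: this binds the .crt to the pending private key in LocalMachine\My ---
certreq.exe -accept C:\certs\issued.crt

# --- 4. Export the .pfx (with private key) and the .cer (public part for Azure) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -FilePath C:\certs\rekey.pfx -Password $pfxPassword | Out-Null
Export-Certificate   -Cert $cert -FilePath C:\certs\rekey.cer | Out-Null   # DER .cer, what Azure expects
```

Export-PfxCertificate and Export-Certificate come from the PKI module that ships with Windows Server 2012 R2, so nothing extra needs installing. Keep the .pfx off the server once the vault registration is done; it carries the private key, while the .cer you upload to Azure does not.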

    I then revoked the previous cert which takes about 24 hours within the GO DADDY portal.

    Once you go back to Vault Identification when registering the server, the cert becomes available.

    Select your Backup Vault.

    Set your Encryption Setting and the location to save your passphrase.

    Your Server is now registered.

    You can now back up to the cloud between the Windows Azure Recovery Services Backup Vault and your Windows Server 2012 R2 bare metal box on premises.

    For the other steps for importing the cert and getting Windows Azure Recovery Services going, refer to a previous article I wrote on setting up Windows Azure Recovery Services:

    https://blogs.technet.com/b/blainbar/archive/2013/11/15/windows-server-2012-r2-with-windows-azure-backup-vault-using-a-public-certificate-from-the-commercial-ca-go-daddy.aspx

    Hope this helps!