When reinstalling Windows Server 2012 R2 on bare metal I wanted to use the existing certificate I purchased from GO DADDY. When setting up Windows Azure Recovery Services from scratch, the existing certificate was deleted out of Azure storage. When I set up Windows Azure Recovery Services again I used my existing public cert from GO DADDY. The only problem is that the CSR and cert for the newly installed Windows Server needed to be RE-KEYED: the private key that matched the old cert lived only on the wiped install, and without it the cert is useless to the server. So when you want to set up your certificate again, go to your provider and re-key the certificate to work with your fresh installation of Windows Server 2012 R2. (If you exported the cert to a .pfx with its private key before the rebuild, you can import that instead and skip the re-key.)
Remember, for Windows Azure Recovery Services your SSL cert needs to meet these requirements –
- The certificate must contain a private key, and it must be installed in the Local Computer Personal store of the server you are registering, paired with that key.
- The certificate must be created for key exchange and exportable to a Personal Information Exchange (.pfx) file. You will get the .CRT from GO DADDY; install it on your server (which pairs it with the private key from the CSR) and then export the public part as a .CER to upload to Windows Azure.
- The certificate's subject name must match the domain used to access the cloud service. You cannot obtain an SSL certificate from a certificate authority (CA) for the cloudapp.net domain. You must acquire a custom domain name to use when accessing your service. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used to access your application. For example, if your custom domain name is contoso.com you would request a certificate from your CA for *.contoso.com or www.contoso.com. In my case I use GO DADDY.
- The certificate must use a minimum 2048-bit key (RSA).
- The certificate's validity period MUST NOT BE LONGER THAN 3 YEARS or the upload will fail for Azure.
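Before uploading anything, it is worth checking the installed cert against that list from the server itself. The following is an added PowerShell check, not part of the original post or of Azure Backup; it assumes the cert is in the Local Computer Personal store and that www.contoso.com is the subject name (a placeholder you replace with your own). It also tests for the Client Authentication EKU, which the vault needs because the server uses this cert to authenticate to it.

```powershell
# Added check (not from the original post): verify that an installed certificate
# meets the backup vault requirements before you try to register the server.
# Assumes the cert is in Cert:\LocalMachine\My; "www.contoso.com" is a placeholder.

function Test-VaultCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $problems = @()

    # Requirement: the cert must carry its private key on this server.
    if (-not $Cert.HasPrivateKey) {
        $problems += "no private key bound to the certificate (re-key or import the .pfx)"
    }

    # Requirement: at least a 2048-bit key.
    $keyLength = $Cert.PublicKey.Key.KeySize
    if ($keyLength -lt 2048) {
        $problems += "key length is $keyLength bits, need at least 2048"
    }

    # Requirement: validity period (NotBefore to NotAfter) no longer than 3 years,
    # and of course not already expired.
    if ($Cert.NotAfter -gt $Cert.NotBefore.AddYears(3)) {
        $problems += "validity period is longer than 3 years"
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $problems += "certificate has expired"
    }

    # The server authenticates to the vault with this cert, so it needs the
    # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if (-not ($ekus -contains '1.3.6.1.5.5.7.3.2')) {
        $problems += "no Client Authentication EKU"
    }

    if ($problems.Count -eq 0) {
        return "OK: $($Cert.Subject) ($($Cert.Thumbprint))"
    }
    return $problems | ForEach-Object { "FAIL: $_" }
}

# Pick the newest cert for the placeholder subject and run the checks.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=www.contoso.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "Certificate not found in Cert:\LocalMachine\My" }
Test-VaultCertificate -Cert $cert
```

Run it from an elevated prompt on the server you intend to register. A "no private key" failure after a rebuild is exactly the situation that forces the re-key described below.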
First, if you reinstall your server and the Windows Azure Recovery Services Backup Vault is already there, you can Allow Re-registration of your server and cert.
You will see some info that says –
Are you sure you want to allow re-registration for 'BLAINSVR01.'?
When you allow re-registration, the 'BLAINSVR01.' server will be allowed to register again with the backup vault 'Blainsbackup'. Allow re-registration only if certificate issues exist on the server or if you rebuilt the server. If you want to access previously created recovery points, make sure that you register the server with the same backup vault.
This is the easy way, but if this is not an option then proceed with a RE-KEY.
Below is some information that might help when you need to RE-KEY your cert.
Log into your GO DADDY account –
Go to your products and select SSL Certificates, if you have one.
If not, purchase and create a new one –
Click on Launch to see your SSL Certificates
Select your certificate
On your Windows Server 2012 R2, open IIS Manager, go to Server Certificates and choose Create Certificate Request (or use your CA's tooling) –
Fill out the Distinguished Name Properties; every field must be filled in before you can continue. The Common name must be the domain name the certificate was issued for (www.contoso.com or *.contoso.com in the example above), since a re-key has to match the existing cert.
Click Next, select Microsoft RSA SChannel Cryptographic Provider and make sure you select 2048 as the bit length.
Click Next and save the .TXT file; its contents are the CSR you will paste into the GO DADDY re-key form –
Copy and paste your server's CSR into the GO DADDY CSR entry box –
Paste and click RE-KEY, and your SSL Certificate is now ready to go for your new server and Windows Azure Recovery Services. Download the re-keyed .CRT and complete the request (Complete Certificate Request in IIS) on the same server that generated the CSR, so the cert is paired with its new private key.
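The same CSR-and-install steps can be done without the IIS wizard. What follows is an added example in PowerShell with certreq, not code from the original post or from GO DADDY; the Subject line, organization fields and C:\certs paths are placeholders you must change, and the downloaded re-keyed cert is assumed to be saved as C:\certs\rekeyed.crt. It also exports the public .CER for the vault upload and a password-protected .pfx backup so the next rebuild does not need another re-key.

```powershell
# Added example (not from the original post): generate the CSR for the GO DADDY
# re-key, install the returned cert against its private key, and export what the
# vault needs. Run from an elevated prompt. Placeholders: Subject, paths.

$work = 'C:\certs'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request parameters. KeySpec = 1 is AT_KEYEXCHANGE ("created for key exchange"),
#    Exportable = TRUE allows a later .pfx export, MachineKeySet puts the key in the
#    Local Computer store, and provider/length match what the IIS wizard asks for.
#    Single-quoted here-string, so the $ in the signature needs no escaping.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.contoso.com, O=Contoso, L=Seattle, S=WA, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
'@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Create the private key in the machine store and write the CSR. The text in
#    request.csr is what the IIS wizard saves as the .TXT file; paste it into the
#    GO DADDY re-key box.
certreq -new "$work\request.inf" "$work\request.csr"
Get-Content "$work\request.csr"

# 3. After GO DADDY issues the re-keyed cert, save the downloaded .crt as
#    $work\rekeyed.crt and bind it to the pending private key (this is what
#    "Complete Certificate Request" does in IIS).
certreq -accept "$work\rekeyed.crt"

# 4. Locate the installed cert (it now has the private key), export the public
#    part as a DER .cer for the vault upload, and keep a .pfx backup off this box.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Re-keyed certificate with a private key not found in Cert:\LocalMachine\My" }

Export-Certificate -Cert $cert -FilePath "$work\vault-upload.cer" -Type CERT | Out-Null

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx backup'
Export-PfxCertificate -Cert $cert -FilePath "$work\backup.pfx" -Password $pfxPassword | Out-Null
```

Step 3 must run on the same machine as step 2, because certreq matches the issued cert to the pending request and its key by public key; on any other box the cert installs without a private key and the vault registration fails. Move backup.pfx off the server once it is written.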
I then revoked the previous cert which takes about 24 hours within the GO DADDY portal.
Once you go back to Vault Identification when registering your server, the cert becomes available.
Select your Backup Vault
Set your Encryption Setting and the location to save your passphrase. Keep a copy of the passphrase somewhere other than this server; it is needed to restore the backups and cannot be recovered from Azure.
Your Server is now registered
You can now back up to the cloud from your on-premises Windows Server 2012 R2 bare metal box to the Windows Azure Recovery Services Backup Vault.
For the other steps for importing the cert and getting Windows Azure Recovery Services going, refer to a previous article I wrote on setting up Windows Azure Recovery Services.
Hope this helps!