Configuring a Certificate for Virtual Machine Connection in Hyper-V or thru SCVMM:

Configuring a Certificate for Virtual Machine Connection in Hyper-V or thru SCVMM:

Replacing the self-signed certificate used by HYPER-V /SCVMM, with a certificate issued using an Internal Enterprise Certificate Authority.

Windows Server 2008, Windows Server 2008 R2

clip_image001Tip

These procedures are intended for advanced users; required steps include editing the registry. You should perform these steps only if the default behavior of Hyper-V does not meet the needs or policies of your environment.

One security issue that Hyper-V was designed to address is better protection against “man in the middle” attacks (sometimes referred to as MITM). Use of trusted certificates can help protect against MITM attacks. When you use the Virtual Machine Connection tool or a custom application that uses Remote Desktop Protocol (RDP) ActiveX controls, Hyper-V uses a single-port listener that utilizes trusted certificates for server authentication. (This does not occur when you use the Remote Desktop Connection client, because it does not use the single port listener.) As explained later in this topic, under certain circumstances Hyper-V issues a self-signed certificate that is then used for server authentication. As an alternative to this approach, you can configure Hyper-V to use a different certificate, such as one issued by a certification authority (CA).

clip_image001[1]Tip

During a MITM attack, a malicious party listens and intercepts communication between two parties, then injects information into the communication stream, without the knowledge of the two communicating parties. This information triggers some action that amounts to a security breach.

1:

Certificate requirements and selection

Hyper-V Virtual Machine Management Service (VMMS) requires that a certificate meet all of the following criteria to be considered a valid certificate. The certificate must have:

  • A valid certificate chain, which is connected to a trusted root certificate
  • A “Subject Name” that matches the FQDN of the machine
  • A purpose of “Server Authentication”
  • The certificate has to have a Specific Extention else it will not be used by the Hyper–v service.

[Extensions]
1.3.6.1.4.1.311.62.1.1.1 = AgEE

  • A private key file that includes ‘read’ access for the Virtual Machine group security ID (SID).

When VMMS starts, Hyper-V searches for an existing, valid certificate to prepare for future communication requests. If one is not found, Hyper-V generates a self-signed certificate in the VMMS certificate store. The search for a certificate occurs as follows:

1. First, Hyper-V checks the registry for the thumbprint value of a certificate, under \HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization\AuthCertificateHash. Hyper-V uses this value to try to locate a matching certificate.

2. If no matching, valid certificate is found, Hyper-V checks the certificate store of the computer.

3. If no valid certificate is found in the certificate store of the computer, Hyper-V checks the VMMS certificate store, under Hyper-V Virtual Machine Management Service (VMMS).

4. If the VMMS certificate store does not contain a certificate that is valid for use with Hyper-V, VMMS generates a self-signed certificate in its service certificate store.

2:

Configuring your CA server and obtaining a valid certificate for use with SCVMM.

Note: The VMMS service requires two critical certificates Extension Fields These are:

Field= “Key Usage” Value = “Key Encipherment, Data Encipherment (30)”

Field= “1.3.6.1.4.1.311.62.1.1.1 Value = “02 01 04”

Make sure the usage of the certs contain Key Encipherment and Data Encipherment (30)

Here is how we can get the said “Field” (1.3.6.1.4.1.311.62.1.1.1) in the certificate with the value 02 01 04 using certreq.

Note: We assume you have an Enterprise CA.

· Create a duplicate v2 template (Windows Server 2003) based on “WebServer”, e.g. Web Server 2003 Export. 

Execute below set of commands on the certificate server to allow for the Extensions needed.

· Certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.4.1.311.62.1.1.1

· Net stop certsvc

· Net start certsvc.

· On the duplicated v2 certificate template based on “WebServer”, that we were using please make sure the Subject name tab is set to “Supply in the Request”.

Increase the "Validity Period" from General tab and ensure that you have the Allow exporting of the Private key is enabled.

· The please copy the below test  to a Request.inf file changing the subject name from test to the name of the server:

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=test"

KeySpec = 1

KeyLength = 1024

Exportable = TRUE

MachineKeySet = TRUE

KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"

[Strings]

szOID_ENHANCED_KEY_USAGE = "2.5.29.37"

szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

szOID_CUSTOM = "1.3.6.1.4.1.311.62.1.1.1"

[Extensions]

%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

%szOID_CUSTOM% = "{hex} 02 01 04"

· Once you save the Request.inf execute below command. (from the same directory you copied the file to)

o Certreq –new request.inf request.req ( this will convert the certificate to the correct format )

o Then please copy the content of the request.req file to the certificate request page and submit the certificate to be issued.

clip_image002

o Launch the Certificate in Machine context – select the installed Cert and export with the private key,

o Launch the Certificate in hyper-V service context – import the private key we exported above.

More information https://technet.microsoft.com/en-us/library/cc740063(WS.10).aspx

Then please proceed with the rest of the actions to ensure that you disable self-signing VMMS certificate and set the certificate to be used.

3:

Deploying a certificate issued by a CA

If you do not want to use a self-signed certificate, you can obtain a certificate issued by a certification authority (CA) and then deploy that certificate to use with Hyper-V. The following steps assume that you have obtained a certificate from a CA and stored it in the certificate store of the computer account of the server running Hyper-V.

To deploy a certificate issued by a CA

1. Prevent Hyper-V from generating a self-signed certificate by adding a registry key.

a. Open Windows PowerShell.

b. Run the following command:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "DisableSelfSignedCertificateGeneration" /f /t REG_QWORD /d 1

clip_image003Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

2. Check the VMMS certificate store for a self-signed certificate and delete it if it exists.

a. Open the Certificates snap-in.

i. Open Microsoft Management Console. Click Start, click Run, type mmc, and then click OK.

ii. Under the File menu, click Add/Remove Snap-in.

iii. Under Available snap-ins, click Certificates.

iv. Click Service account, and then click Next.

v. Click Local computer and then click Next.

vi. In the Service account list, select Hyper-V Virtual Machine Management and then click Finish.

b. In the navigation pane, expand Certificates. Expand vmms\Personal and then click the Certificates folder.

c. In the details pane (center pane), right-click the certificate and click Delete.

d. Expand vmms\Trusted Root Certification Authorities and click Certificates. Find the copy of the certificate that you deleted in the previous step and delete it from this folder.

e. Close the Certificates snap-in.

3. Find the thumbprint value of new certificate that you want to deploy.

a. Open the Certificates snap-in again to load the certificate store of the computer. Select Computer account, and then complete the wizard to load the certificate store.

b. In the Details pane, double-click the certificate and then click the Details tab.

c. Select Thumbprint. If it does not appear in the list, set Show to <All> .

d. In the text box below the list, copy the hexadecimal value.

e. Paste the string into a text file for use later in this procedure.

4. Open or switch back to Windows PowerShell.

5. Find the private key file of the certificate.

a. Copy the following string and replace thumbprint_value with the string value you copied in the previous step.

the correct command is $certs = dir cert:\ `` - `` recurse | ? { $_.Thumbprint -eq "thumbprint_value" }.

b. Run the command.

c. Run the following command to obtain a certificate object:
$cert = @($certs)[0]

d. Run the following command to obtain the private key file name of the certificate:
$location = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

6. Run the following commands in the order shown to modify the access control list (ACL) so that the Virtual Machine group security identifier has read access. Text in quotes in the following commands represents literal values, not placeholder text, and should be included as shown in the command strings.

$folderlocation = gc env:ALLUSERSPROFILE

$folderlocation = $folderlocation + "\Microsoft\Crypto\RSA\MachineKeys\"

$filelocation = $folderlocation + $location

icacls $filelocation /grant "*S-1-5-83-0:(R)"

7. Verify that the Virtual Machine group has read access to the certificate.

a. Switch back to the Certificates snap-in to view the certificate store of the computer account.

b. In the Details pane, right-click the certificate, click All Tasks, and then click Manage Private Keys.

c. Under Group or user names, select Virtual Machines.

d. Under Permissions for Virtual Machines, verify that Read is set to Allow.

8. Run the following commands to set the registry key to the hash value of the certificate:

$thumbprint = $cert.Thumbprint

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "AuthCertificateHash" /f /t REG_BINARY /d $thumbprint

9. If the version of Hyper-V is earlier than the one included in Windows Server 2008 R2, perform the following steps:

a. Run the following commands:
Net stop vmms
Net start vmms

b. Switch to or open Hyper-V Manager. Save the state of each running virtual machine and then restore each one.

Some notes about Hyper-V 

1)    The Hyper-V management service (VMMS) will automatically create its own local-host based Security Certificate if one does not exist that is currently valid.

2)    VMMS will delete any key that is expired from its local Certificate Store.

Best Regards

Hugo Ferreira