The certificate requirements for Hyper-V Replica were discussed earlier – this post provides details on how to request a certificate from a Certification Authority (CA), which can then be used for Hyper-V Replica for certificate based authentication.
Step #1: Create an INF file
Copy-paste the text below to a .inf file which specifies the settings for the certificate request. Modify the Subject attribute to the server name (FQDN if applicable).
Save the above file as HVR.inf.
Step #2: Create a request
Issue the following command from an elevated command prompt, to create a certificate request from an .inf file.
A request file with the name HVR.req is created in the same directory.
Step #3: Submit the request
There are three possible outcomes here:
- Submit the certificate request to an internal CA
- Submit the certificate request using the following command
- The –config switch can be used (with certreq) to direct the request to a specific CA. In the above command, this is “corpca1.fabrikam.com\Corporate Policy CA1”.
- Ensure that RPC traffic is allowed between the computer requesting the certificate and the CA.
- It is assumed that the root CA certificate is already installed in the Trusted Root Certification Authorities store of the local computer
- (OR) Submit the certificate request to an external CA
- Many external CAs take a Certificate Signing Request (CSR) block which contains information about your organization name, domain name etc. To get the CSR block from the req file, issue the following command:
Open the csr file in notepad and send the contents to your external CA through the preferred medium (mail/web page upload) as dictated by your CA. A sample csr file (which I have manually edited) would look as follows:
Step #4: Finishing up…
Once the certificate is issued, issue the following command to install the certificate
This command imports the certificate into the appropriate store.
- In a clustered configuration, ensure that the certificate with the Hyper-V Replica Broker’s CAP name is installed on all the nodes of the cluster.
- Wildcard certificate: If you wish to deploy wildcard certificates, modify the subject attribute in the INF file to indicate the wildcard (eg: *.department.contoso.com) and follow the same steps as mentioned earlier
- SAN certificate: If you wish to deploy Subject Alternate Name certificates, use the following INF file and follow the same steps as mentioned earlier.
- After the certificate is installed, run the following command from the command prompt on both the primary and replica server:
At least one of the certificates in your output should resemble the following sample output such that the Encryption test (not just Signature) has passed.