We have had a number of queries on how to enable replication using certificates created with makecert. Though the Understanding and Troubleshooting guide for Hyper-V Replica discusses this aspect, I am posting a separate article on it. The steps below apply to a simple lab deployment consisting of two standalone servers – PrimaryServer.domain.com and ReplicaServer.domain.com. They can easily be extended to clustered deployments with the Hyper-V Replica Broker.
Makecert is a certificate creation tool which generates certificates for testing purposes. Information on makecert is available here – http://msdn.microsoft.com/en-us/library/bfsktky3.aspx.
1. Copy the makecert.exe tool to your primary server
2. Run the following command from an elevated command prompt on the primary server. It creates a self-signed root authority certificate, installs it in the Root store of the local machine and also saves it as a file locally:
makecert -pe -n "CN=MyTestRootCA" -ss root -sr LocalMachine -sky signature -r "MyTestRootCA.cer"
3. Run the following command a couple of times from an elevated command prompt to create new certificate(s) signed by the test root authority certificate:
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer
Each time:
- Replace <FQDN> with the FQDN of the primary or replica server, or of the Hyper-V Replica Broker (if required, in a clustered deployment).
- Replace <MachineName>.cer with any file name.
Each run installs a test certificate in the Personal store of the local machine and also saves it as a file locally. The certificate can be used for both Client and Server authentication.
4. The certificates can be viewed by mmc->File->Add/Remove Snap-in...->Certificates->Add->"Computer Account"->Next->Finish->Ok
You will find the Personal certificate (with the machine names) in the Personal store and the Root certificate (MyTestRootCA) in the Trusted Root Certification Authorities store.
5. Export the replica server certificate with the private key.
6. Copy MyTestRootCA.cer and the above exported certificate (RecoveryServer.pfx) to the Replica server.
7. Run the following command from an elevated prompt on ReplicaServer.domain.com:
certutil -addstore -f Root "MyTestRootCA.cer"
8. Open the certificate mmc on ReplicaServer.domain.com and import the certificate (RecoveryServer.pfx) into the Personal store of the server. Provide the pfx file and password as input.
9. In a clustered deployment, two certificates are required on each server:
- Certificate with the subject name set to the server’s FQDN
- Certificate with the subject name set to the Hyper-V Replica Broker’s FQDN. This is required as the Hyper-V Replica Broker is Highly Available and can migrate from one server to another.
10. By default a certificate revocation check is mandatory, and self-signed certificates don't support revocation checks. To work around this, set the following registry value on the Primary and Replica servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
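An added readiness check, not part of the original post, that can be run on each host after step 10 to confirm the state the steps above should leave behind: a certificate in the Personal store whose subject matches the FQDN, holding its private key and both EKUs, a chain that builds to the imported root, and the registry value from step 10. It assumes the host's own FQDN unless -ExpectedName (the broker name in a cluster) is given.

```powershell
# Added readiness check (not from the original post): confirms what steps 1-10
# above put in place on a Hyper-V host. Assumed: the FQDN defaults to this
# host's own name; pass -ExpectedName for the Replica Broker name in a cluster.
param(
    [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (step 3)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (step 3)
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

function Test-ReplicaCertificate {
    param([string]$Name)
    # Step 3 installs the certificate in LocalMachine\My with the subject set to
    # the FQDN; a subject mismatch is what the broker's "CN name does not match"
    # error in the comments reports.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Name" }
    if (-not $candidates) {
        Write-Warning "No certificate with subject CN=$Name in LocalMachine\My"
        return $false
    }
    foreach ($cert in $candidates) {
        $problems = @()
        # Steps 5-8: the private key must have travelled with the certificate.
        if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
        # Both EKUs given to makecert in step 3 must be present.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        if ($ekus -notcontains $serverAuthOid) { $problems += 'Server Authentication EKU missing' }
        if ($ekus -notcontains $clientAuthOid) { $problems += 'Client Authentication EKU missing' }
        # Step 7: the chain must build to a root in LocalMachine\Root. Revocation
        # is not checked here because a makecert root publishes no CRL (step 10).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        }
        if ($problems.Count -eq 0) {
            Write-Host "OK: $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
            return $true
        }
        Write-Warning "$($cert.Thumbprint): $($problems -join '; ')"
    }
    return $false
}

function Test-RevocationOverride {
    # Step 10: DisableCertRevocationCheck must be 1 under the Replication key.
    $v = Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
    if ($v -and $v.DisableCertRevocationCheck -eq 1) { return $true }
    Write-Warning 'DisableCertRevocationCheck is not 1 (step 10); a self-signed chain will fail the revocation check'
    return $false
}

$certOk = Test-ReplicaCertificate -Name $ExpectedName
$regOk  = Test-RevocationOverride
if ($certOk -and $regOk) { Write-Host "Host is ready for certificate-based replication as $ExpectedName" }
```

Run it from an elevated PowerShell prompt on each host; in a clustered deployment run it once with the node's FQDN and once with the broker's FQDN, since step 9 requires both certificates.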
Hi Dave, my previous response was specific to your query on wildcard certificates – *.yourdomain.com is one such way to achieve it. Depending on your machine names in your deployment, there could be other ways as well. If you give the NetBIOS name of one of the servers in step 3, I am not sure if it falls under the ‘wildcard’ bracket. Depends on how you have setup your environment. But yes, you are right, the wildcard cert pfx needs to be available in all the other primary servers.
Are these standalone servers on your primary site or are they clustered? As we mutually authenticate the connection as part of setting up the connection, a few things need to fall into place to make the end to end scenario work. Do go through this link if you haven't done so already http://technet.microsoft.com/en-us/library/jj134153.aspx.
Majestik – can you please ensure that certutil is being run from the same folder in which the cer file is present. According to the error, it looks like the cer file is not found
Praveen
To Dave’s question – you can either use wildcard certificates or SAN (Subject Alt Name) certs. Both are supported by Hyper-V Replica.
Praveen
I posted instructions on this several months ago. I went to do the setup again and found I missed a few steps in the instructions. I tried to redo the instructions as best as possible step by step. I hope this is more detailed and more helpful for everyone.
1. Install Hyper-V role on both servers.
2. Name the primary Hyper-V server "vmhost1" and leave it as part of a workgroup. Name the failover server "vmhost2" and also leave it as part of a workgroup. IP does not matter, but you must name the servers this or you will need to change the names in all of the following commands.
3. To make our own self-signed certificates we must download and install the "Windows SDK Kit" for 2012 server. Install all components, and restart the server when complete. You must install this on both servers.
4. To use the "makecert" commands listed below, you must have an elevated DOS prompt open from where the Windows SDK is installed. It should be the following: "C:\Program Files (x86)\Windows Kits\8.0\bin\x64"
5. Once you have the DOS prompt open and the prompt is in the correct directory you can copy and paste the following commands into the DOS prompt.
As discussed I am sharing the steps we performed to configure the Hyper-V replication over SSL.
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a self-signed Primary root authority certificate:
makecert -pe -n "CN=PrimaryRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryRootCA.cer"
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:
makecert -pe -n "CN=VMHost1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 primaryCert.cer
• Run the below mentioned command from an elevated command prompt on Vmhost2 to create a self-signed Replica root authority certificate:
makecert -pe -n "CN=ReplicaRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaRootCA.cer"
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:
makecert -pe -n "CN=VMHost2" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 replicaCert.cer
• Create the below mentioned keys on both the Hyper-V hosts:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication
REG_DWORD = DisableCertRevocationCheck with value 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication
REG_DWORD = DisableCertRevocationCheck with value 1
Hi Lee,
1) For the first question "'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). "
You will need a certificate generated for each server of your cluster and for the broker. Install the broker certificate in all the nodes of the cluster. As the error suggests, the certificate's subject name (Repbkr01) and the name provided for the broker do not match. When you created the broker, what is the name which was provided (Repbkr01 or Repbkr01.local or Repbkr01.local.domain?) – ensure that this name and the name provided as part of running Step 3 in this blog post match.
2) For the second question "Hyper-V failed to establish a connection with the Replica server 'REPBKR01.domain.local' on port '4000'. Error: The connection with the server was terminated abnormally (0x00002EFE)."
This is either an address resolution problem or a network connectivity problem. We would need to get past the network listener issue in question (1) above before resolving this.
Praveen
Continued.
6. Please make sure both keys are spelled correctly and have the correct path. Restart both servers.
7. Copy "PrimaryRootCA.cer" created in step 1 to VMhost2 & copy "ReplicaRootCA.cer" created in step 3 to VMHost1.
8. Run the below mentioned command on Vmhost1
certutil -addstore -f root "replicarootca.cer"
9. Run the below mentioned command on Vmhost2
certutil -addstore -f root "primaryrootca.cer"
10. Now we need to make sure all the certs are installed and viewable in the correct certificate store. Open an mmc console and add Certificates. Choose to add "computer", click next to finish. Under the "Personal Store" you should see the following certificates.
11. As of now you should not see both, so we need to import them.
12. To import the correct certificate open Hyper-V Manager. Click on Hyper-V settings and enable replication. Here click "Use Certificate based authentication". Click "select certificate"; it should show a certificate. Click install, choose to install as current user, then install again and choose to install as local computer. Make sure to install in both. If you receive an error here that it cannot find a valid certificate, then the certificate is not showing up in the personal store listed above. You cannot continue until you get the cert to show up in the correct store.
13. If you can click install and you receive another error stating the certificate cannot locate the "revocation list", you did not make the correct registry changes. The registry changes prevent the CA from requiring the use of a revocation list. You must resolve this before continuing.
14. A note: this step is where I ran into most of my issues. Either it will not find the revocation list or it will not be able to verify the thumbprint of the required certificate. If the latter is the case, you really need to make sure the certificate is listed under the personal store. To resolve this issue, I opened the CA personal store mmc console on the primary Hyper-V server. I right clicked on the VMHOST2 certificate and clicked "export". Choose to export "WITH THE PRIVATE KEY"; you must make a password to protect the private key. Once the file is exported, copy this certificate to the VMHOST2 server. Double click on the certificate, choose to install both as local user and local computer and save. You should now be able to go back into the Hyper-V console on the failover server, click Hyper-V settings, then replication. Choose "use certificate based authentication" and "select certificate". The Hyper-V server should now be able to read the private key assigned with the certificate.
15. Now hopefully replication is enabled on both servers. If not, the only issues I ran into were all related to the issue I went over in 12-14. If replication is enabled on both servers you can now go to the primary server, open the Hyper-V console, right click on the virtual server you wish to replicate, choose enable replication and go through the wizard. You will need to install the certificate one more time but it should find it on its own.
In Step 3, give "CN=*.yourdomain.com" instead of the FQDN.
Praveen
Hi,
Great article!
One question:
How do you enable one certificate to be used by multiple primary servers? For example, there are three primary servers with one Replica Server. Do I need three SSL certificates?
appreciate your help!
/Dave
Thanks.
How do we generate a wildcard certificate using makecert?
Can you please give a little walkthrough here?
Thank you very much.
To Sass – maybe one of the servers (primary or replica) is unable to reach the revocation server? Are you able to access the revocation servers from both primary and recovery server(s)?
Praveen
makecert is not included in the 8.1 SDK or WDK so use the 8.0 SDK: http://msdn.microsoft.com/en-US/windows/desktop/ff851942.
Why domain? There are other things you can also specify in place of domain names. For example, netbios names, etc. I gave the NetBIOS names. Isn’t it? Next is to import the same pfx to other primary servers.
Thanks!
/Dave
When I enter this command, manual, with the changed settings, I get an error that there are too many parameters:
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer
The ONLY thing that works is if I delete everything after -sy 12. But even then, the second eku isn't embedded into the ticket.
Thoughts?
Nevermind — Figured it out. Turns out that you can't use power shell for this.
Hi,
Thanks for this great post, keep it up! However, I'm stuck at step 7. My servers are returning the following error:
root "Trusted Root Certifivation Authorities"
DecodeFile returned
The System cannot find the file specified.
0x80070002 <win32: 2>
CertUtil: -addstore command FAILED 0x8007002 <WIN32: 2>
CertUtil: The system cannot find the file specified.
I hope you have a solution for this!
Hi, I am going from a standalone server to a cluster – via a broker – and source and target servers are in different domains / forests. I believe I have generated the certificates correctly and have all firewall rules and routing configured correctly but I keep getting this error:
'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). Please look at the event log on destination node for more details.
Any suggestions?
So I can now replicate from the cluster to the stand alone server but still not the other way (needed to add host file entry for standalone server on all cluster nodes). This proves my certificates are fine but something is wrong at the cluster / broker side. I also tried replicating using port 4000 and get the same error:
'Hyper-V Replica Broker REPBKR01' failed to start the network listener on destination node 'HVSERVER01': The certificate's CN name does not match the passed value. (0x800B010F). Please look at the event log on destination node for more details.
Appreciate any suggestions.
Oh and the error on the client side – standalone server – is:
Hyper-V failed to establish a connection with the Replica server 'REPBKR01.domain.local' on port '4000'. Error: The connection with the server was terminated abnormally (0x00002EFE).
I used these instructions provided to me by a Microsoft technician to set up certificate-based authentication between two 2012 servers running the Hyper-V role. Both 2012 servers were only part of a workgroup. I spent days on this issue before I opened the case. I could never get the commands to run on my own; I continued to get "file not found" errors. I hope this is helpful and saves time for all!
As discussed I am sharing the steps we performed to configure the Hyper-V replication over SSL.
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a self-signed Primary root authority certificate:
makecert -pe -n "CN=PrimaryRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryRootCA.cer"
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:
makecert -pe -n "CN=VMHost1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 primaryCert.cer
• Run the below mentioned command from an elevated command prompt on Vmhost2 to create a self-signed Replica root authority certificate:
makecert -pe -n "CN=ReplicaRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaRootCA.cer"
• Run the below mentioned command from an elevated command prompt on Vmhost1 to create a new certificate signed by the primary root authority certificate:
makecert -pe -n "CN=VMHost2" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "primaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 replicaCert.cer
• Create the below mentioned keys on both the Hyper-V hosts:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication
REG_DWORD = DisableCertRevocationCheck with value 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication
REG_DWORD = DisableCertRevocationCheck with value 1
• Copy "PrimaryRootCA.cer" created in step 1 to VMhost2 & copy "ReplicaRootCA.cer" created in step 3 to VMHost1
• Run the below mentioned command on Vmhost1
Certutil -addstore -f root "replicarootca.cer"
• Run the below mentioned command on Vmhost2
certutil -addstore -f root "primaryrootca.cer"
• After that configure the Hyper-V replication selecting the appropriate certificate.
Thx AlexS_Tech,
I followed your comment and everything works fine from the first time.
Great post.
Koen
Hi Praveen,
Just to get my concepts right: when enabling replication of a VM from PrimaryServer to ReplicaServer, which certificate should we be using? The one from PrimaryServer.cer or the one from ReplicaServer.cer?
Thank you!
A useful tip to solve my problem number 1 above, but also for everybody to save time, is to open the Certificate Stores of both hosts in the SAME mmc console, and use drag and drop (holding down CTRL to copy, not move) to take all the certificates to their final places.
Just use the mouse to copy the Root certificates to the other server, and to copy the other Personal certificates WITH their private keys (you can see a little key on its icon) from one host to the other.
Much easier this way, and avoids that pitfall about not being able to export with private key.
I get the "The revocation function was unable to check revocation because the revocation server was offline. (0x80092013)." error while trying to set up the certificate-based authentication. The "certutil -verify -urlfetch c:TestExportDest1.cer" command has no problem issuing the "Leaf certificate revocation check passed / CertUtil: -verify command completed successfully." output, so the certificate looks good, and I AM able to browse the CDP mentioned on the certificate and manually download the CRL and Delta, which means that the server is indeed online.
What would the problem be then? I have no problem providing you the actual certificate I am trying to install on both servers.
FYI: I didn't use certutil and actually used the certificate service to generate the certificates. The EKUs are OK and the root CA is indeed imported already, as well as the cert itself. There are multiple CDPs on the certificate, only 1 of which is valid over the internet, which works on a weird port (my only suspicion so far).
‘Hyper-V Replica Broker hypervbk01’ failed to start the network listener on destination node ‘HYPERV027’: Cannot find object or property. (0x80092004). Please look at the event log on destination node for more details.
Absolutely perfect, thank you so much. Simple to follow, worked first time.
The initial instructions of AlexS_Tech somehow do not lead to a valid registered certificate on the receiving server. His later solution to export and import the certificate is a bit hidden in Windows 2012 R2; the certificate's right-click menu item is called "All Tasks". It has been quite a struggle to get a working workgroup replica server (without domain), mostly because certificate creation was new to me, but thanks to these contributions on the Internet the server set is up and running now. This client has a maximum possible data loss of less than six minutes now instead of 24 hours, using 2 inexpensive servers and 2 physical office locations 100m apart with 1Gbit UTP cable.
No valid certificate found after I followed AlexS_Tech
I’ve used this post a few times, thanks for taking the time to create this. It’s been a great help.
Thank You! Very Helpful and I appreciate your taking the time to write this blog post.
The way to do it with New-SelfSignedCertificate cmdlet using PowerShell 5.0 instead of MakeCert tool – http://blog.fedenko.info/2016/06/hyper-v-replica-with-self-signed.html