Prerequisites

Test Environment

Our test environment consists of two servers that are not joined to a domain, which means we will use a basic workgroup setup for this HowTo (if the two servers are part of a domain in a replica setup with SSL, you can leave out Step 5).

Our setup looks like the following:

  • Hyper-V Host 1 [VMH01] (Primary)
  • Hyper-V Host 2 [VMH02] (Secondary)

1. Creation of the root certificate

In the first step we will create a root certificate that both servers can use.

Run the following command on our primary Host VMH01 to create a self-signed root certificate.

makecert -pe -n "cn=TestHyperVRootCA" -ss root -sr localmachine -sky signature -r "TestHyperVRootCA.cer"

The command installs the certificate into the root store of the local machine and saves the file locally.

2. Creation of host certificates signed with our root certificate

Now we will create the certificates for our Hyper-V hosts (VMH01, VMH02) and sign them with our previously created root certificate.

Please replace <FQDN> with the FQDN of the respective Hyper-V host machine, e.g. VMH01, VMH02.

Run the following command to create a certificate signed by the root certificate for the host VMH01:

makecert -pe -n "cn=<FQDN>" -ss my -sr localmachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "TestHyperVRootCA" -is root -ir localmachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 VMH01Cert.cer

Run the following command to create a certificate signed by the root certificate for the host VMH02:

makecert -pe -n "cn=<FQDN>" -ss my -sr localmachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "TestHyperVRootCA" -is root -ir localmachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 VMH02Cert.cer

The previously executed commands install two certificates into the Personal store of the local machine and save the files locally. The created certificates can be used for both client and server authentication.

3. Export of our certificates to the secondary Host

Open the MMC Certificates snap-in (Local Computer) on our primary host VMH01 and export the certificate (with private key) that has been generated for VMH02 (see screens below).

4. Setup certificates on secondary Host VMH02

Copy TestHyperVRootCA.cer and the above exported certificate (VMH02.pfx) to our secondary Host VMH02.

Run the following command from an elevated prompt on the secondary host to import the self-signed root certificate:

certutil -addstore -f Root "TestHyperVRootCA.cer"

Open the MMC Certificates snap-in (Local Computer) on our secondary host VMH02 and import the certificate (VMH02.pfx) into the Personal store of the server (see screen below).

5. Revocation of self-signed certificates

Please note that by default a certificate revocation check is mandatory, and self-signed certificates don’t support revocation checks on Windows Server 2012.

Please modify the registry key on both machines (primary and secondary) to disable the check:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication\

Set the Value for DisableCertRevocationCheck to 1 (disabled).

Keep in mind that a reboot of the system may be required!
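As an added example (not part of the original HowTo), the following PowerShell function checks on the local host what steps 1 to 5 set up: the host certificate with its private key and both EKUs, trust in the root certificate, and the revocation registry value. The function name Test-ReplicaCertificate and its parameter names are assumptions chosen for illustration; run it on each host with the value used for <FQDN>.

```powershell
# Added example: verifies the results of steps 1-5 on the local host.
# Test-ReplicaCertificate and its parameter names are hypothetical.
function Test-ReplicaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,  # value used for <FQDN> in step 2
        [string]$RootName = 'TestHyperVRootCA'        # root name from step 1
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

    # Host certificate must be in the Personal store of the local machine
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    # Root certificate must be in the Trusted Root store
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$RootName" } | Select-Object -First 1

    $ekus = @(); $trusted = $false; $now = Get-Date
    if ($cert) {
        # Collect the EKU OIDs from the certificate extensions
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        # Build the chain for trust only; revocation is not checked here
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
    }
    # Registry value from step 5 (absent until it has been created)
    $reg = Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue

    [pscustomobject][ordered]@{
        HostCertFound           = [bool]$cert
        HasPrivateKey           = [bool]($cert -and $cert.HasPrivateKey)
        ServerAuthEku           = $ekus -contains $serverAuth
        ClientAuthEku           = $ekus -contains $clientAuth
        WithinValidity          = [bool]($cert -and $now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        IssuedByRoot            = [bool]($cert -and $cert.Issuer -eq "CN=$RootName")
        RootInTrustedStore      = [bool]$root
        ChainTrusted            = $trusted
        RevocationCheckDisabled = [bool]($reg -and $reg.DisableCertRevocationCheck -eq 1)
    }
}

# Example call on the primary host; use the same value that replaced <FQDN>
Test-ReplicaCertificate -Fqdn 'VMH01'
```

Every property should read True on both hosts before replication is configured; a False value points to the step that needs to be repeated.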

5. Publicize servers in the workgroup network via the Windows hosts file

To ensure that our servers can find each other in a non-domain setup, we need to make some small modifications to the hosts file of each server, because Replica only works with FQDN entries.

6. Hyper-V Sample configuration for replication with certificate-based authentication