June 26, 2016

Hyper-V Replica with self-signed certificates

I have two standalone, non-domain-joined Hyper-V servers, HV01 and HV02, and need to configure Hyper-V Replica between them. Many blog posts and guides give the syntax for the MakeCert tool, but MakeCert is deprecated and Microsoft recommends the New-SelfSignedCertificate cmdlet instead. That is fine, except that the cmdlet is quite limited in PowerShell 4.0; there is a big difference between New-SelfSignedCertificate in PowerShell 4.0 and 5.0. I will create the self-signed certificates with the new cmdlet, which is why I use a Windows 10 workstation with PowerShell 5.0. The workstation is named ADMIN01.


1. On ADMIN01, generate the root certificate that will be used to sign the certificates for HV01 and HV02. You can add the -NotAfter parameter to set the certificate expiration date; it is omitted here:

New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=www.fedenko.info" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB  CN=www.fedenko.info

2. Create the certificates for HV01 and HV02 and sign them with the root. Make sure the -Signer path uses the thumbprint of the root certificate from step 1.

New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV01" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV02" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

As a result you will see three certificates in the Local Computer certificate store.

3. Export the certificates and copy them to the Hyper-V servers:
On the HV01 certificate click Export, then: Yes, export the private key, Next. Uncheck Include all certificates in the certification path if possible (the root certificate will be copied manually). Specify the password and click Next, specify the file path and click Next, then complete the Certificate Export Wizard by clicking Finish.
Repeat the same for the HV02 certificate. Then export the root certificate (www.fedenko.info in my case); for the root certificate there is no need to export the private key.
4. Import the certificates on the Hyper-V servers: the HV01 and HV02 certificates go into the Personal store of the Local Computer on their respective server, and the root certificate goes into the Trusted Root Certification Authorities store on both. Check the certificate status afterwards.
5. The last trick concerns Certificate Revocation Lists: a self-signed root publishes no CRL, so the revocation check has to be disabled. On each Hyper-V server add the following registry value:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

6. Once all certificates are imported on both servers, Hyper-V Replica can be configured.
On the second server a PowerShell script can be used to achieve the same configuration as above:

PS C:\> Get-ChildItem Cert:LocalMachine\My | fl Subject,Thumbprint

Subject    : CN=HV02
Thumbprint : A03A46DE4085F7EE53D5B3451363AE0B73328F43

Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -CertificateThumbprint "A03A46DE4085F7EE53D5B3451363AE0B73328F43" -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation "D:\Hyper-V\Virtual Hard Disks"

7. Then enable replication at the VM level.
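The whole procedure above as one script, added here as an example and not part of the original post: part A runs on ADMIN01 and generates, signs and exports the certificates without retyping any thumbprint by hand; part B runs on each Hyper-V server, imports them, validates the chain and applies steps 5 and 6. The root subject name, the example.local FQDN suffix, the file paths, the five-year lifetime, SHA256 hashing and the second (FailoverReplication) registry value from the comment thread are assumptions or additions.

```powershell
# ---- Part A: run on ADMIN01 (Windows 10, PowerShell 5.0). Names, paths, FQDN suffix are assumptions. ----
$hosts  = @("HV01", "HV02")
$outDir = "C:\HyperVReplicaCerts"
$pfxPwd = Read-Host -AsSecureString -Prompt "PFX export password"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: root certificate, kept as an object so its thumbprint is never retyped by hand.
$root = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
    -Subject "CN=Hyper-V Replica Root" -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec Signature -KeyUsage CertSign -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(5)

# Step 2: one server-authentication certificate per host, signed by $root. DnsName puts
# both the short name and the FQDN into the SAN; the first entry also becomes the CN.
foreach ($h in $hosts) {
    $leaf = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
        -DnsName $h, "$h.example.local" -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeySpec KeyExchange -HashAlgorithm SHA256 -Signer $root `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
    # Step 3: host certificate leaves with its private key (PFX); the root as public part only.
    Export-PfxCertificate -Cert $leaf -FilePath "$outDir\$h.pfx" -Password $pfxPwd | Out-Null
}
Export-Certificate -Cert $root -FilePath "$outDir\root.cer" -Type CERT | Out-Null

# ---- Part B: run on each Hyper-V server after copying $outDir to C:\cert (assumed path). ----
$pfxPwd = Read-Host -AsSecureString -Prompt "PFX password"
# Step 4: root into Trusted Root, the host's own certificate into the Personal store.
Import-Certificate -FilePath "C:\cert\root.cer" -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
$cert = Import-PfxCertificate -FilePath "C:\cert\$env:COMPUTERNAME.pfx" `
    -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPwd
# Check the chain the way a relying party would. The root publishes no CRL, so revocation
# status can never be determined; that is the reason for the registry value in step 5.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    throw "Certificate chain for $($cert.Subject) does not validate: $status"
}
# Step 5: disable CRL checking for replication and (per the comment thread) for failover.
foreach ($k in "Replication", "FailoverReplication") {
    $p = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\$k"
    New-Item -Path $p -Force | Out-Null
    Set-ItemProperty -Path $p -Name DisableCertRevocationCheck -Value 1 -Type DWord
}
# Step 6: enable the replica server with the thumbprint of the certificate just imported.
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $cert.Thumbprint -ReplicationAllowedFromAnyServer $true `
    -DefaultStorageLocation "D:\Hyper-V\Virtual Hard Disks"
```

Run part A in an elevated PowerShell 5.0 session; run part B elevated on HV01 and then HV02, since the PFX file name is taken from the local computer name.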


28 comments:

  1. AWESOME, searched for hours trying to solve error 0x80092007

    Thanks!!!
  2. Great work sir! wish this post was somewhat more visible on internet.
  3. Very handy, thanks a lot! Best and fastest way. Was very helpful.
  4. Excellent article, exactly what I was looking for replicating from 2012 r2 to 2016 across VPN.
  5. If you are using the free Hyper-V Server, you can't import a cert into localmachine\my via remote MMC.
    Use this script instead ("1" is the password for the certs):

    $mypwd = ConvertTo-SecureString -String "1" -Force -AsPlainText
    Import-PfxCertificate -FilePath C:\cert\HV01.pfx cert:\localMachine\my -Password $mypwd
    Import-PfxCertificate -FilePath C:\cert\HV02.pfx cert:\localMachine\my -Password $mypwd
  6. By default, the keys are generated with SHA1 hash algorithm which is deprecated. To fix that, you can add -HashAlgorithm "SHA256"
  7. Great instructions.... I did know how to set this up on Server 2012 but thanks to you I can now use Server 2016.

    Thank You!
  8. I had tons of problems with the differences between Fully-qualified domain names, and simple computer names. My certificate would only show on HyperV if it had the FQDN, but would only work to start replication (from powershell) if it had a simple computer name! I ended up using this command:

    New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -DnsName "HV01", "HV01.somedomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\D99D4A0F988A78CE87A3A73470C1541236CDFD41" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

    That DnsName parameter will put TWO valid names into the certificate, which makes Hyper-V accept it when before, it wouldn't. (The first DnsName provided will also be used automatically as the CN name).

    Even so, I had another problem when creating the VM replication, it would give error 0x00002EFE "failed to establish connection". I solved this by going into the command-line:

    Enable-VMReplication -VMName "Suite CRM Ubuntu" -AuthenticationType Certificate -CertificateThumbprint "145F7835E57D068BFE3FB120D99D7E0864F30825" -ReplicaServerName "HV02" -ReplicaServerPort 443

    The issue was, again, a problem with FQDNs, but this time the other way around! The Hyper-V GUI always changes your replica server name to add the domain name. From the command line I was able to use only the simple name; after that first step, I can configure all the rest in Hyper-V Manager.

    Finally, a tip for your tutorial: there are TWO registry entries needed on your step 5, you're missing the one for failover:

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

    Anyway, your tutorial was the only thing that got me going on the free Hyper-V Server 2016! Thanks a lot!
  9. Couple questions for remote site replication:

    1) What syntax must the hostname be for each remote site (i.e. no VPN connection between the two)? Is it just a matter of port forwarding to the internal Hyper-V host on each side of the router/firewall?

    2) In response to user 'Pgr' above which certificate thumbprint must be used in order to enable replication?

    I do wish this certificate creation were a little easier, lots of post comment input going on so I'm not sure how valid the OP's post is.
  10. Thank you so much. I've spent hours trying get it to work. Your guide got me up and running very quickly. Thanks again. Andre
  11. Hello,

    thank you very much for this tip.

    By default, expiration time is one year. Is it possible to level up this delay?
    Replies
    1. Hello,
      For example try to add "-NotAfter (Get-Date).AddMonths(24)" parameter to New-SelfSignedCertificate cmdlet to generate a certificate, which expires in 2 years.
  12. This looks a much easier process than I have seen elsewhere, I plan to try it in the next day or so. But, I'm confused with the solution Pgr has offered.

    Enable-VMReplication -VMName "Suite CRM Ubuntu" -AuthenticationType Certificate -CertificateThumbprint "145F7835E57D068BFE3FB120D99D7E0864F30825" -ReplicaServerName "HV02" -ReplicaServerPort 443

    Presumably we need to substitute "Suite CRM Ubuntu" with our own virtual machine name? But I have 5 VM's I want to replicate, do I run this command for each VM?. And replace the thumbprint with which thumbprint?
    Replies
    1. Yes, you are right: replace the name and repeat for each VM. Use the thumbprint of the host certificate where you are setting up the replication.
  13. Hi, nice article, but I can't get it to work. I'm using PS version 5.0.
    The -Type "Custom", -KeyExportPolicy "Exportable" and -Subject fields are not found by PS and are not options as such. Windows 2012 with Framework 5 installed, which gives me PS version 5.
    Any ideas?
    Replies
    1. What output do you get when you run "Get-Host | select version" ?
  14. Thanks for the quick reply!
    get-host | select version
    Version
    -------
    5.0.10586.117
    Replies
    1. Unfortunately, WMF doesn't upgrade cmdlets in PKI module. It is required to use Windows 10 or Windows Server 2016.