How to create Self-Signed Certificates for Hyper-V Replication

Here is the quick and simple lowdown on how to create Self-Signed SSL Certificates for use in Hyper-V Replication. There is a great article on TechNet which gives more background on this process – http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx

You will need Makecert.EXE, which can be found at http://msdn.microsoft.com/en-us/library/bfsktky3.aspx or here – http://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx

On the First Server, in an elevated command prompt.

  1. Run makecert -pe -n "CN=FirstRootCA" -ss root -sr LocalMachine -sky signature -r "FirstRootCA.cer"
  2. Run makecert -pe -n "CN=[FQDN1]" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer
  3. Copy SecondRootCA.cer from Second Hyper-V
  4. Run certutil -addstore -f Root "SecondRootCA.cer"
  5. Run reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

On the Second Server, in an elevated command prompt.

  1. Run makecert -pe -n "CN=SecondRootCA" -ss root -sr LocalMachine -sky signature -r "SecondRootCA.cer"
  2. Run makecert -pe -n "CN=[FQDN2]" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "SecondRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SecondServer.cer
  3. Copy FirstRootCA.cer from First Hyper-V
  4. Run certutil -addstore -f Root "FirstRootCA.cer"
  5. Run reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
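
A check to run in elevated PowerShell on each host once the five steps are done, as an added example that is not part of the original post. It confirms that both root certificates are trusted, that the replication certificate has a private key and both EKUs from step 2, and that the step 5 registry value is set. The variable names are illustrative, and it assumes the host's FQDN (the `[FQDN1]`/`[FQDN2]` value) can be resolved from DNS.

```powershell
# Added example: post-setup check for the procedure above (First Server values shown).
# Assumptions: root names as used in the steps; swap them on the Second Server.
$LocalRootCN = 'CN=FirstRootCA'
$PeerRootCN  = 'CN=SecondRootCA'
$Fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$NeededEku   = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # server auth, client auth
$findings    = @()

# Steps 1 and 4: both root certificates must be in the machine's Trusted Root store.
$roots = Get-ChildItem Cert:\LocalMachine\Root
foreach ($cn in $LocalRootCN, $PeerRootCN) {
    if (-not ($roots | Where-Object { $_.Subject -eq $cn })) {
        $findings += "Missing from LocalMachine\Root: $cn"
    }
}

# Step 2: certificate issued by the local root with this host's FQDN as subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $LocalRootCN -and $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $findings += "No certificate for CN=$Fqdn issued by $LocalRootCN in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired $($cert.NotAfter)" }
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in $NeededEku) {
        if ($oids -notcontains $oid) { $findings += "EKU $oid missing from certificate" }
    }
}

# Step 5: the registry value written by reg add.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$val = (Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($val -ne 1) { $findings += 'DisableCertRevocationCheck is not set to 1' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```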

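Step 5 on each server turns off the certificate revocation check for replication, because test certificates created with makecert do not support it. You can then use these certificates in Hyper-V replication. The steps for setting this up can be found here – http://blog.powerbiz.net.au/hyperv/hyper-v-replica-for-small-business/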

9 thoughts on “How to create Self-Signed Certificates for Hyper-V Replication”

  1. Did anyone have problems with self-signed certs in a configuration where replication originates from Server 2012 with Exchange 2013 on it to Hyper-V Server free 2012? Using CredSS.

  2. Pingback: Gregory Smith
  3. The command below fails with “Error: Too many parameters”

    I have manually entered the command, not copy and paste

    Any ideas?

    makecert -pe -n “CN=itm02.local” -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in “SecondRootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 SecondServer.cer

  4. Use the below and this works for me
    makecert -pe -n “CN=” -ss my -sky exchange -in “FirstRootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 .cer
