 

 

How to create Self-signed Certificates for Hyper-V Replica  - Step by step with screenshots 

 


Before we start, we need to download Makecert.exe from the Microsoft website.


On the Windows Server 2012 A (Primary Server)
1. Open a command prompt with administrator rights.

2. Run this command to create a self-signed root authority certificate:


makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"



  

Note: PrimaryTestRootCA.cer will be saved in C:\Windows\system32 or C:\Windows\sysWOW64, depending on the OS.

3. Run this command to create a new certificate signed by the test root authority certificate:


makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer


Replace <FQDN> with the FQDN of Windows Server A, for example:


makecert -pe -n "CN=win2012a.chicagotech.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer

 

4. Verify that the certificates have been created in the Certificates (Local Computer) console, under both Personal and Trusted Root Certification Authorities.

 

 

 

 

 

On the Windows Server B (Recovery or Replica Server)
1. Open a command prompt with administrator rights.
2. Run this command to create a self-signed root authority certificate:

makecert -pe -n "CN=RecoveryTestRootCA" -ss root -sr LocalMachine -sky signature -r "RecoveryTestRootCA.cer"

 

3. Run this command to create a new certificate signed by the test root authority certificate:

makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer

Replace <FQDN> with the FQDN of Windows Server B, for example:

makecert -pe -n "CN=win2012b.chicagotech.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer
 

 

Finishing Up

1. Copy "RecoveryTestRootCA.cer" (located in C:\Windows\system32 or C:\Windows\sysWOW64) from the Replica server to the Primary server and import it by running the following command from an elevated command prompt:

certutil -addstore -f Root "RecoveryTestRootCA.cer"

 

2. Copy "PrimaryTestRootCA.cer" from the Primary server to the Replica server and import it by running the following command from an elevated command prompt:

certutil -addstore -f Root "PrimaryTestRootCA.cer"

3. By default, a certificate revocation check is mandatory, and self-signed certificates don't support revocation checks. Hence, modify the following registry key on both the Primary and Replica servers to disable the CRL check:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
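
The following PowerShell script is an added example, not part of the original article. It checks on one server that the steps above produced what Hyper-V Replica needs: both root certificates in the Trusted Root store, a server certificate in the Personal store with a private key and both EKUs, and the registry value set. The parameter names are hypothetical and their defaults are the article's example names for the Primary server; swap the two root names and the FQDN when running it on the Replica server.

```powershell
# Added example: verify the results of the makecert, certutil and reg steps on one server.
# Run from an elevated PowerShell session. Defaults are the article's Primary server names.
param(
    [string]$Fqdn       = 'win2012a.chicagotech.local',
    [string]$LocalRoot  = 'PrimaryTestRootCA',
    [string]$RemoteRoot = 'RecoveryTestRootCA'
)

$required = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # Server and Client Authentication
$problems = @()

# Both root certificates must be in LocalMachine\Root (Trusted Root Certification Authorities).
foreach ($name in $LocalRoot, $RemoteRoot) {
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$name" }
    if (-not $root) { $problems += "Root 'CN=$name' is missing from LocalMachine\Root" }
}

# The server certificate must be in LocalMachine\My (Personal), issued by the local root.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.Issuer -eq "CN=$LocalRoot" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    $problems += "No certificate 'CN=$Fqdn' issued by 'CN=$LocalRoot' in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey)      { $problems += 'Server certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += 'Server certificate has expired' }
    # Read the EKU OIDs straight from the certificate's Enhanced Key Usage extension.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    foreach ($oid in $required) {
        if ($ekus -notcontains $oid) { $problems += "Server certificate lacks EKU $oid" }
    }
}

# The revocation-check override set by the reg add command in "Finishing Up".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$val = (Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($val -ne 1) { $problems += 'DisableCertRevocationCheck is not set to 1' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else {
    "OK: $($cert.Subject) thumbprint $($cert.Thumbprint)"
}
```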

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.