Creating a self-signed certificate for hyper-v replication for servers in a workgroup

I have two win 2012 R2 servers in a workgroup both running hyper-v. I am trying to create a self-signed certificate to enable replication.  I have downloaded Makecert.exe (the win 8.1 version) and I am using the following command.

makecert -pe -n “CN=FirstRootCA” -ss root -sr LocalMachine -sky signature -r “FirstRootCA.cer”

I am receiving the following error:

Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597)

I have never been very good with certificates – so should I run the command exactly as it is written or should I substitute server name / workgroup (or something) for FirstRootCA and LocalMachine?

Also the next line to execute asks for FQDN1 – both servers are members of a workgroup – so what should be there?

The ADC is a VM and all of the VMs are members of a domain (total of 8 VMs).  I am following instructions as specified in the following post:

makecert -pe -n "CN=[FQDN1]" -ss my -sr LocalMachine -sky exchange -eku, -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer

Copy SecondRootCA.cer from Second Hyper-V

certutil -addstore -f Root "SecondRootCA.cer"

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
David Johnson, CD
cooperrd


Based on the link you provided it appears that I have to create a Primary DNS suffix. This helped a lot.

It also seems that I can purchase a cert and not have to create a self-signed cert.  Is this correct?
I finally have replication working.  I ended up purchasing a Standard UCC SSL from GoDaddy.  I had a .net of the domain; this had to be done because you have to have a real domain extension to register a cert now.  I added both server names.  Because my Hyper-V hosts are only running the Hyper-V role I had to create the cert request on a machine that had IIS on it.  Once I added the cert to that machine I exported it to a PFX file and then added it to the Hyper-V machines.

You MUST edit the hosts file on the primary machine to include the IP and name of the secondary machine, otherwise the primary Hyper-V cannot resolve the FQDN when you set up replication.

This blog post and the links within were very helpful.

In addition to replication – we are using Altaro Hyper-V Backup to create local and offsite backups of all VMs.  This may seem like overkill, but we suffered a complete system failure on an SBS 2008 box and the client was down completely for 2 days and it took another 6 days to really get everything back online (50 users).  We had good backups – but unless you keep a spare server around for parts you are going to have extended downtime. I am getting too old for that kind of stress.

I know how hard it is today to get small businesses to spend what they really need on their IT budgets.  If they don’t there will be a price to pay.
Even though I did not use the self-signed cert – the links enabled me to resolve the problem.
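A PowerShell pre-flight script, added here as an example (it is not from this thread, Microsoft, or the linked blog), that checks on one Hyper-V host the prerequisites the thread works through: the primary DNS suffix, a server-authentication certificate for the host FQDN in the machine store, the partner's root certificate in the trusted root store, the revocation-check registry override used on the self-signed path, and name resolution of the partner (hosts file or DNS). The partner FQDN and root thumbprint are placeholders to be filled in by the operator.

```powershell
# Added example, not from the thread: pre-flight checks on one Hyper-V host
# for the replication prerequisites discussed above. Run on each host.
# Placeholders (assumptions): the partner host's FQDN and the thumbprint of
# the partner's root/CA certificate (visible with: certutil -store Root).
param(
    [string]$PartnerFqdn = 'replica-host.example.net',        # placeholder
    [string]$PartnerRootThumbprint = 'PLACEHOLDER_THUMBPRINT'  # placeholder
)
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Primary DNS suffix: without it a workgroup host has no FQDN to put in the cert.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = (Get-ItemProperty $tcpip).Domain
Add-Check 'Primary DNS suffix set' (-not [string]::IsNullOrEmpty($suffix)) "$suffix"
$localFqdn = if ($suffix) { "$env:COMPUTERNAME.$suffix" } else { $env:COMPUTERNAME }

# 2. A cert with a private key, the host FQDN as DNS name and the
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.DnsNameList | ForEach-Object Unicode) -contains $localFqdn -and
    ($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains '1.3.6.1.5.5.7.3.1'
} | Select-Object -First 1
Add-Check "Server-auth cert for $localFqdn in LocalMachine\My" ($null -ne $cert) "$($cert.Thumbprint)"

# 3. The partner's root certificate must be in the trusted root store
#    (this is what "certutil -addstore -f Root" in the instructions does).
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $PartnerRootThumbprint
Add-Check 'Partner root cert in LocalMachine\Root' ($null -ne $root) $PartnerRootThumbprint

# 4. Self-signed certs publish no CRL, so the instructions disable the revocation
#    check via the registry. Not needed when a purchased CA-issued cert is used.
$repl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$flag = (Get-ItemProperty $repl -ErrorAction SilentlyContinue).DisableCertRevocationCheck
Add-Check 'DisableCertRevocationCheck = 1 (self-signed path only)' ($flag -eq 1) "$flag"

# 5. The partner FQDN must resolve (hosts file entry or DNS) or replication setup fails.
try   { $addr = ([System.Net.Dns]::GetHostAddresses($PartnerFqdn))[0].IPAddressToString; $ok = $true }
catch { $addr = $_.Exception.Message; $ok = $false }
Add-Check "Partner FQDN $PartnerFqdn resolves" $ok $addr

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Check 4 only matters on the self-signed path; with a purchased certificate, as in the final post above, it can be ignored.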