Creating a self-signed certificate for hyper-v replication for servers in a workgroup

cooperrd
I have two win 2012 R2 servers in a workgroup both running hyper-v. I am trying to create a self-signed certificate to enable replication.  I have downloaded Makecert.exe (the win 8.1 version) and I am using the following command.

makecert -pe -n “CN=FirstRootCA” -ss root -sr LocalMachine -sky signature -r “FirstRootCA.cer”

I am receiving the following error:

Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597)
Failed

I have never been very good with certificates – so should I run the command exactly as it is written or should I substitute server name / workgroup (or something) for FirstRootCA and LocalMachine?

Also the next line to execute asks for FQDN1 – both servers are members of a workgroup – so what should be there?

The ADC is a VM and all of the VMs are members of a domain (total of 8 VMs). I am following instructions as specified in the following post;

http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication 

makecert -pe -n "CN=[FQDN1]" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer

Copy SecondRootCA.cer from Second Hyper-V

certutil -addstore -f Root "SecondRootCA.cer"

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Top Expert 2016
Commented:
In a workgroup the FQDN is just the server name.
On server 1 (replace SERVER1 with the actual name):
makecert -pe -n "CN=SERVER1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer


On the second machine (replace SERVER2 with the actual name):
makecert -pe -n "CN=SERVER2" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "SecondRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SecondServer.cer


Import FirstServer.cer to Server 2.
Import SecondServer.cer to Server 1.
Now you need to create a machine certificate that doesn't have the private key.

Create a batch file that has the commands you need, browse to the location of the batch file, then right-click it and run as administrator (very important).
A better walkthrough is here: http://blog.powerbiz.net.au/hyperv/hyper-v-replica-for-small-business/
Remember these commands are run on the host server and not the VMs.
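As an added pre-flight check (not code from this thread or from the linked blog), the PowerShell below verifies on one host that the pieces the steps above produce are actually in place: a machine certificate whose CN is the host name, carrying a private key and both EKUs, a chain that builds to a trusted root, the DisableCertRevocationCheck value, and a partner name that resolves. The $PartnerName parameter is an assumed name; run the script in an elevated PowerShell on the Hyper-V host itself.

```powershell
# Added example, not code from the thread or the linked blog: pre-flight checks for
# certificate-based Hyper-V Replica on a workgroup host. Run elevated on the host.
# Assumption: $PartnerName is the other host's name as entered in the Replica settings.
param([Parameter(Mandatory = $true)][string]$PartnerName)

$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (first OID in makecert -eku)
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (second OID in makecert -eku)
$HostName   = $env:COMPUTERNAME     # in a workgroup the "FQDN" is just the host name
$Problems   = @()

# 1. A certificate in LocalMachine\My whose CN is this host, unexpired, with a private key,
#    and carrying both EKUs; otherwise Replica will not offer it in the certificate picker.
$Candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($HostName))(,|$)"
}
$Good = foreach ($c in $Candidates) {
    $eku  = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if (($oids -contains $ServerAuth) -and ($oids -contains $ClientAuth)) { $c }
}
if (-not $Good) {
    $Problems += "No usable certificate for CN=$HostName in LocalMachine\My (private key + both EKUs)"
}

# 2. The chain must build to a root this machine trusts (the .cer imported with certutil).
#    Revocation is skipped: a self-signed root publishes no CRL, which is why the thread
#    sets DisableCertRevocationCheck in the first place.
foreach ($c in $Good) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($c)) {
        $Problems += "Chain for $($c.Thumbprint) fails: $($chain.ChainStatus.StatusInformation -join '; ')"
    }
}

# 3. The registry switch from the thread (needed while the root is self-signed).
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$Reg = Get-ItemProperty -Path $RegPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
if (-not $Reg -or $Reg.DisableCertRevocationCheck -ne 1) {
    $Problems += 'DisableCertRevocationCheck is not 1; a self-signed root cannot pass a revocation check'
}

# 4. The partner must resolve by name (DNS or the hosts file) before replication is enabled.
try   { [void][System.Net.Dns]::GetHostAddresses($PartnerName) }
catch { $Problems += "Cannot resolve '$PartnerName'; add it to System32\drivers\etc\hosts" }

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "$HostName is ready for certificate-based Replica with $PartnerName" }
```

Run it on both hosts, each time naming the other host as the partner, since the certificate and root-store steps in the thread are mirrored on each side.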

Author

Commented:
Based on the link you provided it appears that I have to create a Primary DNS suffix. (http://blog.powerbiz.net.au/hyperv/how-to-set-up-hyper-v-replica-for-small-businesses) This helped a lot.

It also seems that I can purchase a cert and not have to create a self-signed cert. Is this correct?

Author

Commented:
I finally have replication working. I ended up purchasing a Standard UCC SSL from GoDaddy. I had a .net of the domain; this had to be done because you have to have a real domain extension to register a cert now. I added both server names. Because my Hyper-V hosts are only running the Hyper-V role, I had to create the cert request on a machine that had IIS on it. Once I added the cert to that machine I exported it to a PFX file and then added it to the Hyper-V machines.

You MUST edit the hosts file on the primary machine to include the IP and name of the secondary machine, otherwise the primary Hyper-V cannot resolve the FQDN when you set up replication.

This blog post and the links within were very helpful: http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication

In addition to replication – we are using Altaro Hyper-V Backup to create local and offsite backups of all VMs. This may seem like overkill, but we suffered a complete system failure on an SBS 2008 box and the client was down completely for 2 days and it took another 6 days to really get everything back online (50 users). We had good backups – but unless you keep a spare server around for parts you are going to have extended downtime. I am getting too old for that kind of stress.

I know how hard it is today to get small businesses to spend what they really need on their IT budgets.  If they don’t there will be a price to pay.

Author

Commented:
Even though I did not use the self-signed cert – the links enabled me to resolve the problem.
