cooperrd
 asked on

Creating a self-signed certificate for hyper-v replication for servers in a workgroup

I have two win 2012 R2 servers in a workgroup both running hyper-v. I am trying to create a self-signed certificate to enable replication.  I have downloaded Makecert.exe (the win 8.1 version) and I am using the following command.

makecert -pe -n “CN=FirstRootCA” -ss root -sr LocalMachine -sky signature -r “FirstRootCA.cer”

I am receiving the following error:

Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597)
Failed

I have never been very good with certificates – so should I run the command exactly as it is written or should I substitute server name / workgroup (or something) for FirstRootCA and LocalMachine?

Also the next line to execute asks for FQDN1 – both servers are members of a workgroup – so what should be there?

The ADC is a VM and all of the VMs are members of a domain (total of 8 VMs). I am following instructions as specified in the following post:

http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication 

makecert -pe -n "CN=[FQDN1]" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer

Copy SecondRootCA.cer from Second Hyper-V

certutil -addstore -f Root "SecondRootCA.cer"

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Microsoft Virtual Server, Windows Server 2012, Hyper-V

Last Comment
cooperrd

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
David Johnson, CD

cooperrd

ASKER
Based on the link you provided it appears that I have to create a Primary DNS suffix. (http://blog.powerbiz.net.au/hyperv/how-to-set-up-hyper-v-replica-for-small-businesses) This helped a lot.

It also seems that I can purchase a cert and not have to create a self-signed cert. Is this correct?
cooperrd

ASKER
I finally have replication working. I ended up purchasing a Standard UCC SSL from GoDaddy. I had a .net of the domain; this had to be done because you have to have a real domain extension to register a cert now. I added both server names. Because my Hyper-V hosts are only running the Hyper-V role, I had to create the cert request on a machine that had IIS on it. Once I added the cert to that machine I exported it to a PFX file and then added it to the Hyper-V machines.

You MUST edit the hosts file on the primary machine to include the IP and name of the secondary machine, otherwise the primary Hyper-V cannot resolve the FQDN when you set up replication.

This blog post and the links within were very helpful: http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication

In addition to replication – we are using Altaro Hyper-V Backup to create local and offsite backups of all VMs. This may seem like overkill, but we suffered a complete system failure on an SBS 2008 box and the client was down completely for 2 days, and it took another 6 days to really get everything back online (50 users). We had good backups – but unless you keep a spare server around for parts you are going to have extended downtime. I am getting too old for that kind of stress.

I know how hard it is today to get small businesses to spend what they really need on their IT budgets.  If they don’t there will be a price to pay.
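A verification script for the setup this thread describes (the makecert/certutil/reg add steps from the question and the hosts-file requirement from the post above), added here as an example; it is not part of the thread or the linked blog. It assumes PowerShell 4 on Server 2012 R2, run elevated on the primary Hyper-V host; the two FQDNs are placeholders and $PartnerRoot is the partner root subject used in the question.

```powershell
# Added example: checks the Hyper-V Replica certificate prerequisites from this thread.
# Assumes PowerShell 4 on Server 2012 R2, run elevated on the primary host.
param(
    [string]$LocalFqdn   = "$env:COMPUTERNAME.example.net",  # placeholder: this host's FQDN
    [string]$PartnerFqdn = 'secondserver.example.net',       # placeholder: replica partner FQDN
    [string]$PartnerRoot = 'CN=SecondRootCA'                 # partner root subject, as in the question
)
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as in the makecert -eku list
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
# 1. A cert for this host's FQDN with a private key and both EKUs must be in LocalMachine\My
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.Subject -eq "CN=$LocalFqdn" -or $_.DnsNameList.Unicode -contains $LocalFqdn) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuth)
} | Select-Object -First 1
if (-not $cert) { Write-Warning "No usable replication certificate for $LocalFqdn in LocalMachine\My" }
else { "Certificate OK: $($cert.Subject), thumbprint $($cert.Thumbprint)" }
# 2. The chain must build to a trusted root (FirstRootCA for makecert, the public CA for a purchased cert)
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain test only; revocation is reported in step 5
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain does not build for $($cert.Subject): $why"
    }
}
# 3. The partner's root (copied over and added with certutil -addstore Root) must be trusted here
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $PartnerRoot })) {
    Write-Warning "$PartnerRoot is not in LocalMachine\Root; the partner's certificate will not validate"
}
# 4. The partner FQDN must resolve; in a workgroup that usually means a hosts-file entry
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsHit = Get-Content $hostsFile | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($PartnerFqdn))(\s|$)"
}
try { $addrs = [System.Net.Dns]::GetHostAddresses($PartnerFqdn) } catch { $addrs = $null }
if (-not $addrs) { Write-Warning "$PartnerFqdn does not resolve; add '<ip> $PartnerFqdn' to $hostsFile" }
elseif ($hostsHit) { "Partner resolves via hosts file: $($hostsHit -join ' | ')" }
else { "Partner resolves via DNS: $($addrs -join ', ')" }
# 5. DisableCertRevocationCheck=1 is only needed for self-signed certs with no CRL; flag it if set
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$flag = (Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($flag -eq 1) { Write-Warning "DisableCertRevocationCheck=1: revoked replica certificates are still accepted" }
else { "Revocation checking is enabled" }
```

Run it on each host with the roles swapped; a purchased CA-issued certificate (the route taken in the post above) should pass step 2 without the registry flag from step 5.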
cooperrd

ASKER
Even though I did not use the self-signing cert – the links enabled me to resolve the problem.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23