cooperrd
asked on
Creating a self-signed certificate for hyper-v replication for servers in a workgroup
I have two win 2012 R2 servers in a workgroup both running hyper-v. I am trying to create a self-signed certificate to enable replication. I have downloaded Makecert.exe (the win 8.1 version) and I am using the following command.
makecert -pe -n "CN=FirstRootCA" -ss root -sr LocalMachine -sky signature -r "FirstRootCA.cer"
I am receiving the following error:
Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597)
Failed
I have never been very good with certificates – so should I run the command exactly as it is written or should I substitute server name / workgroup (or something) for FirstRootCA and LocalMachine?
Also the next line to execute asks for FQDN1 – both servers are members of a workgroup – so what should be there?
The ADC is a VM and all of the VMs are members of a domain (total of 8 VMs). I am following instructions as specified in the following post:
http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication
makecert -pe -n "CN=[FQDN1]" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "FirstRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 FirstServer.cer
Copy SecondRootCA.cer from Second Hyper-V
certutil -addstore -f Root "SecondRootCA.cer"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
ASKER
I finally have replication working. I ended up purchasing a Standard UCC SSL from GoDaddy. I had a .net of the domain; this had to be done because you have to have a real domain extension to register a cert now. I added both server names. Because my Hyper-V hosts are only running the Hyper-V role I had to create the cert request on a machine that had IIS on it. Once I added the cert to that machine I exported it to a PFX file and then added it to the Hyper-V machines.
You MUST edit the hosts file on the primary machine to include the IP and name of the secondary machine, otherwise the primary Hyper-V cannot resolve the FQDN when you set up replication.
This blog post and the links within were very helpful. http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication
In addition to replication – we are using Altaro Hyper-V Backup to create local and offsite backups of all VMs. This may seem like overkill, but we suffered a complete system failure on an SBS 2008 box and the client was down completely for 2 days and it took another 6 days to really get everything back online (50 users). We had good backups – but unless you keep a spare server around for parts you are going to have extended downtime. I am getting too old for that kind of stress.
I know how hard it is today to get small businesses to spend what they really need on their IT budgets. If they don't there will be a price to pay.
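A readiness check that ties together the steps from the question (a certificate in LocalMachine\My with both Server and Client Authentication EKUs that chains to a trusted root, plus the DisableCertRevocationCheck value) and the asker's final setup (a hosts file entry so the replica partner's FQDN resolves). This is an added example, not code from the post or the linked blog; the host names are placeholders and the HTTPS replication port is assumed to be the default 443.

```powershell
# Hyper-V replication certificate readiness check (added example; run elevated on each host).
param(
    [string]$LocalFqdn = 'hv1.example.local',   # placeholder: this host's FQDN as used in the cert
    [string]$PeerFqdn  = 'hv2.example.local'    # placeholder: the replica partner's FQDN
)
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

# 1. A certificate for this host must sit in LocalMachine\My with its private key
#    (the -ss my -sr LocalMachine store from the makecert command, or the imported PFX).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Subject -eq "CN=$LocalFqdn" -or $_.DnsNameList.Unicode -contains $LocalFqdn) -and $_.HasPrivateKey
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate with a private key for $LocalFqdn in LocalMachine\My"; return }

# 2. Both EKUs from the -eku list in the question must be present.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
foreach ($oid in $ServerAuth, $ClientAuth) {
    if ($ekus -notcontains $oid) { Write-Warning "Certificate $($cert.Thumbprint) lacks EKU $oid" }
}

# 3. The chain must build to a root this machine trusts. On the partner, that is what
#    'certutil -addstore -f Root' installs; revocation is evaluated separately in step 4.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain for $($cert.Thumbprint) does not build: $why"
}

# 4. Self-signed certs have no CRL, which is why the post sets DisableCertRevocationCheck=1.
#    Report it: with a purchased cert (the asker's final setup) it should be absent or 0.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$rev = (Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($rev -eq 1) { Write-Warning 'DisableCertRevocationCheck=1: certificate revocation is not checked for replication' }

# 5. In a workgroup the partner FQDN only resolves via the hosts file; confirm that and
#    that the replica listener accepts a TCP connection on the HTTPS port (default 443).
try   { $ip = [System.Net.Dns]::GetHostAddresses($PeerFqdn) | Select-Object -First 1 }
catch { Write-Warning "$PeerFqdn does not resolve; add it to C:\Windows\System32\drivers\etc\hosts"; return }
$reachable = Test-NetConnection -ComputerName $PeerFqdn -Port 443 -InformationLevel Quiet
Write-Output ("Cert {0} ({1}); peer {2} -> {3}; port 443 reachable: {4}" -f `
    $cert.Thumbprint, $cert.Subject, $PeerFqdn, $ip, $reachable)
```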
ASKER
Even though I did not use the self-signing cert – the links enabled me to resolve the problem
ASKER
It also seems that I can purchase a cert and not have to create a self-signed cert. Is this correct?