  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 830

Hyper-V Replica Self Signed cert authentication on different domains

I want to enable replication from a Hyper-V server to another Hyper-V server at the datacenter.  But the two  Hyper-V servers are not part of the same AD network.   I've been looking into some articles.   But I'm still a little confused.  The server at the datacenter is already receiving replication from a Hyper-V on the same AD network.   No problem here.

Do I need a SAN certificate that will have all domains listed?

Thanks
Asked by: quadrumane

3 Solutions

David Johnson, CD, MVP (Owner) commented:
You have to create the certificate on each machine and import the other server's self-signed certificate.

Since self-signed certificates don't have a revocation URL and Hyper-V Replica checks for revocation, you have to do the following on both servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f



Complete walkthrough is available at http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
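The procedure from the answer above, written out as an added PowerShell example (this is not code from the thread or from the linked walkthrough, which uses makecert). It assumes Windows Server 2016 or later (New-SelfSignedCertificate with -Subject and -TextExtension), an elevated session, and a folder C:\Certs used to hand the exported .cer files between the two hosts; the file name peer.cer for the other server's certificate is an assumption. Run it on both servers.

```powershell
# Added example, not from the original thread. Creates a self-signed certificate that
# meets the Hyper-V Replica requirements (X.509v3, Subject = local FQDN, EKU = Server +
# Client Authentication), exports its public part for the peer, imports the peer's
# public certificate, and disables the CRL check a self-signed certificate cannot pass.
# Assumptions: Windows Server 2016+, elevated PowerShell, C:\Certs as exchange folder,
# the other server's exported certificate saved as C:\Certs\peer.cer.

$ErrorActionPreference = 'Stop'
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. primary.domain1.com
$certDir = 'C:\Certs'                                                    # assumed exchange folder
$peerCer = Join-Path $certDir 'peer.cer'                                 # assumed name of the OTHER server's .cer
New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# 1. Self-signed certificate in the machine store.
#    EKU OIDs: 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
$cert = New-SelfSignedCertificate `
    -Subject "CN=$fqdn" -DnsName $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(5)

# 2. Check the requirements quoted in the thread before touching Hyper-V.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if (-not ($ekus -contains '1.3.6.1.5.5.7.3.1' -and $ekus -contains '1.3.6.1.5.5.7.3.2')) {
    throw 'Certificate lacks the Server Authentication or Client Authentication EKU'
}
if ($cert.Subject -ne "CN=$fqdn") { throw "Subject '$($cert.Subject)' is not the local FQDN" }
if ($cert.Version -ne 3)          { throw 'Not an X.509 v3 certificate' }

# 3. Export ONLY the public certificate (no private key) for the other server.
Export-Certificate -Cert $cert -FilePath (Join-Path $certDir "$fqdn.cer") -Type CERT | Out-Null
"Thumbprint to select under Hyper-V Settings > Replication Configuration: $($cert.Thumbprint)"

# 4. Import the peer's public certificate. It is self-signed, so it must go into
#    Trusted Root Certification Authorities or chain building on this host fails.
if (Test-Path $peerCer) {
    Import-Certificate -FilePath $peerCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 5. Self-signed certificates carry no CRL distribution point and Hyper-V Replica checks
#    revocation, so set the same value as the reg add command in the answer above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
New-ItemProperty -Path $key -Name DisableCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
```

Step 4 only trusts the other host's certificate; it does not select it anywhere. The only certificate you pick in the Hyper-V Replica settings is the local one from step 1, and the Trusted Root import is what lets each side validate the other's presented certificate. Turning off the revocation check removes your ability to revoke a compromised host certificate, so rotate by deleting the old entry from the peer's Trusted Root store when you replace a certificate.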
Svet Paperov (IT Manager) commented:
Microsoft documentation says that the certificate must be an X.509v3 certificate for which Enhanced Key Usage (EKU) supports both Client Authentication and Server Authentication.

Creating a self-signed certificate on both the primary and replica servers is a relatively easy process. Follow the instructions here: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx and http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication/

When using self-signed certificates, you will have to export the public certificates and import them on respective servers.

Each certificate must have the FQDN of the server as Subject Name, or it can be a wildcard certificate. No, you don’t need to put both domains in each certificate – just the local server’s FQDN like primary.domain1.com for the Primary server and replica.domain2.com for the Replica. http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

If you have a Root CA on Windows Server 2012 Datacenter, it can also be used to generate the certificates. The best solution would be using a public CA, as for a web server certificate, but since the certificates will be used to authenticate private communication, issuing them from a public CA is not required.

quadrumane (Author) commented:
Thank you for the enlightenment. I have a better understanding. Two last questions.

1 - In my understanding, if many source servers from different domains are replicated on the Replica server, only the certificate created locally (on the replica server) will be selected in Hyper-V Settings / Replication Configuration. But if each certificate from each Hyper-V source server is exported and imported on the Hyper-V replica server, it can't work, as only one certificate can be selected in Hyper-V.

2 - If I use a public (DigiCert) SSL certificate on the Replica server, do I still need to export the self-signed certificates from the Hyper-V source servers?

Thanks again

Svet Paperov (IT Manager) commented:
Q1:
It will work because, in Hyper-V Replica, you select the local certificate and not the public certificates exported from the primary servers. Here is how PKI works in general: the source server identifies itself with its (private) certificate on the target server; the target server checks the certificate chain until it finds the fingerprint of the (public) certificate of the issuer (the name of the issuer is included in the certificate).

In the case of Hyper-V Replica, both primary and replica server authenticate each other in that way. Don't forget that on the replica server, you can still lock down the allowed primary servers with "Allow Replication From The Specified Servers".

Q2:
If you are using a self-signed certificate on the primary server, yes, its public certificate must be exported and imported on the replica server. However, if a publicly-signed certificate is used, its certificate chain already exists in Windows Server. I would recommend using a publicly-signed certificate on the primary server as well.

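The replica-side part of the two answers above, as an added PowerShell example (not code from the thread): enabling certificate authentication with the replica's own local certificate (Q1), restricting the allowed primaries with "Allow Replication From The Specified Servers", and then building the chain for each primary's exported public certificate to see whether it is trusted on this host (Q2: a self-signed primary certificate only chains after it has been imported, a publicly-signed one chains out of the box). Assumed: Windows Server 2012 R2 or later with the Hyper-V module, an elevated session, replica storage on D:\Replica, the constructed primary names primary.domain1.com and primary.domain3.com, and each primary's .cer file dropped in C:\Certs as primary.<domain>.cer.

```powershell
# Added example, not from the original thread. Run on the REPLICA server.
# Assumptions: Hyper-V PowerShell module present, elevated session, D:\Replica exists,
# the replica's own certificate (Subject CN=<local FQDN>, private key present) is in
# Cert:\LocalMachine\My, primary hosts and .cer file names below are constructed.

$ErrorActionPreference = 'Stop'
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$local = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $local) { throw "No certificate with Subject CN=$fqdn and a private key in LocalMachine\My" }

# 1. Certificate authentication with the LOCAL certificate only. The primaries' public
#    certificates are never selected here; they are only trusted (Trusted Root or a known CA).
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $local.Thumbprint `
    -ReplicationAllowedFromAnyServer $false

# 2. Lock down which primaries may replicate instead of accepting any host that can
#    present a trusted certificate. TrustGroup controls which primaries may move VMs
#    between themselves; one group per customer domain keeps them apart.
$primaries = @{ 'primary.domain1.com' = 'Domain1'; 'primary.domain3.com' = 'Domain3' }   # constructed
foreach ($p in $primaries.GetEnumerator()) {
    if (-not (Get-VMReplicationAuthorizationEntry -AllowedPrimaryServer $p.Key -ErrorAction SilentlyContinue)) {
        New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $p.Key `
            -ReplicaStorageLocation 'D:\Replica' -TrustGroup $p.Value | Out-Null
    }
}

# 3. Build the chain for each primary's public certificate the way the replica will:
#    Client Authentication EKU required, revocation not checked (DisableCertRevocationCheck=1).
function Test-PeerCertificateChain {
    param([string]$CerPath)
    $peer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2') | Out-Null
    $ok = $chain.Build($peer)
    [pscustomobject]@{
        Subject    = $peer.Subject
        Issuer     = $peer.Issuer
        SelfSigned = ($peer.Subject -eq $peer.Issuer)   # self-signed: must be in LocalMachine\Root to pass
        ChainOK    = $ok
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Constructed file names: the .cer each primary's admin handed over.
Get-ChildItem 'C:\Certs\primary.*.cer' | ForEach-Object { Test-PeerCertificateChain $_.FullName } | Format-Table -AutoSize
```

A self-signed primary certificate that has not been imported shows ChainOK False with Status UntrustedRoot; a DigiCert-issued one shows ChainOK True without any import because the public root is already in the Windows store. That is the practical difference behind the answer to Q2, and step 2 is what stops a third party who somehow obtains a certificate your host trusts from pushing replicas to you.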
quadrumane (Author) commented:
Thanks for the explanations.