End to End - Hyper-V Replica with Self-Signed Certs

Tags: Certificates, Hyper-V, Replication, Workgroup, Untrusted Domains, PowerShell

You have a number of Hyper-V hosts which are either members of untrusted domains or are in workgroups, and you want to enable Hyper-V Replica for VMs on those hosts. You may not have an internal CA hierarchy; you may want to use certificates with much longer lifetimes. Microsoft supports Self-Signed certificates for Hyper-V Replica, but some of the instructions are a little out of date and others are either hard to find or missing entirely.

Here are the basic steps you'll need to complete:

  1. Create a new Root CA certificate using PowerShell - New-SelfSignedCertificate
  2. Create certificates for each Hyper-V Server using PowerShell - New-SelfSignedCertificate
  3. Export the certificates and keys from the management station
  4. Import the certificates and keys to each Hyper-V server
  5. Disable Revocation Checks for Hyper-V Replica
  6. Configure the Replica settings for the Hyper-V Host

Create a Root Certificate

Hyper-V Replica requires that the certificates used for replication are not self-signed - they don't necessarily need to be publicly issued (and nowadays that could be impossible if your internal domain name is a .local or similar). This means you'll need to start with at least 2 levels - a root CA certificate and the Hyper-V host certificates.

To generate the root CA certificate, use PowerShell - note that this requires you use Windows 10 or Windows Server 2016, as some of the parameters for New-SelfSignedCertificate weren't available in Server 2012 R2.

# Root CA certificate: CertSign and CRLSign are mandatory so the host certificates chain to it
New-SelfSignedCertificate `
    -DnsName "HV Replica Root CA" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyLength 4096 `
    -HashAlgorithm SHA256 `
    -KeyFriendlyName "HV Replica Root CA" `
    -FriendlyName "HV Replica Root CA" `
    -NotAfter "2117-12-31 23:59:59" `
    -NotBefore "2017-01-01 00:00:00" `
    -KeyUsage CertSign,CRLSign,DigitalSignature

Many of the above parameter values are examples; your own policies and choices might dictate what you can use for Names, Dates, Key Lengths etc. However you must ensure you include the CertSign and CRLSign Key Usages, as otherwise the certificate chain will be invalid. I also recommend strongly that you use SHA256 and at least a 4096 bit key.

Create a Hyper-V Host Certificate

Your Hyper-V host certificates will need to be signed by your Root Certificate. They'll also need the Client Authentication and Server Authentication purposes - this is the default. If you do some of the steps out of order you can see errors from Hyper-V Manager complaining about the purpose of the certificate - in my experience, this is a poor error (it was actually that certificate revocation couldn't be checked).

Since we built the root CA certificate on Server 2016, we'll do the same with the Host certificates, in this example for HOST1 in the internaldomain.local AD Domain:

# Look up the root CA certificate created in step 1 so it can sign the host certificate
$RootCert = ( Get-ChildItem Cert:\LocalMachine\My | Where-Object -Property Subject -EQ "CN=HV Replica Root CA" )

# Host certificate: the first DnsName becomes the Subject (CN=HOST1.example.com)
New-SelfSignedCertificate `
    -DnsName "HOST1.example.com","HOST1.internaldomain.local","HOST1" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyLength 4096 `
    -HashAlgorithm SHA256 `
    -KeyFriendlyName "HOST1 HV Replication" `
    -FriendlyName "HOST1 HV Replication" `
    -NotAfter "2027-12-31 23:59:59" `
    -NotBefore "2017-01-01 00:00:00" `
    -Signer $RootCert

Note that the Subject in the first line matches up with the DnsName you used for the Root CA in step 1.

Also note that the example uses much shorter certificate lifetimes (10 years instead of 100) and that the DnsName is a list of names - all the DNS and short names that refer to this server. You could also add the IP address but it's of limited use.

Export the Certificates

Now that you've created the certificates, you'll need to export them from your management workstation so they can be imported on each Hyper-V Host. You can do this with the MMC, if you prefer (you'll want to ensure that you export with the private key, and include all certificates in the certificate chain).

We'll export using PowerShell, to C:\Certificates\HOST1.pfx. Note that you can select any existing path and adjust the PowerShell code; and you'll be prompted for a password, so paste carefully:

$HostCert = ( Get-ChildItem Cert:\LocalMachine\My | Where-Object -Property Subject -EQ "CN=HOST1.example.com" )
$Password = Read-Host "Enter a Password for the PFX Private Key" -AsSecureString

# Make sure the target folder exists, then export the host certificate, its private key and the chain
New-Item -ItemType Directory -Path C:\Certificates -Force | Out-Null
Export-PfxCertificate `
    -FilePath C:\Certificates\HOST1.pfx `
    -Cert $HostCert `
    -ChainOption BuildChain `
    -Password $Password

You can go ahead and copy the (password-protected) PFX to your target Hyper-V host now.

Import the Certificate and Key

You'll need to import the certificates and private key to your target server. The PFX actually contains three parts:

  • The Public portion of your host certificate
  • The Private portion of your host certificate
  • The Public portion of your root certificate

When prompted, you'll need to provide the password during import:

$Password = Read-Host "Enter the Password for the PFX Private Key" -AsSecureString

# Import the host certificate, its private key and the root certificate into the Personal store
Import-PfxCertificate `
    -FilePath C:\Certificates\HOST1.pfx `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Password $Password

You will now see all certificates from the chain in the Local Machine \ Personal store - and you'll want to move the root CA certificate to the Trusted Root Certificate Authorities store:

$RootCert = ( Get-ChildItem Cert:\LocalMachine\My | Where-Object -Property Subject -EQ "CN=HV Replica Root CA" )

# Move the root CA certificate out of Personal and into Trusted Root Certification Authorities
Push-Location
Set-Location "Cert:\LocalMachine\My"
Move-Item $RootCert.Thumbprint "Cert:\LocalMachine\Root"
Pop-Location

Disable Revocation Checks for Hyper-V Replication

By default Hyper-V will check each certificate for its revocation status. Unfortunately, this is doomed to fail with our self-signed certificates; they do not contain URLs for CRLs, OCSP, or even AIA.

Well, they couldn't really; most of those need real CAs to work.

So we disable revocation checks for Hyper-V services. This should not affect checks for other certificates or services.

# Disable revocation checking for both Hyper-V Replica registry keys.
# The keys are created first because they may not exist on a host that has never replicated.
$FailoverKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication"
$ReplicationKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"

foreach ($Key in $FailoverKey, $ReplicationKey) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
}

Set-ItemProperty `
    -Path $FailoverKey `
    -Name DisableCertRevocationCheck `
    -Value 1 `
    -Type DWord

Set-ItemProperty `
    -Path $ReplicationKey `
    -Name DisableCertRevocationCheck `
    -Value 1 `
    -Type DWord

These settings take effect immediately.
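Before moving on to the replication settings, it is worth confirming on the Hyper-V host that the import and the revocation reasoning above actually hold. The following verification script is added here and is not from the original post; it assumes the subject CN=HOST1.example.com and the store locations used in the steps above, and the Test-ReplicaChain function name is my own.

```powershell
# Added verification script; not part of the original post. Assumes the subject
# and stores used above ("CN=HOST1.example.com" in LocalMachine\My, root moved to
# LocalMachine\Root). Run it on the Hyper-V host after the import and move steps.
$HostSubject = "CN=HOST1.example.com"
$HostCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object -Property Subject -EQ $HostSubject |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $HostCert) { throw "No certificate with subject $HostSubject in LocalMachine\My" }

# 1. Hyper-V needs the private key, so a PFX exported without it is unusable.
if (-not $HostCert.HasPrivateKey) { throw "$HostSubject has no private key on this host" }

# 2. Hyper-V Replica requires both the Server (1.3.6.1.5.5.7.3.1) and
#    Client (1.3.6.1.5.5.7.3.2) Authentication EKUs.
$EkuExt = $HostCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$Ekus = @($EkuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($Oid in "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2") {
    if ($Ekus -notcontains $Oid) { throw "$HostSubject is missing EKU $Oid" }
}

# 3. Build the chain under a given revocation mode and report what happened.
function Test-ReplicaChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Chain.ChainPolicy.RevocationMode = $RevocationMode
    $Chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $Built = $Chain.Build($Cert)
    $Root  = $Chain.ChainElements[$Chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        ChainBuilt     = $Built
        RootSubject    = $Root.Subject
        # The root must carry CertSign and CRLSign, as set when it was created
        RootKeyUsages  = ($Root.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
        ChainStatus    = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 'Online' is the default behaviour Hyper-V relies on; 'NoCheck' mirrors DisableCertRevocationCheck=1.
Test-ReplicaChain -Cert $HostCert -RevocationMode Online
Test-ReplicaChain -Cert $HostCert -RevocationMode NoCheck
```

If the Online build reports a revocation-related status while the NoCheck build succeeds with RootSubject CN=HV Replica Root CA, the certificates are fine and the registry change is what Hyper-V was missing; if the NoCheck build also fails, the root has not been moved to Trusted Root or the chain was not exported with the PFX.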

Configure Hyper-V Replication

All the pieces should now be in place to configure Hyper-V Replica.

$HostCert = ( Get-ChildItem Cert:\LocalMachine\My | Where-Object -Property Subject -EQ "CN=HOST1.example.com" )

# Enable the replica server on this host using certificate authentication on TCP 443
Set-VMReplicationServer `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $HostCert.Thumbprint `
    -DefaultStorageLocation "D:\" `
    -ReplicationEnabled $True

Again, you will need to adjust parameters to suit your own environment (e.g. do you really want the Hyper-V Replicas to be placed in D:\?)
