hyper-v replication with certificate Authentication

 

Hyper-V Replication base on Certificate Authentication have great advantage in terms of security, kerberos Authentication base usually put the replication server in the same Domain as the hyper-v host server, Meaning you can access the replication server and have full access with the credential of the domain. In bad scenario like the spreading of ransom virus and such, the replication server can get damaged including the files of the VM’s and they can get encrypted as the VM’s are off and the file are not locked by the hyper-visor. There for, If you treat the replication server as kind of DR or backup server, it is safer not to put the replication server as domain member but to keep it on Workgroup or on different domain.

How to create Hyper-v replication with certificate Authentication :

First lets create a root self signed certificate. you will need the MakeCert tool and you can download it from Here .

Lets assume the host name is Hyper-v1 and the replication server name is Replica . create root certificate on Hyper-v1:

makecert -pe -n CN=Primaryhyperv1RootCA -ss root -sr LocalMachine -sky signature -r Primaryhyperv1RootCA.cer

Create certificate From the root with both server and client authentication (Enhance Key Usage=eku) and with 2 subject names hyper-v1 and Replica:

makecert.exe -pe -n "CN=Hyper-v1,CN=Replica" -ss my -sr LocalMachine -sky exchange -eku "1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2" -in Primaryhyperv1RootCa -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 hyper-v1.cer

The command will install the certificate in the Personal store of the machine and is saved as a file locally. The certificate can be used for both Client and Server authentication

Now, import the certificates (root and cert) to both servers so the certificate’s will be on both servers !

First export the certificate with the private key from the server you running on

The certificates can be viewed by running mmc ->File->Add/Remove Snap in…->Certificates->Add->”Computer Account”->Next->Finish->Ok

You will find the Personal certificate (with the machine names) and the Root certificate (Primaryhyperv1RootCA) in the highlighted folders:

clip_image002

Export the Hyper-v1 server certificate with the private key.

image

image

Then import it to the Replica server :

image

By default, a certificate revocation check is mandatory and Self-Signed Certificates don’t support Revocation checks. To work around it, modify the following registry key on Hyper-v1 and Replica servers. Make sure that the script create right key and the value is set to 1:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

By now you have the certificate installed on both Hyper-v server and you can select them when set the security

Capture17

Good Luck.

Leave a Reply

Your email address will not be published.