Look for the UTG here and on Appendix C you will find how to generate a self signed certificate. Although that is a lot of help, the real important part is the command you need to execute in order to have Hyper-V not check for the CRL of the certificate (revocation, etc that is provided when you use a CA).
- Create a Self Signed Certificate Authority (if that makes any sense):
makecert -pe -n “CN=PrimarySampleRootCA” -ss root -sr LocalMachine -sky signature -r “PrimarySampleRootCA.cer”
- Create a Self Signed Certificate using the CA crated above:
makecert -pe -n “CN=ServerName.domain.local” -ss my -sr LocalMachine -sky exchange -eku 18.104.22.168.22.214.171.124.1,126.96.36.199.188.8.131.52.2 -in “PrimarySampleRootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 PrimarySampleCert.cer
- Do the same for the destination failover replica server (create a self signed CA and Certificate)
- Add the Self Signed CAs you created to the trusted roots of the servers that are going to connect to that host using this command:
certutil -addstore -f Root “PrimarySampleRootCA.cer”
- V. Disable the certificate revocation check in PowerShell:
reg add "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
- Validate using certutil
- After the certificate is installed, run the following command from the command prompt on both the primary and replica server:
certutil –store my
- At least one of the certificates in your output should resemble the following sample output such that the Encryption test (not just Signature) has passed.