Look for the UTG here; in Appendix C you will find how to generate a self-signed certificate. Although that is a lot of help, the really important part is the command you need to execute so that Hyper-V does not check the certificate's CRL (revocation information, etc., which is provided when you use a CA).
Quick Summary:
- Create a Self-Signed Certificate Authority (if that makes any sense):
makecert -pe -n "CN=PrimarySampleRootCA" -ss root -sr LocalMachine -sky signature -r "PrimarySampleRootCA.cer"
- Create a Self-Signed Certificate using the CA created above:
makecert -pe -n "CN=ServerName.domain.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimarySampleRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimarySampleCert.cer
- Do the same for the destination failover replica server (create a self-signed CA and certificate).
- Add the self-signed CAs you created to the trusted roots of the servers that are going to connect to that host using this command:
certutil -addstore -f Root "PrimarySampleRootCA.cer"
- Disable the certificate revocation check in PowerShell:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
- Enjoy!
Checking
- Validate using certutil
- After the certificate is installed, run the following command from the command prompt on both the primary and replica server:
certutil -store my
- At least one of the certificates in your output should resemble the following sample output such that the Encryption test (not just Signature) has passed.
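The checks above can also be scripted. The following PowerShell is an added example, not part of the original post or of the UTG: it confirms that the server certificate has a private key and both EKUs passed to makecert, that its issuing root is in the machine's trusted roots, and whether the revocation check has been switched off. The function names `Test-ReplicaCertSetup` and `Get-ReplicaRevocationSetting` are hypothetical, and the registry path assumes the standard `Windows NT` key name.

```powershell
# Added example: audits the local machine for the setup described in this post.
# Both function names are hypothetical helpers, not built-in cmdlets.
function Test-ReplicaCertSetup {
    param(
        # Subject of the server certificate, i.e. the value given to makecert -n
        [Parameter(Mandatory)] [string] $Subject
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' in LocalMachine\My"
    }
    foreach ($cert in $certs) {
        # Collect the EKU OIDs from the certificate's extensions
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        # The issuing root must be in the trusted roots (certutil -addstore Root)
        $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -eq $cert.Issuer })
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $ekus -contains $serverAuth
            ClientAuthEku = $ekus -contains $clientAuth
            RootInStore   = $rootTrusted
        }
    }
}

function Get-ReplicaRevocationSetting {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
    $item = Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
    # Only the value 1 matches what the reg add command in this post writes
    [pscustomobject]@{
        RevocationCheckDisabled = ($null -ne $item -and $item.DisableCertRevocationCheck -eq 1)
    }
}

# Run on both the primary and the replica server, with that server's own subject
Test-ReplicaCertSetup -Subject 'CN=ServerName.domain.local'
Get-ReplicaRevocationSetting
```

When `RevocationCheckDisabled` is `True`, a certificate issued by one of these sample roots stays accepted until it expires or the root is removed from the trusted store, so the output is also a quick inventory of which hosts rely on that setting.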