We have had a number of queries on how to enable replication using certificates created with makecert. Though the Understanding and Troubleshooting guide for Hyper-V Replica discusses this aspect, I am posting a separate article on it. The steps below apply to a simple lab deployment consisting of two standalone servers – PrimaryServer.domain.com and ReplicaServer.domain.com. They can easily be extended to clustered deployments with the Hyper-V Replica Broker.
Makecert is a certificate creation tool which generates certificates for testing purposes. Information on makecert is available here: http://msdn.microsoft.com/en-us/library/bfsktky3.aspx.
1. Copy the makecert.exe tool to your primary server
2. Run the following command from an elevated command prompt on the primary server. This command creates a self-signed root authority certificate, installs it in the Root store of the local machine, and also saves it to a file locally.
makecert -pe -n "CN=MyTestRootCA" -ss root -sr LocalMachine -sky signature -r "MyTestRootCA.cer"
3. Run the following command a couple of times (once for each server) from an elevated command prompt to create new certificates signed by the test root authority certificate
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <MachineName>.cer
Each time:
- Replace <FQDN> with the FQDN of the primary server and then of the replica server
- Replace <MachineName>.cer with any file name
The command installs a test certificate in the Personal store of the local machine and also saves it to a file locally. The certificate can be used for both Client and Server authentication (EKUs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2).
4. The certificates can be viewed by mmc->File->Add/Remove Snap-in...->Certificates->Add->"Computer Account"->Next->Finish->OK
You will find the Personal certificates (with the machine names) in the Personal folder and the Root certificate (MyTestRootCA) in the Trusted Root Certification Authorities folder:
5. Export the replica server certificate with the private key.
6. Copy MyTestRootCA.cer and the certificate exported above (RecoveryServer.pfx) to the Replica server.
7. Run the following command from an elevated prompt on ReplicaServer.domain.com
certutil -addstore -f Root "MyTestRootCA.cer"
8. Open the certificates mmc on ReplicaServer.domain.com and import the certificate (RecoveryServer.pfx) into the Personal store of the computer account. Provide the pfx file and its password when prompted:
9. By default, a certificate revocation check is mandatory, and self-signed certificates don't support revocation checks. To work around this, add the following registry value on both the Primary and Replica servers
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
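Once the steps above have been run on both servers, it helps to confirm the result before enabling replication, because a missing private key, a missing EKU or a root that never made it into the Trusted Root store all surface later as vague authentication failures. The PowerShell script below is an added check and is not part of the original post or of any Microsoft tool; it assumes the names used above (a test root with subject CN=MyTestRootCA and machine certificates with subject CN=<FQDN>), PowerShell 3.0 or later, and the registry value from step 9. The script name, the `-Fqdn`/`-RootName` parameters and the messages are mine.

```powershell
# Test-ReplicaCert.ps1 (hypothetical name; added verification script, not from the original post).
# Run on each server as administrator and pass that server's own FQDN, e.g.
#   .\Test-ReplicaCert.ps1 -Fqdn ReplicaServer.domain.com
param(
    [Parameter(Mandatory = $true)]
    [string]$Fqdn,                         # subject used with makecert -n "CN=<FQDN>"
    [string]$RootName = "MyTestRootCA"     # subject of the test root created in step 2
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"       # Server Authentication
$clientAuthOid = "1.3.6.1.5.5.7.3.2"       # Client Authentication

# 1. Locate the machine certificate in the Personal (My) store of the computer account.
#    If makecert was run more than once for the same name, take the longest-lived one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }

# 2. The private key must be present. On the replica this catches importing the
#    .cer instead of the .pfx exported in step 5.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 3. Both EKUs must be present, since each side acts as TLS client and server.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($oid in $serverAuthOid, $clientAuthOid) {
    if ($ekus -notcontains $oid) { throw "Certificate is missing EKU $oid" }
}

# 4. The issuing test root must be in the computer's Trusted Root store (step 2 on the
#    primary, certutil -addstore Root on the replica), and must actually be the issuer.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$RootName" }
if (-not $root) { throw "Root certificate CN=$RootName is not installed in LocalMachine\Root" }
if ($cert.Issuer -ne "CN=$RootName") {
    throw "Certificate was not issued by CN=$RootName (issuer: $($cert.Issuer))"
}

# 5. Build the chain with revocation checking off, mirroring step 9: a makecert root
#    publishes no CRL, so an online revocation check can never succeed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    throw "Chain does not build: $status"
}

# 6. Confirm the registry workaround from step 9 is in place on this host.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
$value = (Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($value -ne 1) {
    Write-Warning "DisableCertRevocationCheck is not 1; the mandatory revocation check will fail for this test root"
}

"OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is valid until $($cert.NotAfter) and chains to CN=$RootName"
```

Run it once on PrimaryServer.domain.com with `-Fqdn PrimaryServer.domain.com` and once on ReplicaServer.domain.com with `-Fqdn ReplicaServer.domain.com`. The thumbprint it prints is the one to select when enabling replication in Hyper-V Manager, and checking step 4 and step 6 on both hosts is what catches the common case where the root and the registry value were only applied on one side.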