Hyper-V Replication Using Self-Signed Certificates

Windows Server 2012 comes with the new version of Hyper-V, 3.0. Among many new features, the most interesting (to me) were non-clustered live migration, as well as virtual machine replication.

Certificate Revocation Check Error

I set out to build a pair of replicating Hyper-V 3.0 hosts and wanted to use self-signed X.509 certificates to encrypt all replication traffic, as described in Microsoft's own manuals here. But despite following all the steps related to the issuance and installation of the self-signed certificates, the Hyper-V management console kept throwing a certificate revocation check error when I tried to save the replication settings.

Of particular interest was this line in the TechNet article:

“By default, a certificate revocation check is required; however, self-signed certificates don’t support revocation checks. Disable the check by editing the registry on both the primary and Replica servers with the following command:”

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

The problem is that even after applying this registry setting and rebooting the server, the certificate revocation check continues to fail.

Resolution

In addition to the reg add command from the Microsoft documentation, you also need to add the following registry value (same value name, but under the Replication key rather than FailoverReplication) to completely disable certificate revocation checks in Hyper-V replication:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

No reboot is necessary for these commands to take effect. As soon as both reg add commands have been run on both the primary and the Replica server, self-signed certificates will be accepted in the Hyper-V replication configuration.
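The two reg add commands above have to be applied on every host in the pair, and it is easy to forget one of them. The following PowerShell script is an added example (not part of the original post) that sets both DisableCertRevocationCheck values the post identifies and then reads them back, so you can confirm a host is fully configured before retrying the replication settings dialog. It assumes an elevated PowerShell session on each Hyper-V host; the registry paths and value name are exactly those from the post.

```powershell
# Added example, not from the original post: apply both registry values the
# post identifies and verify them. Run in an elevated PowerShell session on
# each Hyper-V host (primary and Replica).

$valueName = 'DisableCertRevocationCheck'

# The FailoverReplication key is the one Microsoft documents; the Replication
# key is the additional one this post found to be required.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
)

foreach ($path in $paths) {
    # Create the key if it is not there yet (this is what reg add /f does too).
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # REG_DWORD value of 1, overwriting any existing value.
    New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification: both values must read back as 1. No reboot is needed.
$allSet = $true
foreach ($path in $paths) {
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$valueName -eq 1) {
        Write-Output "OK       $path\$valueName = 1"
    } else {
        Write-Output "MISSING  $path\$valueName"
        $allSet = $false
    }
}

if ($allSet) {
    Write-Output 'Both revocation-check overrides are in place on this host.'
} else {
    Write-Output 'At least one override is missing; replication with a self-signed certificate will still fail on this host.'
}
```

Run the script once on the primary and once on the Replica server; the final line tells you whether that host still needs either of the two values. Keep in mind what the override does: with both values set, Hyper-V no longer performs any revocation checking for replication certificates on that host, so a compromised self-signed certificate cannot be revoked and must instead be replaced on both hosts.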
