Replicate Hyper-V between Workgroup servers

Enabling Hyper-V between two workgroup servers requires issuing self-signed certificates with makecert.exe and a registry key to bypass the revocation check.

The reason why makecert is required is because the certificate Enhanced Key Usage must support both Client and Server authentication, and the default IIS certificate CSR wizard does not include the client EKU.

Machine #1
1. Generate a root cert:
makecert -pe -n CN=PrimaryTestRootCA -ss root -sr LocalMachine -sky signature -r PrimaryTestRootCA.cer

2. Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV2 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in PrimaryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV2.cer

3. Disable the revocation checking since that won’t work on self-signed certs:
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Machine #2
1. Generate a root cert:
makecert -pe -n CN=RecoveryTestRootCA -ss root -sr LocalMachine -sky signature -r RecoveryTestRootCA.cer

2. Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV1 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in RecoveryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV1.cer
(Note: even though it outputs a .cer file, it automatically inserts into the LocalMachine certificate store, so there is no additional import step)

3. Copy the PrimaryTestRootCA.cer from Machine #1 and then run this command: certutil -addstore -f Root “PrimaryTestRootCA.cer”

4. Copy the RecoveryTestRootCA.cer from Machine 2 and then run certutil -addstore -f Root RecoveryTestRootCA.cer

5. Disable the revocation checking since that won’t work on self-signed certs:
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

6. Now you can select the self-signed certificate in replication on both servers.