Hyper-V Replication Certs. expired, cannot reproduce a usable set.

Nathan Larscheid 0 Reputation points
2025-12-08T20:56:47.67+00:00

Hyper-V Replication standalone instances fail. Existing RootCA expired. Creating new RootCA, then self-signed intermediates installed with RootCA on both, to no avail. Cert not recognized.

Looking for "correct" steps to issue a Root CA and subsequent self-signed certs which Hyper-V Replication will recognize.


2 answers

  1. Q&A Assist
    2025-12-08T20:57:02.9166667+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    To issue a new Root CA and subsequent self-signed certificates that Hyper-V Replication will recognize, follow these general steps:

    1. Create a New Root CA:
      • Use the Certificate Authority (CA) role on a Windows Server to create a new Root CA. Ensure that the CA is configured correctly and that it is trusted by all machines that will use the certificates.
    2. Configure the Root CA:
      • Set the validity period for the Root CA certificate according to your organization's policy. Ensure that it is not set to expire too soon.
    3. Create Self-Signed Certificates:
      • After creating the Root CA, generate self-signed certificates for each Hyper-V host that will participate in replication. Ensure that these certificates meet the following criteria:
        • They should have both Client and Server Authentication Enhanced Key Usage (EKU) attributes.
        • The subject common name (CN) or subject alternative name (SAN) must match the fully qualified domain name (FQDN) of the Hyper-V Replica Broker role.
    4. Install Certificates:
      • Install the Root CA certificate on all Hyper-V hosts and ensure that the self-signed certificates are also installed properly. This includes adding them to the Trusted Root Certification Authorities store.
    5. Validate the Certificates:
      • Check that the certificates are recognized by the Hyper-V hosts. You can do this by using the MMC snap-in for Certificates to verify that the certificates are present and trusted.
    6. Test Hyper-V Replication:
      • After installing the certificates, test the Hyper-V replication to ensure that it is functioning correctly. If there are issues, check the event logs for any errors related to certificate validation or replication failures.

    If you continue to face issues, ensure that the certificates are not expired and that there are no network or authentication problems affecting the replication process.

  2. Domic Vo 11,625 Reputation points Independent Advisor
    2025-12-08T21:30:44.59+00:00

    Hello Nathan Larscheid,

    I can see why this is giving you headaches: Hyper‑V replication is very particular about certificates, and once the Root CA expires, simply dropping in a new self‑signed chain doesn’t always work. The replication handshake relies on certificates that meet strict requirements, and if any part of the chain isn’t trusted or doesn’t match what Hyper‑V expects, the connection fails.

    Here’s the way to approach it cleanly:

    1. Start fresh with a new Root CA — but don’t just create a self‑signed cert and install it. You need to build a proper certificate chain that Windows trusts. That means creating a new Root CA certificate, installing it into the Trusted Root Certification Authorities store on both servers, and ensuring it has the correct key usage (Certificate Signing, CRL Signing).
    2. Issue server certificates from that Root CA — Hyper‑V replication requires certificates that are valid for Server Authentication. So from your new Root CA, generate individual certificates for each Hyper‑V host. These must include:
      • Subject name or SAN that matches the FQDN of the host.
      • Enhanced Key Usage: Server Authentication.
      • Private key exportable if you’re moving it between systems.
    3. Install the server certificates into the Local Computer → Personal store on each Hyper‑V host. The Root CA must also be present in Trusted Root.
    4. Bind the certificate to Hyper‑V replication: In Hyper‑V Manager, configure replication settings and select the certificate you issued. If the certificate chain is valid and trusted, it will appear in the list.
    5. Check CRL/AIA distribution points: Even for internal CAs, Hyper‑V will validate revocation. If your Root CA or issued certs have unreachable CRL/AIA URLs, replication can fail. Either publish a reachable CRL or issue certs without CRL distribution points if appropriate for your environment.

    I would say Hyper‑V won’t accept a generic self‑signed cert. You need a trusted Root CA installed on both hosts, then issue proper server authentication certificates for each host, install them in the right store, and bind them in Hyper‑V replication settings.

    I hope this helps,

    If this guidance proves helpful, please kindly click “Accept Answer” so we know we’re heading in the right direction 😊. And of course, I’m here if you need further clarification or support.

    Domic Vo.

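The procedure both answers describe, as an added PowerShell example that is not from either answer or from Microsoft: it builds a new Root CA and places it in Trusted Root, issues one certificate per host from that root (SAN = host FQDN, Server and Client Authentication EKUs, exportable key), validates the chain the way the replication handshake will, and binds the thumbprint to the replica server. Assumed: the host names and C:\PKI paths are placeholders, the `{text}` basic-constraints syntax is the one CertEnroll accepts, and the script runs elevated on the primary host.

```powershell
# Added example (not from the answers above). Run elevated on the primary host;
# repeat the Import-* steps on the replica host. Host names are placeholders.
$PrimaryFqdn = 'hv01.corp.example'   # placeholder
$ReplicaFqdn = 'hv02.corp.example'   # placeholder
$ServerAuth  = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$ClientAuth  = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication

# Step 1: new Root CA with CertSign/CRLSign key usage and CA=true basic constraints.
# (basic-constraints {text} syntax is an assumption; adjust if CertEnroll rejects it)
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=HyperV-Replica-RootCA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# The root must be in Trusted Root on BOTH hosts: export it and import on each.
New-Item -ItemType Directory -Path 'C:\PKI' -Force | Out-Null
Export-Certificate -Cert $root -FilePath 'C:\PKI\replica-root.cer' | Out-Null
Import-Certificate -FilePath 'C:\PKI\replica-root.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 2: per-host leaf certs issued by the root (not self-signed):
# SAN = FQDN, EKU Server + Client Authentication, exportable private key.
function New-ReplicaHostCert([string]$Fqdn) {
    New-SelfSignedCertificate -Type Custom -Subject "CN=$Fqdn" -DnsName $Fqdn -Signer $root `
        -KeyUsage DigitalSignature, KeyEncipherment -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2) `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -TextExtension @("2.5.29.37={text}$ServerAuth,$ClientAuth")
}
$primaryCert = New-ReplicaHostCert $PrimaryFqdn
$replicaCert = New-ReplicaHostCert $ReplicaFqdn

# Step 3: move the replica host's cert with its private key to that host.
$pfxPwd = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $replicaCert -FilePath 'C:\PKI\hv02.pfx' -Password $pfxPwd | Out-Null
# On hv02: Import-PfxCertificate -FilePath .\hv02.pfx -Password $pfxPwd -CertStoreLocation Cert:\LocalMachine\My

# Validate like the handshake does: trusted chain, name match, required EKUs.
# A failure here is the "cert not recognized" symptom, caught before touching Hyper-V.
# These certs carry no CRL distribution point, so there is no unreachable CRL to check.
$ok = Test-Certificate -Cert $primaryCert -Policy SSL -DNSName $PrimaryFqdn -EKU $ServerAuth, $ClientAuth
if (-not $ok) { throw "Chain/name/EKU check failed for $PrimaryFqdn" }

# Step 4: bind the thumbprint (PowerShell equivalent of the Hyper-V Manager dialog).
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 -CertificateThumbprint $primaryCert.Thumbprint `
    -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation 'C:\ReplicaVMs'
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
```

Run the same `Test-Certificate` call on the replica host against its own certificate before enabling replication there; if it returns `$false`, the root is missing from that host's Trusted Root store or the SAN does not match the name the other side connects to.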