How to: Manage vault certificates in Windows Azure Backup
Windows Azure Recovery Services encompasses a set of Windows Azure vaults that help to protect your organization from data loss, and aid in continuity of operations. Vaults are used to store and protect information that is specified as part of your recovery services configuration.
- If you are using Windows Azure Backup you will create backup vaults to store protected items from the servers you register for your organization.
- If you are using Windows Azure Hyper-V Recovery Manager you will create Hyper-V Recovery Manager vaults to orchestrate failover and recovery for virtual machines managed by System Center 2012 — Virtual Machine Manager (VMM). You configure and store information about registered VMM servers, protected clouds, networks, and virtual machines enabled for protection in a source location; and about VMM servers, clouds, networks, and virtual machines that are used for failover and recovery in a target location. You can create recovery plans that specify the order in which virtual machines fail over, and customize these plans to run additional scripts or manual actions.
You can configure both backup vaults and Hyper-V Recovery Manager vaults as appropriate.
The management certificate uploaded to a Recovery Services vault requires the following:
- You can use any valid SSL certificate that is issued by a Certification Authority (CA) that is trusted by Microsoft (and whose root certificates are distributed via the Microsoft Root Certificate Program). For more information, see Microsoft article 931125.Alternatively you can use a self-signed certificate that you create using the Makecert.exe tool.
- The certificate should be an x.509 v3 certificate.
- The key length should be at least 2048 bits
- The certificate must have a valid ClientAuthentication EKU.
- The certificate must be currently validity with a validity period that does not exceed three years. You must specify an expiry date, otherwise a default setting that is valid for more than three years will be used.
- The certificate should reside in the Personal certificate store of your Local Computer.
- The private key should be included during installation of the certificate.
- To upload to the certificate to the portal, you must export it as a .cer format file that contains the public key.
- Each vault only has a single .certificate associated with it at any one time. You can upload a certificate to overwrite the current certificate associated with the vault at any time.
Certificates are used to encrypt communication between servers and Recovery Services vaults, and to register servers with the vaults. Configuring a certificate as follows:
- Obtain a certificate—A management certificate (.cer) must be uploaded to the vault. For this purpose, you can do either of the following:
- Obtain a self-signed certificate using the Makecert tool.
- Use any valid SSL certificate issued by a CA trusted by Microsoft, whose root certificates are distributed via the Microsoft Root Certificate Program. For more information about this program, see Microsoft article Windows Root Certificate Programmembers.
- Export a certificate (.pfx)—On the server on which the certificate was created, you export the .cer file as a .pfx file (containing the private key). This .pfx file will be uploaded to VMM servers when you install the Hyper-V Recovery Manager provider on those servers, and is used to register the servers with the vault.
- Import the certificate (.pfx)—After export of the .pfx file is complete, you import it to the Personal certificate store on each VMM server that contains virtual machines you want to protect.
Use the following procedures to perform these actions.
If you want to use a self-signed certificate, create one as follows:
- Obtain the Makecert tool as described in MakeCert. Note that when installing the Windows SDK, you can limit the installation to install makecert.exe only by selecting the option Tools under .Net Development and leaving everything else unchecked.
- Open an elevated command prompt (with Administrator privileges) and navigate to the location where makecert.exe is stored. Then type:makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 220.127.116.11.18.104.22.168.2 -len 2048 -e 01/01/2016 CertificateName.cerThe certificate will be created and stored in the same location.
- In the vault, click Manage Certificate to upload the .cer file that contains the public key.
On the server on which you ran makecert.exe, complete the steps in this procedure to export the .cer file in .pfx format.
- From the Start screen type mmc.exe to start the Microsoft Management Console.
- On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
- In Available snap-ins, click Certificates, and then click Add.
- Select Computer account, and then click Next.
- Select Local computer, and then click Finish.
- In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.
- In the details pane, click the certificate you want to manage.
- On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
- On the Export Private Key page, click Yes, export the private key. Click Next. Note that this is only required if you want to export the private key to other servers after the installation.
- On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
- On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.
- Follow the pages of the wizard to export the certificate in .pfx format.
After exporting the server, copy it to the server you want to register, and then import it as follows. Note that you do not need to import the certificate on the server that was used to run MakeCert.exe.
- Copy the private-key (.pfx) certificate files to a location on the local server.
- From the Start screen, type mmc.exe, and then press Enter to open the Microsoft Management Console.
- In Microsoft Management Console, on the File menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, select Certificates and then click Add.
- The Certificate snap-in dialog will open, select Computer account and click Next.
- Select Local Computer and click Finish.
- You are returned to the Add/Remove Snap-in dialog box, click OK.
- In the Microsoft Management Console, expand Certificates, right-click Personal, point to All Tasks, and then click Import to start the Certificate Import Wizard.
- On the Certificate Import Wizard Welcome page, click Next.
- On the File to Import page, click Browse and locate the folder that contains the .pfx certificate file that contains the certificate that you want to import. Select the appropriate file, and then click Open
- On the Password page, in the Password box, type the password for the private-key file that you specified in the previous procedure and then click Next.
- On the Certificate Store page, select Place all certificates in the following store, click Browse, select the Personal store, click OK, and then click Next.
- On the Completing the Certificate Import Wizard page, click Finish.
After the import, you will be able to select the certificate when you run the Register Server Wizard as part of the Hyper-V Recovery Manager provider Setup.