
Manage vault certificates

Updated: September 19, 2014

Azure Recovery Services encompasses a set of Azure vaults that help to protect your organization from data loss and aid in continuity of operations. Vaults are used to store and protect information that is specified as part of your recovery services configuration.

  • If you are using Azure Backup, you will create backup vaults to store protected items from the servers you register for your organization.

    Previously you had to use an X.509 v3 certificate to register your server with the backup vault, but now that has changed and you use credentials generated in the Azure portal to register your server with the backup vault. If you are creating a new vault, you no longer use certificates. You must use credentials.

  • If you are using Azure Hyper-V Recovery Manager, you will create Hyper-V Recovery Manager vaults to orchestrate failover and recovery for virtual machines managed by System Center 2012 - Virtual Machine Manager (VMM). You configure and store information about registered VMM servers, protected clouds, networks, and virtual machines enabled for protection in a source location and about VMM servers, clouds, networks, and virtual machines that are used for failover and recovery in a target location. You can create recovery plans that specify the order in which virtual machines fail over, and you can customize these plans to run additional scripts or manual actions.

You can configure both backup vaults and Hyper-V Recovery Manager vaults as appropriate.

The management certificate uploaded to a Recovery Services vault requires the following:

  • You can use any valid Secure Sockets Layer (SSL) certificate that is issued by a certification authority (CA) that is trusted by Microsoft (and whose root certificates are distributed through the Microsoft Root Certificate Program). For more information, see Microsoft article 931125.

    Alternatively, you can use a self-signed certificate that you create using the Makecert.exe tool.

  • The certificate should be an X.509 v3 certificate.

  • The key length should be at least 2048 bits.

  • The certificate must have a valid ClientAuthentication EKU.

  • The certificate must be currently valid with a validity period that does not exceed three years. You must specify an expiry date; otherwise, a default setting that is valid for more than three years will be used.

  • The certificate should reside in the Personal certificate store of your Local Computer.

  • The private key should be included during installation of the certificate.

  • To upload the certificate to the portal, you must export it as a .cer format file that contains the public key.

  • Each vault has only a single certificate associated with it at any one time. You can upload a certificate to overwrite the current certificate associated with the vault at any time.
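Before exporting the .cer file for upload, it is worth confirming that the certificate actually meets the requirements listed above. The following function is an added example, not part of the original article; it checks a certificate in the Local Computer Personal store against each requirement, and assumes the subject name `CN=CertificateName` and an RSA key (for the key-length check).

```powershell
# Added example (not from the original article): checks a certificate in the
# Local Computer Personal store against the vault requirements listed above.
# The subject name is an assumption; an RSA key is assumed for the key-length check.
function Test-VaultCertificate {
    param(
        [Parameter(Mandatory)]
        [string]$SubjectName    # e.g. 'CN=CertificateName'
    )

    # Requirement: the certificate resides in Cert:\LocalMachine\My (Local Computer, Personal)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SubjectName } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with subject '$SubjectName' found in Cert:\LocalMachine\My"
    }

    # Collect the Enhanced Key Usage OIDs (extension 2.5.29.37); id-kp-clientAuth is 1.3.6.1.5.5.7.3.2
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $ekuOids = @($cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    $now      = Get-Date
    $validity = $cert.NotAfter - $cert.NotBefore

    # One entry per requirement from the article; $true means the certificate satisfies it
    $checks = [ordered]@{
        'X.509 version 3'                  = ($cert.Version -eq 3)
        'Key length at least 2048 bits'    = ($cert.PublicKey.Key.KeySize -ge 2048)
        'ClientAuthentication EKU present' = ($ekuOids -contains $clientAuthOid)
        'Currently valid'                  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        'Validity period at most 3 years'  = ($validity.TotalDays -le (3 * 365.25))
        'Private key present'              = $cert.HasPrivateKey
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Passed     = ($failed.Count -eq 0)
        Failed     = $failed
    }
}

# Usage: run on the server that holds the certificate before exporting the .cer file
Test-VaultCertificate -SubjectName 'CN=CertificateName' | Format-List
```

A `Passed` value of `$false` lists the unmet requirements in `Failed`; a certificate that fails the validity-period check is usually one created without an explicit expiry date.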

Certificates are used to encrypt communication between servers and Recovery Services vaults, and to register servers with the vaults. Configure a certificate as follows:

  • Obtain a certificate—A management certificate (.cer) must be uploaded to the vault. You can use either a CA-issued certificate or a self-signed certificate created with Makecert.exe, as described in the requirements above.

  • Export a certificate (.pfx)—On the server on which the certificate was created, you export the certificate, together with its private key, from the certificate store as a .pfx file. This .pfx file will be uploaded to VMM servers when you install the Hyper-V Recovery Manager provider on those servers, and it is used to register the servers with the vault.

  • Import the certificate (.pfx)—After export of the .pfx file is complete, you import it to the Personal certificate store on each VMM server that contains virtual machines you want to protect.

Use the following procedures to perform these actions.

If you want to use a self-signed certificate, create one as follows:

  1. Obtain the Makecert tool as described in MakeCert. Note that when you install the Windows Software Development Kit (SDK), you can limit the installation to install makecert.exe only by selecting Tools under .NET Development and leaving everything else unchecked.

  2. Open an elevated command prompt (with Administrator privileges), and navigate to the location where makecert.exe is stored. Then, type:

    makecert.exe -r -pe -n "CN=CertificateName" -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer

    The -eku switch takes the object identifier of the required Client Authentication EKU (1.3.6.1.5.5.7.3.2), -len sets the 2048-bit key length, and -e sets the expiry date so that the validity period stays within three years. The certificate is placed in the Personal store of the Local Computer (-ss my -sr localmachine), and the .cer file containing the public key is written to the same location.

  3. In the vault, click Manage Certificate to upload the .cer file that contains the public key.

On the server on which you ran makecert.exe, complete the steps in this procedure to export the .cer file in .pfx format.

  1. From the Start screen, type mmc.exe to start the Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

  3. In Available snap-ins, click Certificates, and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, and then click Finish.

  6. In the MMC, in the console tree, expand Certificates, and then expand Personal.

  7. In the details pane, click the certificate you want to manage.

  8. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.

  9. On the Export Private Key page, click Yes, export the private key. Click Next. Note that this is required only if you want to export the private key to other servers after the installation.

  10. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

  11. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

  12. Follow the pages of the wizard to export the certificate in .pfx format.

After you export the certificate, copy it to the server you want to register, and then import it as follows. Note that you do not need to import the certificate on the server that was used to run MakeCert.exe.

  1. Copy the private-key (.pfx) certificate files to a location on the local server.

  2. From the Start screen, type mmc.exe, and then press ENTER to open the MMC.

  3. In the MMC, on the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-ins dialog box, select Certificates, and then click Add.

  5. The Certificate snap-in dialog box will open. Select Computer account, and then click Next.

  6. Select Local Computer, and then click Finish.

  7. You are returned to the Add/Remove Snap-ins dialog box. Click OK.

  8. In the MMC, expand Certificates, right-click Personal, point to All Tasks, and then click Import to start the Certificate Import Wizard.

  9. On the Certificate Import Wizard Welcome page, click Next.

  10. On the File to Import page, click Browse, and then locate the folder that contains the .pfx certificate file that contains the certificate that you want to import. Select the appropriate file, and then click Open.

  11. On the Password page, in the Password box, type the password for the private-key file that you specified in the previous procedure, and then click Next.

  12. On the Certificate Store page, select Place all certificates in the following store, click Browse, select the Personal store, click OK, and then click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish.
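The export and import procedures above can also be scripted with the PKI module cmdlets (Export-Certificate, Export-PfxCertificate and Import-PfxCertificate, available on Windows Server 2012 / Windows 8 and later). This is an added example, not part of the original article; the subject name and file paths are assumptions to be replaced with your own.

```powershell
# Added example (not from the original article): scripted equivalent of the MMC
# export and import procedures. Subject name and paths are assumptions.
$subject = 'CN=CertificateName'
$cerPath = 'C:\VaultCert\CertificateName.cer'   # public key only, uploaded via Manage Certificate
$pfxPath = 'C:\VaultCert\CertificateName.pfx'   # includes the private key, copied to VMM servers

# --- On the server where makecert.exe was run ---
# Pick the most recently expiring certificate with that subject that has a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "Certificate '$subject' with a private key was not found in Cert:\LocalMachine\My"
}
New-Item -ItemType Directory -Path (Split-Path -Path $cerPath) -Force | Out-Null

# DER-encoded .cer with the public key, for the vault's Manage Certificate upload
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# PKCS #12 .pfx with the private key, encrypted with a password you are prompted for
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx private key'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# --- On each VMM server that hosts virtual machines you want to protect ---
# Run after copying the .pfx file there; the same password is required
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password of the .pfx file'
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
"Imported $($imported.Subject) ($($imported.Thumbprint)) into the Local Computer Personal store"
```

Delete the .pfx file from the source server and from any intermediate copy once each VMM server has imported it, since it carries the private key that registers servers with the vault.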

After the import, you will be able to select the certificate when you run the Register Server Wizard.

© 2014 Microsoft