As previously explained, the certificates generated for the name of each Replica Broker will need to be imported into the personal store of each Hyper-V server of the cluster.
To get started, go to the server you used to generate these certificates and go to the personal certificate store.
Begin by exporting the certificate for the 1st Hyper-V cluster.
Choose: Yes, export the private key.
Note: if this option is grayed out, you forgot to allow the export of the private key when creating the certificate template used.
As we chose to export the private key in addition to the certificate, the destination format will be: PKCS #12 (.PFX).
Note: uncheck the "Include all certificates in the certification path if possible" box to export only this certificate, rather than this certificate plus the certificate of the root CA.
Provide a password to protect the private key of the certificate.
Click Browse.
Because you will need to import it to each node in the cluster, we recommend that you export it to a network share that is accessible by the nodes of your cluster.
Click Next.
Click Finish.
The message "The export was successful" is displayed.
Export the second certificate in the same way.
Note that we exported the 2 certificates separately; otherwise, the 2 certificates would have been stored in the same file.
This would mean that both certificates would then be imported on all your nodes, which is useless.
Export this second certificate to the same network share.
Now, we have our 2 certificates in PFX format.
All you have to do is import the 1st certificate to the nodes of your 1st Hyper-V cluster.
And the 2nd certificate on the nodes of your 2nd Hyper-V cluster.
Now that we have all the necessary certificates on the different nodes of our clusters, we can enable Hyper-V replication in HTTPS.
To do this, on your 1st Hyper-V cluster, return to the replication settings of the Hyper-V Replica Broker.
Select "Use certificate-based authentication (HTTPS)" instead of "Use Kerberos (HTTP)".
Then, click on the "Select certificate" button.
Select the certificate with the name of the Hyper-V Replica Broker for your cluster.
The information of the selected certificate is displayed.
Remember to reconfigure the firewall to allow the HTTPS port instead of the HTTP port.
Enable the Hyper-V Replica HTTPS Listener (TCP-In) rule for incoming traffic on your Hyper-V servers.
Do the same for the Hyper-V Replica Broker of the Hyper-V backup cluster.
Select the HTTPS version instead of the HTTP version and click: Select certificate.
Select the certificate with the name of the Hyper-V Replica Broker of the backup cluster.
And also enable the Hyper-V Replica HTTPS Listener (TCP-In) rule for incoming traffic on Hyper-V servers of this backup cluster.
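The import and firewall steps above can also be scripted for all nodes of one cluster. This is an added example, not part of the original tutorial; the cluster name, broker FQDN and share path are hypothetical. It assumes PowerShell remoting is enabled on the nodes and that it is run from a server with the Failover Clustering PowerShell module.

```powershell
# Assumed values (not from the original page): adjust to your environment.
$ClusterName = 'hv-cluster1'                        # hypothetical cluster name
$BrokerFqdn  = 'hv-broker1.example.test'            # hypothetical Replica Broker name
$PfxPath     = '\\fileserver\certs\hv-broker1.pfx'  # hypothetical share path
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

foreach ($node in (Get-ClusterNode -Cluster $ClusterName).Name) {
    $session = New-PSSession -ComputerName $node
    try {
        # Push the PFX through the session, so the remote session does not
        # have to authenticate to the share (no credential delegation needed).
        $remotePfx = Invoke-Command -Session $session -ScriptBlock {
            Join-Path $env:TEMP 'replica-broker.pfx'
        }
        Copy-Item -Path $PfxPath -Destination $remotePfx -ToSession $session

        Invoke-Command -Session $session -ArgumentList $remotePfx, $PfxPassword, $BrokerFqdn -ScriptBlock {
            param($Path, $Password, $Fqdn)
            try {
                # Computer personal store. Without -Exportable, the private key
                # is imported as non-exportable on the node.
                $cert = Import-PfxCertificate -FilePath $Path -Password $Password `
                    -CertStoreLocation Cert:\LocalMachine\My
            }
            finally {
                # Do not leave a copy of the private key on disk.
                Remove-Item -Path $Path -Force
            }

            # Rule name as shown in the tutorial.
            Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

            # Report what was imported so each node can be checked.
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NameMatches   = ($cert.GetNameInfo('DnsName', $false) -eq $Fqdn)
                NotAfter      = $cert.NotAfter
            }
        } | Select-Object PSComputerName, Thumbprint, HasPrivateKey, NameMatches, NotAfter
    }
    finally {
        Remove-PSSession -Session $session
    }
}
```

Every node should report `HasPrivateKey` and `NameMatches` as `True` and the same thumbprint. Once all nodes are done, delete the .pfx files from the network share, since they contain the private keys.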
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.