Hyper-V Replication between two workgroup servers

Enabling Hyper-V Replica between two workgroup servers (no domain, so Kerberos authentication is not an option) requires issuing self-signed certificates with makecert.exe and setting a registry value that turns off the certificate revocation check.

makecert is needed because Hyper-V Replica insists that the certificate's Enhanced Key Usage contain both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2): each server acts as a TLS client when it pushes changes and as a TLS server when it receives them. The IIS self-signed certificate and CSR wizards only add the Server Authentication EKU, so certificates made there are rejected. Two more things the replication dialog checks: the subject CN must be the name the partner uses to reach the server (HV1/HV2 below; use the FQDN if you connect by FQDN), and each server must trust the root that issued the other server's certificate.

Machine #1

1. Generate a root cert:
makecert -pe -n CN=PrimaryTestRootCA -ss root -sr LocalMachine -sky signature -r PrimaryTestRootCA.cer

2. Generate the server certificate, issued by that root (the CN is this server's own name; add -len 2048 if you want a 2048-bit key instead of makecert's default):
makecert.exe -pe -n CN=HV2 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in PrimaryTestRootCA -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 HV2.cer

3. Disable revocation checking. The self-signed certificates carry no CRL distribution point, so the revocation check Hyper-V Replica performs by default can only fail. Be aware that this also removes revocation as a control: if a server's key is compromised you must delete the certificate and the trusted root on the other server by hand, and you should remove this value again if you later move to a real CA:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Machine #2

1. Generate a root cert:
makecert -pe -n CN=RecoveryTestRootCA -ss root -sr LocalMachine -sky signature -r RecoveryTestRootCA.cer

2. Generate the server certificate, issued by that root (same remarks as on Machine #1):
makecert.exe -pe -n CN=HV1 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in RecoveryTestRootCA -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 HV1.cer
(Note: even though makecert writes a .cer file, it also places the certificate and its private key in the LocalMachine store named by -ss, so there is no additional import step.)

3. Copy PrimaryTestRootCA.cer from Machine #1 to Machine #2 and import it into the trusted root store so Machine #2 accepts HV2's certificate: certutil -addstore -f Root "PrimaryTestRootCA.cer"

4. Back on Machine #1, copy RecoveryTestRootCA.cer from Machine #2 and import it the same way so Machine #1 accepts HV1's certificate: certutil -addstore -f Root "RecoveryTestRootCA.cer"

5. Disable revocation checking on Machine #2 as well (same reasoning and same caveat as on Machine #1):

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

6. Now the certificate appears under Hyper-V Settings > Replication Configuration > Use certificate-based authentication (HTTPS) > Select Certificate on both servers. If it does not, the EKU, the CN or the trust of the issuing root is wrong; those are the three things the dialog filters on.

Important: if Windows Firewall is enabled, the replica HTTPS listener on TCP 443 must be reachable on both servers. Windows ships a disabled inbound rule named "Hyper-V Replica HTTPS Listener (TCP-In)" that you can simply enable; otherwise create an allow rule (straight quotes, not curly ones):

netsh advfirewall firewall add rule name="Https Replica in" dir=in protocol=TCP localport=443 action=allow
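The whole procedure again as one PowerShell script, added here as an example; it is not code from this post or from the two blogs credited below. It swaps the deprecated makecert for the built-in New-SelfSignedCertificate (Windows Server 2016 or later, where that cmdlet accepts -Signer, -TextExtension and -Provider), keeps the same root/server certificate layout, EKUs, registry value and firewall opening, and then runs the checks the Select Certificate dialog applies before enabling the replica listener. $RootName, $OutDir, $PartnerRootCer and $ReplicaStorage are assumed values; run it elevated on each server with that server's root name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: Hyper-V Replica certificate setup for a
# workgroup server with the built-in PKI cmdlets instead of makecert.
# Assumes Windows Server 2016+. Run once per server; the paths and names below are assumed.
$RootName       = 'PrimaryTestRootCA'          # 'RecoveryTestRootCA' on the other server
$ServerName     = $env:COMPUTERNAME            # must be the name the partner connects to
$OutDir         = 'C:\HVReplicaCerts'          # assumed
$PartnerRootCer = "$OutDir\PartnerRootCA.cer"  # the other server's root .cer, copied here (assumed)
$ReplicaStorage = 'D:\Replica'                 # assumed; where incoming replicas are stored
New-Item -ItemType Directory -Path $OutDir, $ReplicaStorage -Force | Out-Null

# 1. Root CA. The private key stays in LocalMachine\My; only the public certificate is
#    placed in Root, so nothing with a signing key sits in the trusted store.
$root = New-SelfSignedCertificate -Subject "CN=$RootName" -CertStoreLocation Cert:\LocalMachine\My `
    -KeyLength 2048 -HashAlgorithm SHA256 -KeyUsage CertSign, CRLSign `
    -NotAfter (Get-Date).AddYears(5) -TextExtension @('2.5.29.19={critical}{text}ca=true')
$rootCer = Export-Certificate -Cert $root -FilePath "$OutDir\$RootName.cer"   # copy this to the partner
Import-Certificate -FilePath $rootCer.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Server certificate issued by that root, with BOTH EKUs Hyper-V Replica requires.
#    The legacy RSA SChannel CSP and KeyExchange spec match makecert's -sp/-sy 12/-sky exchange.
$leaf = New-SelfSignedCertificate -Subject "CN=$ServerName" -DnsName $ServerName `
    -CertStoreLocation Cert:\LocalMachine\My -Signer $root `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' -KeySpec KeyExchange `
    -KeyLength 2048 -HashAlgorithm SHA256 -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2')

# 3. Trust the partner's root (steps 3/4 of the post) once its .cer has been copied over.
if (Test-Path $PartnerRootCer) {
    Import-Certificate -FilePath $PartnerRootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    Write-Warning "Partner root not found at $PartnerRootCer; copy it over and import it into Cert:\LocalMachine\Root."
}

# 4. Revocation check off: these certificates have no CRL distribution point, so the
#    default check would fail. Same value the post sets with reg add.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -Value 1 -Type DWord

# 5. Firewall: enable the shipped listener rule if present, else add the post's own rule.
$rule = Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)' -ErrorAction SilentlyContinue
if ($rule) { $rule | Enable-NetFirewallRule }
else { New-NetFirewallRule -DisplayName 'Https Replica in' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null }

# 6. The checks the Select Certificate dialog applies: both EKUs, a private key,
#    CN equal to the server name, and a chain that builds to a trusted root.
$wanted  = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
$have    = @($leaf.EnhancedKeyUsageList | ForEach-Object ObjectId)
$missing = $wanted | Where-Object { $have -notcontains $_ }
if ($missing)                 { throw "Certificate is missing EKU(s): $($missing -join ', ')" }
if (-not $leaf.HasPrivateKey) { throw 'Certificate has no private key in LocalMachine\My' }
if ($leaf.GetNameInfo('SimpleName', $false) -ne $ServerName) { throw 'Subject CN does not match the server name' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the same relaxation the registry value grants Hyper-V
if (-not $chain.Build($leaf)) { throw "Chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')" }

# 7. Select the certificate for replication (the GUI step in the post) on this server.
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $leaf.Thumbprint -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation $ReplicaStorage
"Replica listener ready: $($leaf.Subject), thumbprint $($leaf.Thumbprint)"
```

Step 6 is the part worth keeping even if you stay with makecert: it reproduces the dialog's filtering, so a certificate that fails here tells you which of the three conditions (EKU, CN, trusted root) is wrong instead of simply not appearing in the list. After both servers have run the script and imported each other's root, the remaining step is Enable-VMReplication on the primary, or the Enable Replication wizard, choosing certificate-based authentication on port 443.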


Credits to these two blogs for helping me figure this out:

http://jsmcomputers.biz/wp/?p=360  (<- The only problem with his blog is that the curly quotes (“ ”) do not work in his command-line syntax; they need to be removed, otherwise you get the error “CryptCertStrToNameW failed => 0x80092023 (-2146885597)”.)

http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
