Mark Berry June 18, 2011
It may be a bit sensationalistic to call it a time bomb, but apparently Hyper-V will only run for a year before the self-signed certificate that allows remote access to the machines expires. Supposedly it will auto-renew (unless you’re on Server 2008 and need this hotfix), but according to MSKB 2413735, you may still be left with an inoperable mouse and need to save/resume your VMs.
How do you know you’re approaching expiration? You’ll see this warning in your Hyper-V-VMMS event log:
Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin
Event ID: 12510
Task Category: None
Description: The certificate used for server authentication will expire within 30 days. Remote access to virtual machines will not be possible after the certificate expires. Please renew or recreate the certificate.
To check the certificate, you’ll need to create a new certificate viewer for the Hyper-V Virtual Machine Management service. (For instructions, in this TechNet article, see step 2 under “Deploying a certificate issued by a CA.”) You’ll see that the machine’s certificate will expire soon:
A copy of the certificate is also found in the vmms\Trusted Root Certification Authorities store.
Update May 28, 2016
I’m now running Server 2012 R2 as a Hyper-V server. It looks like the default certificate is good for 100 years, so this problem should no longer occur:
Microsoft Support recommended following the instructions in 2413735 to create a self-signed certificate that is good until 2050. For that you need:
- This PowerShell script: Hyper-V_Cert.zip. This is a slightly modified version of the script posted on TechNet here. The TechNet version improperly appends “WORKGROUP” to the certificate’s Subject Name if your server is not domain-joined, which prevents Hyper-V from using the certificate. See this article for more info on creating and updating Hyper-V certificates. As always, use downloaded scripts at your own risk!
- MakeCert.exe from the Windows SDK. Use the web installer (be sure you’re on a 64-bit machine) and select only the Tools. The total download is about 80MB:
Running the Script
Put the script and makecert.exe in the same folder on your Hyper-V server and run the cert.ps1 PowerShell script.
Note: The script will save and restore all running VMs!
I assume that saving and restoring VMs will disrupt clients that are relying on a constant server connection, so do this when no one is around.
If you see “WORKGROUP” when you start the script, you’re using the version from TechNet. When the script completes, you’ll need to delete the certificate from the certificate store and use the version above.
You should instead see something like this if your server is not in a domain:
When the script completes, you should see the new certificate in the vmms\Trusted Root Certification Authorities store:
No copy is created in the vmms\Personal store.
If you stop and start the Virtual Machine Management service, you should no longer see the event log warning about the pending certificate expiration.
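One way to confirm that result from PowerShell, as an added example that is not part of the original post or of the Microsoft script: it looks for event 12510 in the log named above and counts how many were logged since the vmms service process last started. The 45-day window and the function name Get-VmmsCertWarning are assumptions; run it in an elevated Windows PowerShell session on the Hyper-V host.

```powershell
# Added example: check for Hyper-V certificate-expiry warnings (event 12510)
# and whether any were logged after the VMMS service last started.
$logName      = 'Microsoft-Windows-Hyper-V-VMMS-Admin'  # log name from the article
$eventId      = 12510                                   # event ID from the article
$lookbackDays = 45                                      # assumption: arbitrary search window

function Get-VmmsCertWarning {
    param([datetime]$Since)
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $filter = @{ LogName = $logName; Id = $eventId; StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

# Find when the Virtual Machine Management service process (vmms) started.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='vmms'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    Write-Warning 'The vmms service is not running; start it before checking.'
    return
}
$started = (Get-Process -Id $svc.ProcessId).StartTime

# Get-WinEvent returns the newest event first.
$recent     = @(Get-VmmsCertWarning -Since (Get-Date).AddDays(-$lookbackDays))
$sinceStart = @($recent | Where-Object { $_.TimeCreated -ge $started })

$latest = $null
if ($recent.Count -gt 0) { $latest = $recent[0].TimeCreated }

New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    VmmsStarted        = $started
    WarningsInWindow   = $recent.Count
    WarningsSinceStart = $sinceStart.Count
    LatestWarning      = $latest
}

if ($sinceStart.Count -gt 0) {
    # The service still sees a certificate that expires within 30 days.
    Write-Warning "Event $eventId was logged after the last vmms start ($started)."
} else {
    Write-Output "No event $eventId since the last vmms start ($started)."
}
```

A non-zero WarningsSinceStart after the restart means the service is still using a certificate that is within 30 days of expiring.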
Update October 22, 2013
I started getting the 12510 message again and wondered why. It’s only been a year! Oh yeah: I renamed my Hyper-V server about a year ago. It automatically created a new 1-year certificate. To get a new certificate good until 2050, I found that I had to first delete the certificate with the old server name and then re-run the script as described above.