Hyper-V Certificate Will Expire within 30 Days

Mark Berry June 18, 2011

It may be a bit sensationalistic to call it a time bomb, but apparently Hyper-V will only run for a year before the self-signed certificate that allows remote access to the machines expires. Supposedly it will auto-renew (unless you’re on Server 2008 and need this hotfix), but according to MSKB 2413735, you may still be left with an inoperable mouse and need to save/resume your VMs.

Symptoms

How do you know you’re approaching expiration? You’ll see this warning in your Hyper-V-VMMS event log:

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin
Source:        Microsoft-Windows-Hyper-V-VMMS
Event ID:      12510
Task Category: None
Level:         Warning
User:          SYSTEM
Description:  The certificate used for server authentication will expire within 30 days. Remote access to virtual machines will not be possible after the certificate expires. Please renew or recreate the certificate.

To check the certificate, you’ll need to create a new certificate viewer for the Hyper-V Virtual Machine Management service. (For instructions, see step 2 under “Deploying a certificate issued by a CA” in this TechNet article.) You’ll see that the machine’s certificate will expire soon:

Hyper-V Cert 1

A copy of the certificate is also found in the vmms\Trusted Root Certification Authorities store.
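A scripted version of the check above, as an added example that is not part of the original post or of the downloadable script: it counts recent 12510 warnings and lists the certificates in the vmms service's Personal and Trusted Root Certification Authorities stores with the days left until expiry. The function name Get-VmmsCertificate and the 30-day lookback are assumptions; it assumes PowerShell 3.0 or later, run elevated on the Hyper-V host.

```powershell
# Added example, not from the original post. Service certificate stores are not
# exposed on the Cert: drive, so open them through crypt32's CertOpenStore.
Add-Type -Namespace Native -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
    IntPtr hCryptProv, uint dwFlags, string pvPara);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
'@

function Get-VmmsCertificate {   # hypothetical helper name
    # 'My' = Personal, 'Root' = Trusted Root Certification Authorities
    param([string[]]$Store = @('My', 'Root'))
    # CERT_SYSTEM_STORE_SERVICES | CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG
    $flags = [uint32](0x00050000 -bor 0x00008000 -bor 0x00004000)
    foreach ($name in $Store) {
        # Provider 10 = CERT_STORE_PROV_SYSTEM_W; service stores are named "service\store"
        $handle = [Native.Crypt32]::CertOpenStore([IntPtr]10, 0, [IntPtr]::Zero, $flags, "vmms\$name")
        if ($handle -eq [IntPtr]::Zero) {
            Write-Warning "Could not open vmms\$name (not elevated, or store missing)"
            continue
        }
        try {
            $x509Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $handle
            foreach ($cert in $x509Store.Certificates) {
                [pscustomobject]@{
                    Store      = "vmms\$name"
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                }
            }
            $x509Store.Close()
        } finally {
            [void][Native.Crypt32]::CertCloseStore($handle, 0)
        }
    }
}

# The warning quoted above: event 12510 in the VMMS admin log, last 30 days
$warnings = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; Id = 12510
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue)
"Event 12510 occurrences in the last 30 days: $($warnings.Count)"

Get-VmmsCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```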

Update May 28, 2016: I’m now running Server 2012 R2 as a Hyper-V server. It looks like the default certificate is good for 100 years, so this problem should no longer occur:

Hyper-V Cert 7

Solution

Microsoft Support recommended following the instructions in 2413735 to create a self-signed certificate that is good until 2050. For that you need:

  • This PowerShell script: Hyper-V_Cert.zip. This is a slightly modified version of the script posted on TechNet here. The TechNet version improperly appends “WORKGROUP” to the certificate’s Subject Name if your server is not domain-joined, which prevents Hyper-V from using the certificate. See this article for more info on creating and updating Hyper-V certificates. As always, use downloaded scripts at your own risk!
  • MakeCert.exe from the Windows SDK. Use the web installer (be sure you’re on a 64-bit machine) and select only the Tools. The total download is about 80MB:

Hyper-V Cert 3

Running the Script

Put the script and makecert.exe in the same folder on your Hyper-V server and run the cert.ps1 PowerShell script.

Note: The script will save and restore all running VMs!

I assume that saving and restoring VMs will disrupt clients that are relying on a constant server connection, so do this when no one is around.

If you see “WORKGROUP” when you start the script, you’re using the version from TechNet. When the script completes, you’ll need to delete the certificate from the certificate store and use the version above.

Hyper-V Cert 4

You should instead see something like this if your server is not in a domain:

Hyper-V Cert 5

When the script completes, you should see the new certificate in the vmms\Trusted Root Certification Authorities store:

Hyper-V Cert 6

No copy is created in the vmms\Personal store.

If you stop and start the Virtual Machine Management service, you should no longer see the event log warning about the pending certificate expiration.

Update October 22, 2013

I started getting the 12510 message again and wondered why. It’s only been a year! Oh yeah: I renamed my Hyper-V server about a year ago. It automatically created a new 1-year certificate. To get a new certificate good until 2050, I found that I had to first delete the certificate with the old server name and then re-run the script as described above.



9 Comments

  1. Doug de la Torre   |  September 05, 2013 at 12:29 pm

    Thanks for this excellent article and script. This was exactly what I needed to resolve the issue. My certificate was expiring tomorrow, and luckily I stumbled over the warning on the event log before it was too late. Your article enabled me to quickly fix the problem today before the certificate expired. Much appreciated!

  2. Don Clayton   |  December 30, 2013 at 4:23 pm

    I also stumbled across this issue with about 3 days to spare. The steps are tricky but worth it. As a part time administrator, I’m happy to not have to worry about this anytime soon. Much appreciated.

  3. Mark Berry   |  April 09, 2014 at 10:42 am

    Thanks John. That does look simpler, if it works: delete the old cert and let the machine auto-create a new one. However it’s only good for 1 year. The approach in this post is about generating and installing a certificate that is good through 2050.

  4. Alan Butler   |  March 13, 2015 at 3:10 am

    Excellent and informative article in easy to follow steps! Thanks for your help, potential issue diverted!

  5. Mike Dimmick   |  March 31, 2015 at 2:48 am

    Small correction, the KB article number is 2413735.

    A user reported seeing the error message “This user account cannot access the virtual machine’s video.” This user was an administrator on our VM server (through membership of a ‘VM Users’ domain group), so should have had full access to everything. I experienced the same issue. I noticed that the certificate had recently been regenerated, so saved and resumed the VM. That seems to have resolved the problem.

  6. Mark Berry   |  March 31, 2015 at 9:22 am

    Thanks Mike. Makes sense since the script includes a save/restore to activate the new certificate.

    I’ve corrected the KB number.

  7. Marvin Miller   |  February 09, 2016 at 11:14 pm

    Impressive – I did the steps and it was like clockwork. I’m now good to 2050.

    I could find very little information on this issue – many thanks for putting it up.

    This begs the question, by 2050 I will have forgotten how to address the issue so please keep the site up ! :)

    Many thanks for showing me how to case this issue!
