
I have a Server 2012R2 machine that hosts System Center. During SCVMM installation, it created itself a self-signed certificate for use with SCVMM connections. Unfortunately, it created one with a SHA-1 hash, which trips our vulnerability scanners and needs to be fixed.

I know there's a way to use the MMC's Certificate Manager console to generate a certificate request, but I have only done this to submit the request to a higher organization for cert generation and distribution. While I'm sure I can find a way to create a fully self-signed cert manually, I did have a few questions that are a little more SCVMM specific.

  1. Does SCVMM really need a self-signed certificate? The machine has a Client/Server Authentication certificate, as required by a higher organization, already installed (and it's SHA-256). Can I use this instead, or does the "Friendly name" have to include "SCVMM_CERTIFICATE_KEY_CONTAINER(serverFQDN)"?

  2. Once the SHA-1 cert is replaced (either with a new SHA-256 self-signed or the existing SHA-256 cert), does SCVMM need configuration in some way? I do not normally manage this application directly, but the individual who does did not seem to be able to find a console where you dictate what cert it is supposed to use, and neither did I.

The ITea Guy

1 Answer


Does SCVMM really need a self-signed certificate?

No, it doesn't. Actually, using self-signed certificates in an SCVMM scenario is not a good practice. It is just something to start with. It is unlikely that you can reuse an existing client/server authentication certificate for SCVMM, because it requires special extensions inside:

1.3.6.1.4.1.311.62.1.1.1 = AgEE
Key Usage = Key Encipherment, Data Encipherment (30)

I don't know the specifics of its syntax, just know that it is required. Normal TLS certificates don't have it. So, you may need to generate the CSR with the correct fields and ask the parent organization to sign it.

but the individual who does did not seem to be able to find a console where you dictate what cert it is supposed to use, and neither did I.

I don't know about the GUI console (never worked with it), but I do know that you can specify SCVMM certificate in registry:

Key = HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization
Value1 = DisableSelfSignedCertificateGeneration
Type1 = REG_QWORD
Data1 = 1

Value2 = AuthCertificateHash
Type2 = REG_SZ
Data2 = [CertThumbprint]

You create/update two values:

  • DisableSelfSignedCertificateGeneration -- disables self-signed certificate generation
  • AuthCertificateHash -- you specify normal cert's thumbprint value (all uppercase without spaces, e.g. 1234ABCDEF<...>).

In addition, you need to grant permissions for VMM service account to private key:

icacls "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys\{KeyContainer}" /grant "*S-1-5-83-0:(R)"

First, you finish the certificate enrollment process with the parent org and get the certificate installed in the Local Machine\Personal folder. Then run

certutil -store my "Cert Serial Number"

and specify your cert's serial number. The command will return some information about the certificate and if correctly installed, there will be Key Container line, e.g.

<...>
Cert Hash(sha1): 21 1b 8d 5f d2 fa 68 a4 cd 27 56 2f c2 b0 b6 1e 7f 54 b2 7e
  Key Container = 7e715043f56d6d367794d85b6f0fc494_9e3784ff-fd0b-4d70-a002-a1e4fc2f0cc8

Replace the {KeyContainer} placeholder in the icacls command with the actual key container value.

Reference: https://docs.microsoft.com/en-us/archive/blogs/hugofe/configuring-a-certificate-for-virtual-machine-connection-in-hyper-v-or-thru-scvmm

Crypt32
  • Thank you for the response! I will have to check with my organization to see if they have specifics regarding this type of cert. Would this otherwise be the same general procedure if I have to go down the self-signed route? – The ITea Guy Sep 16 '20 at 19:22
  • Only SCVMM configuration (registry) is the same. Enrollment process is very different from self-signed. – Crypt32 Sep 16 '20 at 20:46
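The following PowerShell script is an added example, not code from the question, the answer or the referenced blog post. It ties the answer's steps together: it looks up a certificate in Local Machine\Personal by thumbprint, checks the three properties the answer names (not SHA-1, the 1.3.6.1.4.1.311.62.1.1.1 extension, and Key Usage containing Key Encipherment and Data Encipherment), locates the private key container file the same way certutil's "Key Container" line does, and, only with -Apply, writes the two registry values and grants the S-1-5-83-0 ("NT VIRTUAL MACHINE\Virtual Machines") SID read access to the key. Assumptions that are mine, not the page's: the thumbprint is supplied by the caller, the key is RSA, the session is elevated, and CNG (KSP) keys are looked for under Crypto\Keys while legacy CSP keys are under Crypto\RSA\MachineKeys (the path the answer shows). The registry value types follow the answer as written (QWORD and REG_SZ).

```powershell
# Added example: check a candidate certificate for SCVMM/Hyper-V VM connection use
# and apply the registry + private key ACL changes described in the answer above.
# Without -Apply the script only reports what it would do.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,   # e.g. '1234ABCDEF...'; spaces/colons are stripped
    [switch]$Apply
)

$Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# --- Check 1: signature algorithm must not be SHA-1 (the scanner finding) ---
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha1') {
    Write-Warning "Certificate is signed with $sigAlg; scanners will still flag it."
} else {
    Write-Host "Signature algorithm: $sigAlg"
}

# --- Check 2: the SCVMM-specific extension 1.3.6.1.4.1.311.62.1.1.1 ---
# The answer lists its value as base64 'AgEE'; decoded that is the DER bytes
# 02 01 04, an ASN.1 INTEGER with value 4. We only check presence and echo the value.
$vmmOid = '1.3.6.1.4.1.311.62.1.1.1'
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $vmmOid }
if ($ext) {
    Write-Host "Found $vmmOid = $([Convert]::ToBase64String($ext.RawData)) (answer shows AgEE)"
} else {
    Write-Warning "Extension $vmmOid is missing; an ordinary TLS certificate will not do."
}

# --- Check 3: Key Usage must include Key Encipherment and Data Encipherment ---
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment
if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
    Write-Warning "Key Usage lacks Key Encipherment and/or Data Encipherment."
} else {
    Write-Host "Key Usage: $($ku.KeyUsages)"
}

# --- Locate the private key file (the value certutil prints as 'Key Container') ---
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store." }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # Assumption: CNG/KSP machine keys are stored under ProgramData\Microsoft\Crypto\Keys
    $keyFile = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CSP keys: the MachineKeys path used in the answer's icacls command
    $keyFile = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyFile)) { Write-Warning "Key file not found at $keyFile" }

# --- Registry values from the answer ---
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$vmSid   = '*S-1-5-83-0'   # NT VIRTUAL MACHINE\Virtual Machines, as in the answer

if ($Apply) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name DisableSelfSignedCertificateGeneration `
        -PropertyType QWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $regPath -Name AuthCertificateHash `
        -PropertyType String -Value $cert.Thumbprint -Force | Out-Null   # uppercase, no spaces
    & icacls.exe $keyFile /grant "${vmSid}:(R)"
    Write-Host "Applied. Restart the VMM/Hyper-V services for the new certificate to take effect."
} else {
    Write-Host "Dry run. Would set:"
    Write-Host "  $regPath\DisableSelfSignedCertificateGeneration (QWORD) = 1"
    Write-Host "  $regPath\AuthCertificateHash (REG_SZ) = $($cert.Thumbprint)"
    Write-Host "  icacls `"$keyFile`" /grant `"${vmSid}:(R)`""
}
```

Run it once without -Apply to see the warnings; a certificate that fails Check 2 or Check 3 is the "normal TLS certificate" the answer says will not work, and no amount of registry configuration fixes that. The same checks apply whether the replacement certificate comes from the parent CA or is self-signed, which is what the last comment above means by "only the SCVMM configuration (registry) is the same".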