Live migration of Hyper-V VMs with a vTPM - Certificate PS commands

Question

I am trying to encrypt a host in a 2-node cluster. I was able to enable vTPM, and get the encryption done. However - I cannot live migrate the host anymore. I see that I need to export/import certificates between my two nodes. However, I'm running server core and can't seem to find Powershell commands on how to:

1. Export the two certificates from the "Shielded VM Local Certificates" from the originating node
2. Import the two certificates to the second node in my cluster.

I have been referring to the following publication for my reference.
https://www.hyper-v-server.de/news/live-migration-of-hyper-v-vms-with-a-vtpm-chip-hyperv-tpm/

Does anyone know the powershell commands to accomplish this task?

Answer 1

Hi there I just setup a shielded VM on my Windows 11 business edition and this is how I export and import the certificates using PowerShell:

# export Host Guardian service certificates with private keys and all the extended properties

$password = ConvertTo-SecureString -String "Pa$$WorD" -Force -AsPlainText

Get-ChildItem -Path "cert:\LocalMachine\Shielded VM Local Certificates\" | Export-PfxCertificate -FilePath "C:\Users\Admin\OneDrive\Desktop\HostGuardianServiceCerts.pfx" -Password $password -CryptoAlgorithmOption AES256_SHA256


# Import the certificate with private keys NOT exportable

Import-PfxCertificate -FilePath "C:\Users\Admin\OneDrive\Desktop\HostGuardianServiceCerts.pfx" -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates' -Password $password

Here is more info about the commands:

Import-PfxCertificate

Export-PfxCertificate

I think it's best if you first export the certificates with private keys and keep them in a safe place, then delete them from certificate store, import the certificates, without private keys, to both nodes of the cluster running Hyper-V.

Answer 2

As an Addition I have made an Powershell Script to copy the Certificate Files to all other Servers of the Cluster. So you can prevent a Migration Error, even when you create a VM with a vTPM Chip on another Host.

Requirements:

Enable the TPM Chip on every Hyper-V Server for one VM (you can instantly remove it afterwards)

# Server Anpassen
######################################################### 
$Servers = @(
     "Server1.contoso.com"
     "Server2.contoso.com"
     "Server3.contoso.com"
     "Server4.contoso.com"
 )  
# Script Variables 
######################################################### $password = ConvertTo-SecureString -String "Pa$$Word" -Force -AsPlainText 
$Certificates = @() 
$CertificatesName = @() 
$CertificatesUNC = @()   
# Export Certificate File 
######################################################### 
ForEach ($Server in $Servers){
      $CertificateFile = "C:\Service\HostGuard-" + $Server + ".pfx"
     $Certificates += $CertificateFile     $CertificatesName += "HostGuard-" + $Server + ".pfx"
     $CertificatesUNC += "\\" + $Server + "\C$\Service\HostGuard-" + $Server + ".pfx"
     Invoke-Command -ComputerName $Server -ScriptBlock {
         Get-ChildItem -Path "cert:\LocalMachine\Shielded VM Local Certificates\" | Export-PfxCertificate -FilePath "$Using:CertificateFile" -Password $Using:password -CryptoAlgorithmOption AES256_SHA256
         }
 }   
# Import and delte Certificate File ######################################################### 
ForEach ($count in 0..$Certificates.Count -1){
     ForEach ($Server in $Servers){
          $Destination = "\\" + $Server + "\C$\Service\" + $CertificatesName[$count]
         Copy-Item -Path $CertificatesUNC[$count] -Destination $Destination
         $CertToImport = $Certificates[$count]
         Invoke-Command -ComputerName $Server -ScriptBlock {
             Import-PfxCertificate -FilePath "$Using:CertToImport" -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates' -Password $Using:password -Exportable
             Remove-Item $Using:CertToImport
         }
     }
 }