Step-by-Step - Using a Self-Signed (Private) Certificate (makecert.exe) with Windows Azure Backup Vault and Windows Server 2012 R2
This is a “step-by-step” lab guide to implementing Windows Azure Recovery Services/Backup Vault with Windows Server 2012 R2 using a self-signed (private) certificate you make with makecert.exe.
Windows Azure Recovery Services can help you protect important server data offsite with automated backups to Windows Azure Backup Vaults, where they are available for easy data restoration. Available in eight regions worldwide, Windows Azure Recovery Services provides secure and reliable storage, built with durability in mind, and geo-replication provides redundancy of your data across regions to ensure access to your data in the event of a local disaster. Here in Florida we get our fair share of storms, so off-premises backups are always considered, and most do this as a best practice.
This lab will walk you through the creation of the vault you will use to store backups, creating a self-signed (private) certificate with makecert.exe, uploading the certificate to Windows Azure, installation of the Windows Azure Backup Agent, and an overview of the backup management tasks available through the management portal and the agent.
To successfully complete this lab you must have an X.509 v3 certificate to register your server(s) with Windows Azure Backup Vaults as well as a Windows Azure account. If you do not have a Windows Azure account, sign up here: https://aka.ms/try-azure
Prerequisites:
- A Microsoft LiveID - Sign up here
- Windows Azure account (Trial, Pay-As-You-Go, or Purchased Plan) https://aka.ms/try-azure
- Windows Azure Backup Preview Feature enabled (this must be signed up for separately)
- Enable it here: https://www.windowsazure.com/en-us/services/preview/
- Windows 8 Software Development Kit (SDK) Download here: https://msdn.microsoft.com/en-us/library/windows/desktop/hh852363.aspx
- Self-Signed Certificate generated by makecert.exe later in this lab guide
Lab Guide:
Windows Azure Account
Sign up for a Windows Azure 30-Day Trial account here: https://aka.ms/try-azure
Note: You will need a credit card to sign up for the trial account.
What you get with your Windows Azure 30-Day Trial:
$200 USD of Windows Azure services. Build what you want, scale as you need, and full access with no strings attached.
- Create and run Virtual Machines
- Develop a modern app using Cloud Services
- Build and deploy Web Sites
- Spin up Mobile back-ends for Android, iOS or Windows Phone 8
- Store, backup and recover data
- Encode and share video
And much, much more...
Windows Azure Backup Preview Feature
After you sign up for your Windows Azure account, you must also sign up for Windows Azure Backup, which is currently in Preview. What does Preview mean? Features or services in Windows Azure that are in Preview status are beta versions and are not meant for production use and are not covered by any type of Service Level Agreement (SLA) pertaining to Windows Azure. For more information, click here.
Sign into your new Windows Azure account. Scroll through the list of services offered with your Trial account on the left navigation sidebar. You will notice that you do not see an icon for Recovery Services. Windows Azure Backup is categorized under this service tab. You will need to add it to your Trial account.
Open a new tab on your browser and navigate to the following URL:
https://www.windowsazure.com/en-us/services/preview/
Scroll down to Backup and click on the “try it now” button.
After you add the Backup Preview to your account, switch back to your Portal browser tab and refresh it. You should now see the Recovery Services icon in the left navigation sidebar, like the screenshot above. If you do not see it, you may need to log out and log back in to your account.
Windows 8 SDK
makecert.exe is not included with Windows Server 2012 or 2012 R2. You will need to download the Windows 8 Software Development Kit (SDK) to obtain the makecert.exe utility. The makecert.exe command is part of the core installation of the SDK, so you will not need to download and install the entire SDK.
Use the following URL to download the Windows 8 SDK:
https://msdn.microsoft.com/en-us/library/windows/desktop/hh852363.aspx
1. Click on the Download button.
2. Click Run on the pop-up download bar.
3. Select Install Windows Software Development Kit to this computer. Use the default path. Click Next.
4. Select your preference for CEIP. Click Next.
5. Click Accept to continue.
6. Select only Windows Software Development Kit, unless you wish to install the entire SDK. Click Next.
7. Installation in progress…
8. Installation complete. Click Close.
9. Verify that makecert.exe has been installed. makecert.exe will be located in this directory: C:\Program Files (x86)\Windows Kits\8.0\bin\x64
Create a Self-Signed (Private) Certificate
Now that the makecert.exe utility is installed on your server, we can create a self-signed certificate to upload to Windows Azure.
1. Right-click on Command Prompt and select Run as administrator
2. Change to the directory for makecert.exe.
cd "C:\Program Files (x86)\Windows Kits\8.0\bin\x64"
3. Run the makecert.exe command with the following syntax to create your self-signed certificate. Replace “CertificateName” with your values. To make it simple, let’s use “AzureBackup” for the purpose of this lab guide.
Command Syntax Example:
makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer
Command Syntax to Execute:
makecert.exe -r -pe -n CN=AzureBackup -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 AzureBackup.cer
You may Copy and Paste the above command into the Command Prompt window.
4. You now have successfully created a self-signed certificate, meeting the requirements defined by Windows Azure, and it is currently saved in the current directory where makecert.exe is located. Let’s move it to a more easily accessible location.
Use Windows Explorer to copy and paste the AzureBackup.cer file to your choice of locations. For the purpose of this guide, it will be copied to the Desktop.
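Before uploading, the certificate can be checked against the makecert flags used above. The following PowerShell is an added example, not part of the original guide; the Desktop location of AzureBackup.cer follows the lab's choice, and the variable names are assumptions.

```powershell
# Added example: confirm the certificate in LocalMachine\My matches the makecert
# flags used in this guide, and that the .cer to upload is its public half only.
$subject   = 'CN=AzureBackup'                            # -n value from the guide
$clientEku = '1.3.6.1.5.5.7.3.2'                         # -eku value (client authentication)
$cerPath   = "$env:USERPROFILE\Desktop\AzureBackup.cer"  # assumed copy location (Desktop)

# -ss my -sr localmachine places the certificate in the Local Machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in LocalMachine\My" }

# Collect the enhanced key usage OIDs present on the store certificate.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = @($cert.Extensions |
    Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Load the exported file that will be uploaded to the vault.
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

$now = Get-Date
$checks = [ordered]@{
    'X.509 version 3'                = ($cert.Version -eq 3)
    'Private key present in store'   = ($cert.HasPrivateKey)
    'RSA key is at least 2048 bits'  = ($cert.PublicKey.Key.KeySize -ge 2048)
    'Client Authentication EKU'      = ($ekus -contains $clientEku)
    'Within validity period'         = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    '.cer matches store certificate' = ($file.Thumbprint -eq $cert.Thumbprint)
    '.cer carries no private key'    = (-not $file.HasPrivateKey)
}

# Print one line per check, then the thumbprint to compare after the upload.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
'Thumbprint: {0}' -f $cert.Thumbprint
```

The private key never leaves the server's certificate store; only the .cer file, which holds the public certificate, is uploaded to the vault.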
You are now ready to create your Windows Azure Backup vault and upload the newly created certificate.
Create a Windows Azure Backup Vault
To get started, select Recovery Services from the left navigation sidebar in the Windows Azure portal.
1. Click Create A New Vault.
2. Enter a name for your Backup Vault and select the closest Region to your location. Click Create Vault to continue.
For the purpose of this lab guide, TestBackup and West US were used.
3. The Vault is created successfully and is Active.
4. Click on the Vault name to view the Quick Start screen.
Click on either of the Manage Certificate choices:
Under Upload your public certificate to the backup vault
or
In the bottom taskbar
5. Browse to your certificate location, select the certificate file, and click the Circled Checkmark to continue.
You will get this type of notification for a successful upload.
Register Your Server with the Windows Azure Backup Vault
Now that you have created a Windows Azure Backup Vault and uploaded your certificate, it is time to register your server with the Backup Vault. But first, you need to download the Windows Azure Backup Agent.
In the Windows Azure portal, you should still be on the Quick Start screen for your Backup Vault after you uploaded your certificate. If not, navigate back.
1. Click on Download Agent.
2. Click on Download for your appropriate version of Windows Server.
3. Click Run to install the Windows Azure Backup Agent.
After you have installed the Agent, click the Circled Checkmark from the screenshot in Step 2 to close the pop-out window. The Agent installation program will create a Desktop icon and Start Screen tile.
4. Launch the Windows Azure Backup Agent.
5. In the Actions pane on the right, click Register Server. The Register Server Wizard will launch.
6. Proxy Configuration. Set your appropriate settings if necessary. Click Next.
7. Vault Identification. Click Browse and select the certificate that was just uploaded.
Select your certificate and click OK.
8. After you select the certificate, select your Backup Vault from the drop-down menu.
Click Next.
9. Encryption Settings. Enter your own passphrase or click Generate Passphrase. Select the location to store the passphrase txt file. For the purpose of this lab guide, a generated passphrase was used and stored in the Documents folder. As a security best practice, this is not recommended.
Click Register.
10. After the server has been successfully registered, click Close.
Your server has now been successfully registered with your Windows Azure Backup Vault. Let’s configure the Windows Azure Backup Agent to test the backup.
Configure Windows Azure Backup Agent
After your server has been successfully registered, you have to configure the Windows Azure Backup Agent to be able to test the backup function and complete the lab.
1. In the Actions Pane, select Schedule Backup. The Schedule Backup Wizard is launched.
2. Getting started. Click Next.
3. Select Items to Backup. Select Add Items to continue. For the purpose of this lab guide, the Documents folder was the only item selected.
Click Next.