Understanding Replication Certificates

Applies to: VisualSVN Server 3.7 and later

A Replication Certificate is a conventional SSL/TLS certificate that conforms to the requirements listed below. You have to configure Replication Certificates on both the master and the slave servers in order to use certificate-based authentication for replication.

An appropriate Replication Certificate:

  1. Should be installed in the Local Machine certificate store and have an associated private key.
    Tip
    The Replication Certificate Selection dialog only displays the certificates from the Local Machine that have an associated private key. All other certificates are omitted from the list.
  2. Should have the following purposes (Extended Key Usage):
    1. If the server acts only as a master VDFS server, the Replication Certificate must have Server Authentication purpose.
    2. If the server acts only as a slave VDFS server, the Replication Certificate must have Client Authentication purpose.
    3. If the server simultaneously acts as a slave VDFS server and master VDFS server, the Replication Certificate must have both Client Authentication and Server Authentication purposes.
  3. Should be valid and trusted by the peer replication servers:
    1. The slave server's Replication Certificate must be trusted on the master VDFS server.
    2. In case you use mutual authentication, the Replication Certificate installed on the master VDFS server must be trusted on the slave VDFS replication partner.
  4. The local VDFS service (NT SERVICE\vdfssvc) should have Read access to the private key of the Replication Certificate.
  5. Advanced: if you plan to use mutual authentication, the Common name of the Replication Certificate installed on the master server should match the Master server name used by the slave servers.
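The requirements above can be checked on a server without opening the Replication Certificate Selection dialog. The following PowerShell script is an added example and not VisualSVN's own code: the `-Thumbprint`, `-Role` and `-ExpectedMasterName` parameters are its own, and it assumes the private key is an RSA software key whose container file lives under `%ProgramData%\Microsoft\Crypto` (a TPM or HSM-backed key has no such file, so requirement 4 would have to be checked through the key provider instead).

```powershell
# Added example, not VisualSVN's own code: audits a certificate in the Local Machine
# Personal store against the Replication Certificate requirements listed in the article.
# Assumptions (not from the article): thumbprint, role and expected master name are
# supplied by the caller; the key is an RSA software key stored under
# $env:ProgramData\Microsoft\Crypto.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [ValidateSet('Master', 'Slave', 'Both')] [string] $Role = 'Both',
    [string] $ExpectedMasterName   # only relevant for Master/Both with mutual authentication
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication purpose (EKU)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication purpose (EKU)
$VdfsAccount   = 'NT SERVICE\vdfssvc'  # local VDFS service identity named in the article
$problems      = @()

# Requirement 1: present in the Local Machine store with an associated private key
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { $problems += 'No associated private key (the selection dialog will not list it)' }

# Requirement 2: Extended Key Usage matches the server role
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if (($Role -in @('Master', 'Both')) -and ($ekus -notcontains $ServerAuthOid)) {
    $problems += 'Missing Server Authentication purpose (required on a master)'
}
if (($Role -in @('Slave', 'Both')) -and ($ekus -notcontains $ClientAuthOid)) {
    $problems += 'Missing Client Authentication purpose (required on a slave)'
}

# Requirement 3 (local part): inside its validity period. Whether the peer trusts it
# can only be verified on the peer itself.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period $($cert.NotBefore) .. $($cert.NotAfter)"
}

# Requirement 4: NT SERVICE\vdfssvc has Read access to the private key container file
$keyName = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName                               # CNG key container
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # legacy CSP key container
    }
} catch { Write-Warning "Cannot open the private key: $_" }
if ($keyName) {
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($keyFile) {
        $readRight = [System.Security.AccessControl.FileSystemRights]::Read
        # Parentheses matter: in PowerShell -eq binds tighter than -band
        $grant = (Get-Acl $keyFile.FullName).Access | Where-Object {
            $_.IdentityReference.Value -eq $VdfsAccount -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readRight) -eq $readRight) }
        if (-not $grant) { $problems += "$VdfsAccount has no Read access to $($keyFile.FullName)" }
    } else { Write-Warning "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }
}

# Requirement 5: with mutual authentication the master certificate's CN must equal the
# master server name the slaves use
if ($ExpectedMasterName -and ($Role -in @('Master', 'Both'))) {
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedMasterName) { $problems += "Common name '$cn' does not match master server name '$ExpectedMasterName'" }
}

if ($problems) { $problems | ForEach-Object { Write-Output "FAIL: $_" }; exit 1 }
Write-Output "OK: $($cert.Subject) ($Thumbprint) meets the Replication Certificate requirements for role '$Role'"
```

Run it from an elevated PowerShell prompt on the server being checked, for example `.\Test-ReplicationCert.ps1 -Thumbprint <hex thumbprint> -Role Master -ExpectedMasterName <the master name your slaves use>`; the private key ACL can only be read with administrative rights, and the script name here is a placeholder of your choosing.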

Self-signed replication certificates

The VisualSVN Server Manager console provides a wizard to generate a self-signed Replication Certificate, which simplifies the configuration of VDFS in a non-domain environment. The wizard always generates self-signed certificates with both the Client Authentication and Server Authentication purposes. Therefore, the self-signed replication certificates created by VisualSVN Server Manager can be used on both master and slave VDFS servers.

A self-signed certificate is not trusted on other computers because it is not signed by a trusted Certificate Authority. To make a self-signed Replication Certificate trusted on another computer, you must manually add the certificate to the Local Machine's Trusted People store.
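The manual step just described, carried out with PowerShell, as an added example that is not part of this article or of VisualSVN Server. The `-Thumbprint`, `-CerPath` and `-OnPeer` parameters are the script's own assumptions, and it assumes you copy the exported `.cer` file between the two servers by whatever means you normally use.

```powershell
# Added example, not VisualSVN's own code: exports the public part of a self-signed
# Replication Certificate on the server that owns it and installs it into the peer's
# Local Machine Trusted People store.
# Assumptions (not from the article): thumbprint and file path are supplied by the caller;
# the .cer file is transferred to the peer out of band.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $CerPath = "$env:TEMP\replication-cert.cer",
    [switch] $OnPeer   # omit on the owning server, add on the server that must trust the certificate
)

if (-not $OnPeer) {
    # Owning server: export the certificate only. The private key (PFX) stays here;
    # the peer needs nothing more than the public certificate to trust it.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
    Write-Output "Exported public certificate to $CerPath; copy it to the peer and run this script there with -OnPeer"
    return
}

# Peer server: confirm the file really is the expected certificate before trusting it,
# so a swapped or tampered .cer cannot be installed by mistake.
$incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($incoming.Thumbprint -ne $Thumbprint) {
    throw "File $CerPath has thumbprint $($incoming.Thumbprint), expected $Thumbprint; not importing"
}
if ($incoming.HasPrivateKey) { throw "$CerPath carries a private key; only the public certificate should be distributed" }

# Trusted People (not Trusted Root) is the right store: the certificate is trusted as an
# end entity only and cannot be used to issue other certificates.
$store = 'Cert:\LocalMachine\TrustedPeople'
$already = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($already) {
    Write-Output "Certificate $Thumbprint is already present in $store"
} else {
    Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
}

# Verify the result and remind which direction of trust this establishes
$installed = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $installed) { throw "Import into $store did not succeed" }
Write-Output "Trusted: $($installed.Subject) ($Thumbprint) in $store"
Write-Output 'A slave certificate must be trusted on the master; with mutual authentication the master certificate must also be trusted on each slave.'
```

Run the script once without `-OnPeer` on the server that owns the certificate, copy the resulting `.cer` file, then run it with `-OnPeer` in an elevated prompt on each replication partner that must trust it. Comparing the thumbprint before the import is the check that protects the Trusted People store from an unexpected file.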

Note
We recommend using certificates signed by a local or third-party Certificate Authority if your environment has a strict security policy. However, it should be relatively safe to install the self-signed Replication Certificate into the Trusted People certificate store. The self-signed certificate generated by VisualSVN Server is intended to be used only as a Replication Certificate and cannot be used for other purposes (for example, to sign other certificates).

Follow these steps to generate a new self-signed Replication Certificate:

  1. Start VisualSVN Server Manager console.
  2. Click Action | Properties and click the Replication tab.
  3. Click Select certificate.
  4. Click More Actions | New self-signed certificate.
  5. Follow the steps of the wizard to complete the task.

A detailed example of creating and configuring self-signed certificates for replication can be found in the article KB120: Getting started with VDFS replication in a non-domain environment.

See also

KB120: Getting started with VDFS replication in a non-domain environment
KB119: Understanding certificate-based authentication for replication
KB118: Understanding the VDFS replication settings