Applies to: VisualSVN Server 3.7 and later
Replication Certificate is a conventional SSL/TLS certificate that conforms to the requirements listed below. You have to configure Replication Certificates on both master and slave servers in order to use certificate-based authentication for replication.
An appropriate Replication Certificate:
Should be installed in the Local Machine certificate store and have an
associated private key.
Tip The Replication Certificate Selection dialog only displays the certificates from the Local Machine that have an associated private key. All other certificates are omitted from the list.
Should have the following purposes (Extended Key Usage):
- If the server acts only as a master VDFS server, the Replication Certificate must have Server Authentication purpose.
- If the server acts only as a slave VDFS server, the Replication Certificate must have Client Authentication purpose.
- If the server simultaneously acts as a slave VDFS server and master VDFS server, the Replication Certificate must have both Client Authentication and Server Authentication purposes.
Should be valid and trusted by the peer replication servers:
- The slave server's Replication Certificate must be trusted on the master VDFS server.
- In case you use mutual authentication, the Replication Certificate installed on the master VDFS server must be trusted on the slave VDFS replication partner.
- The local VDFS service (NT SERVICE\vdfssvc) should have Read access to the private key of the Replication Certificate.
- Advanced: if you plan to use mutual authentication, the Common name of the Replication Certificate installed on the master server should match the Master server name used by the slave servers.
Self-signed replication certificates
VisualSVN Server Manager console provides a wizard to generate a self-signed Replication Certificate to simplify the configuration of VDFS in a non-domain environment. The wizard always generates self-signed certificates with both the Client Authentication and Server Authentication purposes. Therefore, the self-signed replication certificates created by VisualSVN Server Manager can be used on both master and slave VDFS servers.
A self-signed certificate is not trusted on other computers because it is not signed by a trusted Certificate Authority. To make a self-signed Replication Certificate trusted on another computer, you must manually add the certificate to the Local Machine's Trusted People store.
Follow these steps to generate a new self-signed Replication Certificate:
- Start VisualSVN Server Manager console.
- Click Action | Properties and click the Replication tab.
- Click Select certificate.
- Click More Actions | New self-signed certificate.
- Follow the steps of the wizard to complete the task.
The detailed example of creating and configuring self-signed certificates for replication can be found in the article KB120: Getting started with VDFS replication in a non-domain environment.
See alsoKB120: Getting started with VDFS replication in a non-domain environment
KB119: Understanding certificate-based authentication for replication
KB118: Understanding the VDFS replication settings