Install PFX Certificate on SQL Server 2008 R2 – How to Install a PFX Certificate on SQL Server 2008 R2

certificatesql serversql-server-2008-r2windows

We have a MS SQL 2008 R2 service running on a Windows 7 computer. I've developed a webapplication that runs on a Digital Ocean droplet. This droplet makes a connection with this computer through a subdomain "sql.client-domain.ext" (fictive domain name).

There is a firewall which only allows connections from the droplet to the computer where SQL service is running.

I want an encrypted connection between the droplet and the computer. I've purchased a certificate.

On my local test machine I've installed the PFX certificate in the personal folder (in MMC). I've added the 'NETWORK SERVICE' user with READ permissions for the certificate key.

In the SQL management console, I can't see the certificate anywhere. I tried with service restarts, nothing.

I've also tried to change the hostname to the subdomain and added the subdomain in the hosts file under the Windows directory.

EXEC sp_addserver 'sql.client-domain.ext', local; 

Host file: 127.0.0.1 sql.client-domain.ext

I can connect in the SQL client program to sql.client-domain.ext but I can't pick the certificate.

I only need the certificate for TCP connections, not local connections.

Any hints or experienced advice?

Best Answer

Plase try to follow this steps:

Launch the Microsoft Management Console. Select File > Add/Remove snap-in:

Add a Certificates snap-in:

Select “Computer account”:

Use the Local Computer:

With the snap-in now configured, right-click on the “Personal” certificate store folder, select All Tasks > Import:

Use the certificate import wizard to select the .PFX file to import. In either case, follow the import wizard instructions. Enter the password set when the PFX file was created. Ensure that “Include all extended properties” is selected:

Select “Place all certificates in the following store” and choose the “Personal” store:

Once the certificate has been imported, SQL Server must be configured to use it. The SQL Server configuration manager for SQL Server 2008/R2 has an option to set the certificate associated with an instance, by opening the “SQL Server Networking Configuration,” right-clicking on “Protocols for ,” and opening the Certificate tab. However, this method cannot be used to select any certificate other than a machine certificate for servers that belong to a domain.

Find the “Thumbprint” of the certificate, and copy it to the clipboard. In the certificate management console, it can be found by opening the certificate, selecting the “Details” tab, scrolling to the bottom of the field list, and selecting “Thumbprint”:

After locating the thumbprint, copy it out of the certificate viewer, paste it into notepad, remove all of the spaces, and copy the modified thumbprint back to the clipboard. Be careful – it’s easy to make a mistake.
- Open regedit
- Navigate to: HKLM\Software\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib
- Locate the “Certificate” entry
- Assign its value to the thumbprint copied out of the certificate, e.g.:

The instance must be restarted for the changes to take effect.

Related Solutions

Sql-server – SQL Server 2008 encrypted connection using multiple server names

I'm pretty sure that you'll need a certificate which has multiple CNs not one with DNS entries.

The certificate was generated using Web Server template.

I don't think that's the correct template. I don't have access to a CA at the moment, but I don't think that template uses the correct server authentication certificate. The note in my book says:

The certificate must be a server authentication certificate that requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1). The certificate must also be created using the KeySpec option of AT_KEYEXCHANGE; optionally the key usage property will include key encipherment.

SQL Server – How to Set Up Encrypted Connection

To create a certificate for SSL encryption for SQL Server you need a certificate for Server authentciation. That is [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1

If you want to manually create a certificate for this using Windows Certificate services you need to do it like this.

(http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx)

Create a file named cert.inf

[NewRequest]
Subject = "CN=*FQDN*"
HashAlgorithm =  SHA256
KeyLength = 2048
Exportable = TRUE
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12 
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate= WebServer

And then generate the certificate using CERTREG.EXE

Certreq –new cert.inf cert.req
Certreq –submit cert.reg

To do the same using OpenSSL

# generate key    
openssl genrsa -des3 -out server.key 2048

# remove pass
openssl rsa -in server.key -out server.key

# generate sign request, be sure to include the correct FQDN
# (host name followed by primary dns suffix)
openssl req -new -key server.key -out server.csr

# generate self signed certificate
openssl x509 -req -in server.csr -signkey server.key -out server.crt

# include both the certificate and the private key in a PKCS12 keystore
# (leave the export key empty)
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt

In both cases you end up with a CRT that you can import to the machine store of the SQL Server and then use the SQL server configuration manager to encrypt the connections. You will have to trust the root certificate in the latter case though and in the former case, if you are not running on a domain you will have to install the root certificate for the windows CSA on both the machines

Best Answer

Related Solutions

Sql-server – SQL Server 2008 encrypted connection using multiple server names

SQL Server – How to Set Up Encrypted Connection

Related Question