Where is checkSQLssl Tool Located?

  • Question

  • Does anyone know what dir the checkSQLssl tool is located in on a 2012 Windows server with SQL Server 2016 installed?  I had requested an SSL cert to be created and want to verify it was created correctly.  I have searched high and low and found little to no information regarding this executable other than to use said tool to verify an SSL cert for SQL Server.  I can't even find it on my SQL Server server instances; any advice/information regarding this utility would be greatly appreciated.

    Thanks in advance,



    Friday, October 6, 2017 3:29 PM


All replies

  • I've never heard of that tool, but I think to check certificates you just add the certificate snap-in to an MMC console. Have you seen this?
    Add the Certificate Snap-in to an MMC
    How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console

    Also review:
    Where does SQL Server store it's Certificates

    CheckSQLssl seems to be just a command line tool, according to this article:
    Troubleshooting SSL on SQL Server

    Hope that helps,


    Phil Streiff, MCDBA, MCITP, MCSA

    • Edited by philfactor Friday, October 6, 2017 3:51 PM
    Friday, October 6, 2017 3:41 PM
  • Hey Phil!

    Yes, I have used the mmc snapin and added the certificate I was given but it fails to show up in the SQL Server configuration manager.

    Since our SQL instances run under AD accounts I logged onto the SQL Server server as the said service account and added the cert for the user to ensure the SQL Server would see it.

    I looked at that link as well but the way it speaks to the utility it sounds like a separate tool to me.

    Thank you Phil.


    Friday, October 6, 2017 3:51 PM
  • Maybe certificate wasn't installed correctly.

    I found a similar issue question here:
    SSL Certificate missing from SQL Server Configuration Manager


    Phil Streiff, MCDBA, MCITP, MCSA

    • Edited by philfactor Friday, October 6, 2017 3:55 PM
    • Marked as answer by thecoleman Friday, October 6, 2017 4:58 PM
    Friday, October 6, 2017 3:53 PM
  • Yes, I think I am going to manually register it using the thumbprint like you would a cluster, this was SQLDude's recommendation on one of his blogs located here:


    Enable a certificate for SSL on a SQL Server clustered installation

    The certificate used by SQL Server to encrypt connections is specified in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate

    This key contains a property of the certificate known as thumbprint that identifies each certificate in the server. In a clustered environment, this key will be set to Null even though the correct certificate exists in the store. To resolve this issue, you must take these additional steps on each of your cluster nodes (after you installed the certificate to each node):
    1. Navigate to the certificate store where the FQDN certificate is stored. On the properties page for the certificate, go to the Details tab and copy the thumbprint value of the certificate to a Notepad window.
    2. Remove the spaces between the hex characters in the thumbprint value in Notepad.
    3. Start regedit, navigate to the following registry key, and copy the value from step 2:
      HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Certificate
    4. If the SQL virtual server is currently on this node, failover to another node in your cluster, and then reboot the node where the registry change occurred.
    5. Repeat this procedure on all the nodes.


    Friday, October 6, 2017 4:35 PM
  • Thank you for the link Phil!  Out of that link I was able to find the command below which gave me the information I needed to verify the cert that was given to me was indeed correct. 

    It can be that the SSL certificate which you imported has the wrong KeySpec: AT_SIGNATURE instead of AT_KEYEXCHANGE. You can examine the PFX using certutil.exe -dump -v My.pfx and search for KeySpec = 1 -- AT_KEYEXCHANGE. You can remove the certificate (export to PFX before if you do not already have it as PFX) and import it once more using certutil.exe -v -importPFX My.pfx AT_KEYEXCHANGE – Oleg Apr 24 '16 at 0:15



    Friday, October 6, 2017 4:58 PM
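
A read-only check that ties together the thumbprint registry procedure and the KeySpec point from the two posts above, as an added PowerShell example that is not from the thread or the linked articles. The parameter names, the function name and the `Cert:\LocalMachine\My` default are assumptions; pass the instance's own registry key name as `-InstanceKey`.

```powershell
# Added example, not from the thread or the linked articles. Read-only.
# Assumptions: parameter names, function name and the LocalMachine\My default.
param(
    [Parameter(Mandatory)][string]$InstanceKey,       # registry key name of the instance
    [string]$PastedThumbprint = '',                   # optional: text copied from the Details tab
    [string]$StorePath = 'Cert:\LocalMachine\My'      # assumption: machine store
)

function ConvertTo-CleanThumbprint([string]$Text) {
    # Steps 1-2 of the quoted procedure: keep hex digits only, which drops the
    # spaces and any invisible character picked up when copying from the dialog.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
$regValue = (Get-ItemProperty -Path $regPath -Name Certificate -ErrorAction Stop).Certificate
$configured = ConvertTo-CleanThumbprint $regValue
if (-not $configured) { Write-Warning "Certificate value is empty under $regPath" }

# Look up the pasted thumbprint if one was given, otherwise the one already in the registry.
$wanted = if ($PastedThumbprint) { ConvertTo-CleanThumbprint $PastedThumbprint } else { $configured }
if ($wanted.Length -ne 40) { throw "Expected 40 hex characters in the thumbprint, got $($wanted.Length)" }

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $wanted in $StorePath" }

# KeySpec is readable this way only for CSP-backed keys; anything else stays
# 'unknown' and needs the certutil -dump -v check from the thread.
$keySpec = 'unknown'
try {
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if ($info) { $keySpec = [string]$info.KeyNumber }  # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
} catch { }

[pscustomobject]@{
    Subject         = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    HasPrivateKey   = $cert.HasPrivateKey
    KeySpec         = $keySpec
    MatchesRegistry = ($cert.Thumbprint -eq $configured)
}
```

A result with `HasPrivateKey` false or `KeySpec` reported as `Signature` corresponds to the mis-imported certificate described in the last reply; `MatchesRegistry` false means the registry value from the quoted procedure points at a different certificate or is empty.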
  • Do we know where this tool lives?  How to get it?
    Wednesday, July 11, 2018 9:07 PM