Problem with SQL service and certificate

  • Question

  • I have a SQL 2012 server and it is reporting a vulnerability with a SHA-1 cert.

    The server itself currently has a couple of SHA256 certs, which would seem to be able to resolve the issue, already installed in its personal certificate store.

    But when I go to SQL Server Configuration Manager --> SQL Server Network Configuration, right-click on Protocols for the instance and select Properties, on the Certificate tab no certificate is highlighted, and in the drop-down my only certificate options are 2 old SHA-1 certs. None of the SHA256 certs.

    I tried deleting the SHA-1 cert, and when I restarted SQL it generated a self-signed cert, which doesn't resolve the issue.

    So I'm wondering why is SQL showing all the certs in its personal store (they are all Server Authentication certs) and what triggered it to generate a self-signed cert.

    We have many SQL servers here and no other one has this issue, but this instance was installed by a third party vendor.


    Tuesday, March 26, 2019 2:19 PM

All replies

  • Hi RMorrissey64,

    Based on my test, I can only see SHA1 certificate in SSCM too. Although SQL Server could use SHA-256 certificate, SSCM would not recognize it. When you enable Encrypted Connections to the database engine, and there is no other certificate SQL Server can use, a self-signed certificate is automatically generated and used to encrypt the connection to the TLS/SSL protocol. You can see the following message in the SQL Server error log.
    2019-03-27 10:53:53.810 spid11s      A self-generated certificate was successfully loaded for encryption.

    In order to make your SHA-256 certificates work, you will have to edit some registry keys and enter the thumbprint of the certificate into the Certificate value. Please refer to Forced Encryption with SHA256 and Enable Encrypted Connections to the Database Engine.

    Best Regards,
    Puzzle
    MSDN Community Support

    • Edited by Puzzle_Chen Wednesday, March 27, 2019 3:22 AM
    Wednesday, March 27, 2019 2:57 AM
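The registry step the reply describes, as an added PowerShell example (not code from the thread or from Microsoft): it selects a SHA-256 Server Authentication certificate with a private key from the machine's personal store, checks that it matches the host name, and writes its thumbprint to the SQL Server instance's Certificate value. The registry key assumes a SQL Server 2012 default instance (MSSQL11.MSSQLSERVER); $InstanceKey is an assumption to adjust for a named instance.

```powershell
# Added example, not from the thread. Run elevated on the SQL Server host.
# Assumption: SQL Server 2012 default instance; change the MSSQL11.<instance>
# segment for a named instance.
$InstanceKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Candidate certs: SHA-256 signed, not expired, private key present, Server Auth EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.SignatureAlgorithm.FriendlyName -match 'sha256' -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
}

# Prefer a certificate whose subject alternative names cover this host's FQDN,
# otherwise the client-side name check fails even though encryption works.
$cert = $candidates | Where-Object { $_.DnsNameList.Unicode -contains $fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No SHA-256 Server Authentication certificate with a private key found for $fqdn"
}

Write-Host "Selected: $($cert.Subject)  expires $($cert.NotAfter)  thumbprint $($cert.Thumbprint)"

# SQL Server reads the thumbprint as a plain string with no spaces.
Set-ItemProperty -Path $InstanceKey -Name Certificate -Value $cert.Thumbprint.ToLower() -Type String

# Read it back so a typo or wrong instance key is caught before the restart.
$written = (Get-ItemProperty -Path $InstanceKey -Name Certificate).Certificate
if ($written -ne $cert.Thumbprint.ToLower()) { throw "Registry value was not written as expected" }

# The SQL Server service account still needs Read access to the private key,
# and the service must be restarted (Restart-Service MSSQLSERVER) for the change
# to take effect; confirm in the error log that the certificate was loaded.
```

After the restart, the error log should report the certificate by its thumbprint rather than the "self-generated certificate" line quoted in the reply.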