SQL Server SSL Certificate

  • Question

  • Hi All,

    I am slowly getting to the bottom of applying SSL throughout my project but am stuck in the current situation and I need help please.

    Project is a Java servlet running on Windows. Java 1.6 and Tomcat 7 but connects to a SQL Server database and an Oracle database (running on Unix). We have a keystore set up successfully on the servlet's server with root, intermediate certificates etc. that successfully encrypts the connection to Oracle. The server team maintaining the server hosting the SQL Server database have supplied me with an SSL certificate that I am told is for accessing the SQL Server database. I am assuming it is a public key certificate.

    I am trying to apply this certificate to encrypt the network traffic to the SQL Server database. I have attempted to import the certificate into the keystore mentioned above using the Java keytool but this does not work so I deleted the certificate from the keystore again. I found the URL below which I have followed to install the certificate through MMC but cannot find how to now force Tomcat to encrypt the network traffic.


    Can someone please tell me what I am missing here please? There is loads of guidance on setting up keystores with root and intermediate certificates etc, but I cannot find any guidance on what to do in Tomcat to use a single provided SSL certificate. Do I use the Java cacerts file and import the certificate in there?

    Thanks in advance



    Friday, February 7, 2014 10:53 AM

All replies

  • Hi alanjo,

    I am trying to involve someone more familiar with this topic for a further look at this issue. Some delay might be expected from the job transferring. Your patience is greatly appreciated.

    Thank you for your understanding and support.

    Sofiya Li
    TechNet Community Support

    Wednesday, February 12, 2014 3:23 AM
  • Hi alanjo,

    The URL you mentioned has explained how to use SSL encryption with SQL Server and there are basically two methods: enable the Force Protocol Encryption either on the server or on the client.

    For both methods, the certificate shall be first installed on the server side (the server running SQL Server).

    Then you can enable the Force Protocol Encryption by following the steps mentioned on the URL.

    In case you want to enable the Force Protocol Encryption on the client side, you have to first export the Trusted Root Certificate Authority from the server and import this to the client. Your client connection can also be verified. Then you shall be able to have your connections from the client to the SQL Server using SSL encryption.

    Wednesday, February 12, 2014 2:08 PM
  • Hi SQL Team - MSFT

    Thank you for your response.

    I have been looking at this further.  I have only been given one SSL certificate which I am assuming, because it has a file format of ".cer", is the public key for the certificate on the server hosting the SQL Server database.  For this to work the way we want, the "clients" will not have SQL Server Configuration Manager installed, but instead will have the SSL certificate mentioned above stored in a keystore set up with the "Keytool" in the Java JRE.

    I am unsure how the guys who manage the server hosting the SQL Server database have set up the SSL certificate, i.e. if they have set up a root and intermediate certificate etc.  I am currently trying to get information out of them (they are not located immediately near my location).  I have a funny feeling they have not set up the SSL at their end correctly, and I am wondering if they have just imported into the server's browser the same public key certificate they forwarded to me.  When you say "you have to first export the Trusted Root Certificate Authority from the server and import this to the client", what part of the SSL certificate(s) do you mean?

    Do you mean the Certificate Authority root certificate and I have to import that into the client as well as the public key certificate?

    I look forward to your next feedback.



    Wednesday, February 12, 2014 4:26 PM
  • Hi Alanjo,

    For Trusted Root Certificate Authority export/import, I mean you have to import the public key certificate in the mentioned way as specified in the section "Enable encryption for a specific client". Therefore, if your server team has already finished the first step, i.e., generating a .cer file matching the step description, then you can finish the second step, i.e., importing the generated .cer file.

    In addition, you have to make sure the certificate has been installed in the server part.

    Thursday, February 13, 2014 1:20 AM
  • Hi,

    Thanks again for a prompt response.  In your last answer you mention the "Enable encryption for a specific client" to import the certificate.  But as I said previously the client machine will not have SQL Server Configuration Manager installed, so we cannot follow the instructions in "Enable encryption for a specific client" on the client machine.

    You also stated "you have to make sure the certificate has been installed in the server part".  Yes!  I am investigating with the server team to determine how exactly this was set up.

    Can I ask, how would you set up the following then:

    1. The server running the SQL Server database is obviously a Windows machine, and this will be the SSL host and not the client.  What would be the process on this machine?
    2. Then we have another Windows server across the internet, outside our firewall that hosts the Java servlet on Tomcat and this will be the client but will NOT have SQL Server Configuration Manager installed.  What would be the process on this machine?

    Thanks in advance for any assistance you can provide.  Your guidance is appreciated.



    Thursday, February 13, 2014 10:28 AM
  • Hi, Alanjo

    1. If the client configuration is not possible in your situation, you can also find the way of using server (SQL Server) configuration to enable SSL at the server side, which is another solution mentioned in the URL.

    2. You may also need information from this URL "http://technet.microsoft.com/en-us/library/ms186362%28v=SQL.105%29.aspx"

    From a support perspective, additional questions are beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs:  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Friday, February 14, 2014 1:41 AM
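
For the client-side case discussed in this thread (a Java/Tomcat client without SQL Server Configuration Manager), the following is an added example and not part of the original thread: it loads the supplied `.cer` into a dedicated Java trust store and opens an encrypted, certificate-validated JDBC connection. It assumes the Microsoft JDBC Driver for SQL Server is on the classpath and that the `.cer` holds the server's certificate or its issuing CA; the host name, paths, database name and credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;

public class SqlServerTlsClient {
    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions, not taken from the thread).
        String cerPath = "C:/certs/sqlserver.cer";
        String storePath = "C:/certs/sqlserver-truststore.jks";
        String storePass = "changeit";

        // 1. Parse the supplied .cer: an X.509 public certificate, no private key.
        InputStream in = new FileInputStream(cerPath);
        X509Certificate cert;
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());

        // 2. Store it as a trusted-certificate entry in its own trust store.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                       // start from an empty store
        ts.setCertificateEntry("sqlserver", cert);
        OutputStream out = new FileOutputStream(storePath);
        try { ts.store(out, storePass.toCharArray()); } finally { out.close(); }

        // 3. encrypt=true requests TLS; trustServerCertificate=false makes the driver
        //    validate the chain and host name (see also hostNameInCertificate).
        String url = "jdbc:sqlserver://sqlhost.example.com:1433;databaseName=AppDb"
                + ";encrypt=true;trustServerCertificate=false"
                + ";trustStore=" + storePath + ";trustStorePassword=" + storePass;
        Connection con = DriverManager.getConnection(url, "appUser", "appPassword");
        try {
            // Confirm on the server that this session is encrypted (needs VIEW SERVER STATE).
            ResultSet rs = con.createStatement().executeQuery(
                "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID");
            rs.next();
            System.out.println("encrypt_option = " + rs.getString(1));
        } finally { con.close(); }
    }
}
```

If the printed Subject and Issuer are identical, the file is a self-signed or root certificate; if they differ, it is a certificate issued by a CA, and trusting that CA's certificate instead lets the client keep working when the server certificate is renewed.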