Database mirror certificate expired

  • Question

  • Does anyone have the experience to solve this?
    Monday, June 11, 2007 11:01 PM

Answers

  • Certificate lifetimes cannot be extended.

    For each machine that has an expired cert, here are the steps to replace the cert. I'll call the instance that has the cert expired M1, the peer M2:

    1) on M1: create a new certificate in [master]

    2) on M1: export (backup) the public key part of the cert

    3) on M2: restore the cert, under the same owner (authorization) as the old cert on the peer

    4) on M1: alter the endpoint to use the new cert (ALTER ENDPOINT ... FOR DATABASE_MIRRORING (AUTHENTICATION = CERTIFICATE [new_cert]))

    5) on M1: drop the old cert

    6) on M2: drop the old cert

     

    You'll probably have to repeat the steps in the other direction as well (swap M1 with M2), since most likely the peer's cert is also expired.

    Monday, June 18, 2007 4:34 PM
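
    The six steps above written out as T-SQL, as an added example that is not part of the original answer. The names `M1_cert_old`, `M1_cert_new`, `M1_user`, `Mirroring_Endpoint`, the file path and the expiry date are all placeholders; substitute the values from your own instances.

```sql
-- Added example: all certificate, user and endpoint names, the path and the date are placeholders.

-- Run on each instance before and after the change:
-- shows which certificate the mirroring endpoint uses and when it expires.
USE master;
SELECT e.name AS endpoint_name, c.name AS cert_name, c.expiry_date
FROM sys.database_mirroring_endpoints AS e
JOIN sys.certificates AS c ON c.certificate_id = e.certificate_id;

-- Step 1 (on M1): create the replacement certificate in master.
USE master;
CREATE CERTIFICATE M1_cert_new
    WITH SUBJECT = 'M1 certificate for database mirroring',
    EXPIRY_DATE = '20301231';   -- constructed date, unambiguous yyyymmdd form

-- Step 2 (on M1): back up the certificate. Without a WITH PRIVATE KEY clause
-- only the public part is written, so the private key never leaves M1.
BACKUP CERTIFICATE M1_cert_new TO FILE = 'C:\certs\M1_cert_new.cer';

-- Step 3 (on M2): look up who owns the old copy of M1's certificate,
-- then restore the new one under that same owner.
USE master;
SELECT c.name, USER_NAME(c.principal_id) AS owner_name, c.expiry_date
FROM sys.certificates AS c
WHERE c.name = 'M1_cert_old';

CREATE CERTIFICATE M1_cert_new
    AUTHORIZATION M1_user       -- the owner_name returned by the query above
    FROM FILE = 'C:\certs\M1_cert_new.cer';

-- Step 4 (on M1): point the mirroring endpoint at the new certificate.
ALTER ENDPOINT Mirroring_Endpoint
    FOR DATABASE_MIRRORING (AUTHENTICATION = CERTIFICATE M1_cert_new);

-- Step 5 (on M1): drop the expired certificate once the endpoint no longer uses it.
DROP CERTIFICATE M1_cert_old;

-- Step 6 (on M2): drop the expired public copy as well.
USE master;
DROP CERTIFICATE M1_cert_old;
```

    Re-running the first query after step 4 confirms the endpoint is bound to the new certificate before anything is dropped.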

All replies

  • What do you mean by "dbm certificate expired"? Is this the certificate assigned to the mirroring endpoints?
    Wednesday, June 13, 2007 4:29 PM
  • Yes, the certificate which is used to encrypt the endpoint has expired. Could you give me some advice about how to change the certificate or extend the lifetime of this certificate?

    appreciate.

    thanks.
    Friday, June 15, 2007 10:39 PM
  • Remus, thank you very much.
    Monday, June 18, 2007 4:58 PM
  • Hi Remus, I also have a question. When initially creating the certificates, is there a way to specify the validity? By default I saw it is 1 year. Maybe put 5 years right from the beginning...

     

    salut

    Thursday, July 19, 2007 3:45 AM
  • got it

     

    CREATE CERTIFICATE xxx_cert
       WITH SUBJECT = 'xxx certificate for database mirroring',
       EXPIRY_DATE = '12/31/2020';
    GO

    Friday, July 20, 2007 7:13 PM
  • With regard to certs that last 18 years... that's a long time, even if they are already 7 years old.

    Sunday, January 20, 2008 3:35 AM