certificate cluster

  • Question

  • Hi Team,

    Have a question regarding certificates.

    I was trying to load certificates on standalone and clustered instances.

    I was successful in creating and loading the certificate for a standalone machine, where I used the certificate name same as the FQDN of the machine name, and I was able to load the certificate into SQL Server 2005 without any issues. I am using the makecert utility to create certificates.

    Now I am confused about the clustered instance. Do I need to create the certificate in the node name or the SQL network name?
    Logically I don't think node name certificate creation would help, because during failover it might create problems.
    I am thinking it has to be created on the SQL network name.

    Please correct me if I am wrong.

    Can anyone point me to any reference, blogs or articles on creation of certificates in a clustered instance?

    That would be a great help for me.

    Thanks in advance.
    Thursday, July 28, 2011 2:01 AM

Answers

  • Hi Manu,

    The note in the topic How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager) explains that for encrypting connections to SQL Server you must install the server certificate with the fully qualified DNS name of the virtual server on all nodes in the failover cluster. But note that when you try to select the corresponding SSL certificate on the Certificate tab of the SQL Server Protocols properties, you will see that the installed certificate does not show up. This behavior is a known issue in a clustered installation.

    SQL Server Configuration Manager by default searches the local computer's personal certificate store and tries to match an existing certificate with the fully qualified domain name (FQDN) of the local computer. Since the installed certificate is not associated with the cluster node FQDN, but with the virtual SQL Server FQDN, the corresponding certificate is not shown in the GUI. For the certificate to function in this configuration you need to manually copy the thumbprint of the certificate issued to your virtual server name to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate

    For further details refer to the following two links:



    Regards, Vishal Srivastava
    Monday, August 1, 2011 8:53 AM
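The manual step Vishal describes (pick the certificate issued to the virtual server name from the node's LocalMachine\My store and write its thumbprint to the SuperSocketNetLib\Certificate value) can be scripted so it is done the same way on every node. The script below is an added example, not code from the thread or from Microsoft; the virtual FQDN `sqlvirt.contoso.example` and the instance folder name `MSSQL.x` are placeholders that must be replaced with your own values, and it assumes PowerShell is available on the node.

```powershell
# Added example (not from the forum thread): bind the clustered instance to the certificate
# issued to the SQL virtual network name by writing its thumbprint to the registry value that
# SQL Server Configuration Manager cannot set in a cluster.
# Placeholders (not from the thread): replace with your virtual server FQDN and instance folder.
$VirtualFqdn = 'sqlvirt.contoso.example'   # placeholder: FQDN of the SQL network name, not the node
$InstanceKey = 'MSSQL.x'                   # placeholder: instance folder, e.g. MSSQL.1 on SQL Server 2005

# Look only in the local machine Personal store, and only at certificates that carry a private key
# and whose subject CN is the virtual name (a node-name certificate would break after failover).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -match "CN=$([regex]::Escape($VirtualFqdn))(,|$)"
    } |
    Sort-Object NotAfter -Descending |   # prefer the certificate that expires last
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key for CN=$VirtualFqdn in LocalMachine\My on $env:COMPUTERNAME"
}

# Fail early if the certificate is already expired or not yet valid on this node's clock.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is not within its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}

# SQL Server reads the thumbprint as a plain hex string with no spaces; .NET already gives it that way.
$thumb = $cert.Thumbprint.ToLowerInvariant()

$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
if (-not (Test-Path $regPath)) {
    throw "Registry path $regPath not found; check the instance folder name"
}
Set-ItemProperty -Path $regPath -Name 'Certificate' -Value $thumb -Type String

# Read the value back so the change is visible in the session transcript.
$written = (Get-ItemProperty -Path $regPath -Name 'Certificate').Certificate
Write-Output "Node $env:COMPUTERNAME: SuperSocketNetLib\Certificate = $written (subject: $($cert.Subject))"
```

Run it once on each node of the failover cluster, with the certificate already imported into that node's LocalMachine\My store as the answer requires; the instance picks the certificate up on its next restart. The subject match is anchored on `CN=<virtual FQDN>` so a certificate issued to the node's own name is never selected by accident, and the private-key and validity checks catch the two most common reasons the instance later fails to start with encryption enabled.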

All replies

  • Thanks Vishal. It worked for me. :-)
    Thursday, August 11, 2011 8:04 AM