Where is checkSQLssl Tool Located?

    Question

  • Does anyone know what dir the checkSQLssl tool is located in on a 2012 Windows server with SQL Server 2016 installed?  I had requested an SSL cert to be created and want to verify it was created correctly.  I have searched high and low and found little to no information regarding this executable other than to use said tool to verify an SSL cert for SQL Server.  I can't even find it on my SQL Server server instances, any advice/information regarding this utility would be greatly appreciated.

    Thanks in advance,

    Coleman


    TheColeman

    06 October 2017 15:29

Answers

All Replies

  • I've never heard of that tool, but I think to check certificates you just add certificate snap-in to an MMC console. Have you seen this?
    Add the Certificate Snap-in to an MMC
    How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console

    Also review:
    Where does SQL Server store it's Certificates

    CheckSQLssl seems to be just a command line tool, according to this article:
    Troubleshooting SSL on SQL Server

    Hope that helps,

     

    Phil Streiff, MCDBA, MCITP, MCSA

    06 October 2017 15:41
  • Hey Phil!

    Yes, I have used the mmc snapin and added the certificate I was given but it fails to show up in the SQL Server configuration manager.

    Since our SQL instances run under AD accounts I logged onto the SQL Server server as the said service account and added the cert for the user to ensure the SQL Server would see it.

    I looked at that link as well but the way it speaks to the utility it sounds like a separate tool to me.

    Thank you Phil.


    TheColeman

    06 October 2017 15:51
  • Maybe certificate wasn't installed correctly.

    I found a similar issue question here:
    SSL Certificate missing from SQL Server Configuration Manager

    HTH,


    Phil Streiff, MCDBA, MCITP, MCSA

    • Edited by philfactor 06 October 2017 15:55
    • Marked as answer by thecoleman 06 October 2017 16:58
    06 October 2017 15:53
  • Yes, I think I am going to manually register it using the thumbprint like you would a cluster, this was SQLDude's recommendation on one of his blogs located here:

    SQLDude

    Enable a certificate for SSL on a SQL Server clustered installation

    The certificate used by SQL Server to encrypt connections is specified in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate

    This key contains a property of the certificate known as thumbprint that identifies each certificate in the server. In a clustered environment, this key will be set to Null even though the correct certificate exists in the store. To resolve this issue, you must take these additional steps on each of your cluster nodes (after you installed the certificate to each node):
     
    1. Navigate to the certificate store where the FQDN certificate is stored. On the properties page for the certificate, go to the Details tab and copy the thumbprint value of the certificate to a Notepad window.
    2. Remove the spaces between the hex characters in the thumbprint value in Notepad.
    3. Start regedit, navigate to the following registry key, and copy the value from step 2:
      HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Certificate
    4. If the SQL virtual server is currently on this node, failover to another node in your cluster, and then reboot the node where the registry change occurred.
    5. Repeat this procedure on all the nodes.


    TheColeman

    06 October 2017 16:35
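
A read-only way to check the result of the thumbprint steps quoted above, as an added PowerShell example that is not part of the original thread or the quoted blog. The sample thumbprint is constructed, `<instance>` is the same placeholder used in the quoted registry path, and the certificate is assumed to be in the computer's Personal store (LocalMachine\My).

```powershell
# Added example: compares a pasted thumbprint with the certificate store and
# with the value registered for the SQL Server instance. It changes nothing.
param(
    # Constructed sample, shaped like a value copied from the Details tab:
    # spaced hex pairs with an invisible U+200E character in front.
    [string]$PastedThumbprint = "$([char]0x200E)01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67",
    # Placeholder: replace with the instance key name found under
    # HKLM\SOFTWARE\Microsoft\Microsoft SQL Server on the server.
    [string]$InstanceKey = '<instance>'
)

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Keep hex digits only. This removes the spaces (step 2) and any
    # invisible characters picked up when copying from the dialog.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hex.Length)."
    }
    return $hex
}

$thumb = ConvertTo-NormalizedThumbprint $PastedThumbprint
"Normalized thumbprint: $thumb"

# Is the certificate in the store, and does it carry a private key?
# Assumption: it was imported into the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if ($cert) {
    "Found: $($cert.Subject), expires $($cert.NotAfter), private key: $($cert.HasPrivateKey)"
} else {
    Write-Warning "No certificate with this thumbprint in LocalMachine\My."
}

# What thumbprint is registered for the instance?
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
if (-not (Test-Path -LiteralPath $regPath)) {
    Write-Warning "Registry key not found: $regPath"
    return
}
$registered = (Get-ItemProperty -LiteralPath $regPath -Name Certificate).Certificate
if ([string]::IsNullOrEmpty($registered)) {
    "Certificate value is empty: no thumbprint is registered for this instance."
} elseif ($registered -ieq $thumb) {
    "Certificate value matches the thumbprint."
} else {
    "Certificate value differs: $registered"
}
```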
  • Thank you for the link Phil!  Out of that link I was able to find the command below which gave me the information I needed to verify the cert that was given to me was indeed correct. 

    It can be that the SSL certificate, which you imported, has the wrong KeySpec: AT_SIGNATURE instead of AT_KEYEXCHANGE. You can examine the PFX using certutil.exe -dump -v My.pfx and search for KeySpec = 1 -- AT_KEYEXCHANGE. You can remove the certificate (export to PFX before if you do not already have it as PFX) and import it once more using certutil.exe -v -importPFX My.pfx AT_KEYEXCHANGE – Oleg Apr 24 '16 at 0:15

     

    TheColeman

    06 October 2017 16:58
  • Do we know where this tool lives?  How to get it?
    11 July 2018 21:07