How to SSL into a SQL SERVER

Hello, I followed some posts and I’m able to create the certificate for Windows Server, but when I use it in an MS SQL Server instance and try to connect, I get the error that the certificate chain was issued by an authority trusted… however, the UCS root certificate is installed via GPO on the machine… I can access https://ucsserver without issues and the cert is valid…

Hello,

without further information about your setup it is not that easy to recommend something as we don’t know what you may have already tried. Did you import the certificate?

Best regards
Jan-Luca

@jlk thanks for the reply.

Yes, I already did that… and it is working if I check the trust server certificate… if I don’t “trust server certificate” then connection…

Can you verify that UCS is registered as one of the Trusted Root Certification Authorities?

Yes, it’s valid…
If I open ucsserver on the same PC with Chrome, it’s valid

Sorry, I have no idea what to check. If the system is only used internally and you are aware of the implications, you could of course check Trust server certificate; otherwise I would look into the SQL Server documentation to see if there is anything else to do when using your own CA.
Sometimes a reboot can help too…

Thanks for the help…
The server was rebooted… and the root certificate has been installed since 2015… then renewed… and always working… now I just want to explore and deploy SQL with SSL… I can’t understand that error… when the root authority is added…

@jlk and maybe @stoeckigt, after reading more about this I found this: Create and Install a SSL/TLS Certificate for SQL Server - Codekabinett

Maybe the issue is that the certificate must be issued to the hostname so it can be used in SQL Server, and not to the fully qualified domain name… but if I run univention-certificate only with the hostname, then the DNS fully qualified name won’t work.

Hey,

the certificate should contain both FQDN and hostname as an Alternative Name. You can of course add another name too if this helps: Add Subject Alternative Names to existing Certificate

Best regards
Jan-Luca

@jlk thanks, I will take a look.

About the issue, I got it sorted. The issue was in SQL… I had to add permissions to the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKey for the user that runs the SQL Server instance

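The two conditions this thread ends on (hostname and FQDN both present in the certificate, and the SQL Server service account able to read the private key) can be checked with the PowerShell below. It is an added example, not from the posts above; the thumbprint is a placeholder, `NT Service\MSSQLSERVER` is an assumed service account, and the key folders are the standard machine-key locations on current Windows versions (`MachineKeys` and the CNG `Keys` folder).

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell session.
$Thumbprint     = '<CERT-THUMBPRINT>'        # placeholder: thumbprint of the SQL Server certificate
$ServiceAccount = 'NT Service\MSSQLSERVER'   # assumption: service account of a default instance

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# 1. Names: both the short hostname and the FQDN should be in the certificate.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($name in @($env:COMPUTERNAME, $fqdn)) {
    [pscustomobject]@{ Check = "name '$name' in certificate"; Ok = ($dnsNames -contains $name) }
}

# 2. Private key: locate the key file that belongs to this certificate.
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with this certificate.' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'Not an RSA key, or the key cannot be opened.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = $rsa.Key.UniqueName
} else {
    $keyFile = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",   # CryptoAPI (CSP) machine keys
    "$env:ProgramData\Microsoft\Crypto\Keys"               # CNG machine keys
)
$keyPath = $keyDirs | ForEach-Object { Join-Path $_ $keyFile } |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Key file '$keyFile' not found in the machine key folders." }

# 3. ACL: does the service account have an Allow entry that includes Read?
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$rules = (Get-Acl -LiteralPath $keyPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
[pscustomobject]@{ Check = "'$ServiceAccount' can read $keyPath"; Ok = [bool]$rules }
```

The ACL check only looks for an entry that names the account itself, so access granted through a group the account belongs to is reported as `False`.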