October 28, 2015 at 11:09 am
Hi all,
I used the selfssl.exe tool to generate a certificate on my db server, successfully added to Personal \ Certificates in MMC, added R/W permissions for the service account to the cert, selected the new certificate in the protocols for mssql and restarted the service. So far so good, however when trying to connect from SSMS with encryption check box checked I get the following error:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.) (Microsoft SQL Server, Error: -2146893019)
The certificate chain was issued by an authority that is not trusted.
When I look in MMC, the only intended purpose for the certificate is "Server authentication" and I'm not able to add "Client authentication". Does selfssl.exe not support client authentication? Can someone recommend another free tool that does? Thank you
October 28, 2015 at 12:06 pm
What you're running into is that the OS on the client PC (or even the local server) is that self-signed certificates aren't "trusted." The OS / client is trying to confirm that the cert is from a trusted authority (such as Verisign) and failing.
There's a couple possible solutions you could look into:
A) If possible, set up an Active Directory with it's own certificate authority and join the server with SQL Server and the client to it, issue a cert, etc. (LOT of work)
B) I believe (it's been a long time) that it's possible to tell a system to "trust" a self-signed certificate, some quick Googleing ought to provide direction
C) (Not really an option as you want a free tool, but) Actually purchase a "real" certificate from a provider such as Verisign
I believe, as well, MS includes directions on how to set up encrypted connections to SQL with a self-signed certificate, including getting the clients to "trust" the cert.
October 29, 2015 at 2:25 pm
Thank you, I found the solution.
I needed to create the certificate with the /T switch to make it trusted and had to add "TrustServerCertificate=true" to the connection parameters in SSMS.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply