SSL Certificate & Availability Group Question

  • Hello-

    I hope someone can help with this.

    I have 4 servers below and would like to confirm my thought is correct by ordering 4 separate SSL certificates *with each separate SQL instance name* or order 1 with only the AG name and import the SSL certificate to each individual SQL instance.

    AGSQLPROD_AG (AG Name)

    -        SQLPRODServer1 (primary)

    -        SQLPRODServer2 (Secondary)

    -        SQLPRODServer1DR (DR Site)

    -        SQLPRODServer2DR (DR Site)

    My thought is that since the AG listener will failover to any of the nodes below, the DNS should take care of any connection issues, therefore I should not create any SSL certificates with the AG name and instead create 4 SSL certificates with the physical SQL instance names.

    Any input is greatly appreciated!


    Thanks

    • This topic was modified 10 months, 2 weeks ago by  cwilliams21.

  • Personally, I would do a single wildcard certificate. You will need the hostname of each SQL server however, and the listeners at minimum.

  • SSL uses the FQDN - if someone is connecting to SQL Server using listener.domain.com then the certificate must have that same name. If it doesn't have the same name then it cannot create the SSL connection.

    What I would do is request a certificate with all of the possible FQDN entries that would be used - with the listener name being the primary and all other names set up as a SAN (Subject Alternative Name) on that certificate.

    Installing that certificate on all nodes will then allow someone to connect directly to the instance by node name, listener name - or any other DNS aliases that have been defined and set up as a SAN entry on the certificate.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs
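    The two answers above boil down to one check a DBA can run before (or after) installing the certificate on each node: does the set of DNS names on the certificate cover every FQDN a client might put in a connection string, i.e. the listener plus each of the four node names? The script below is an added example, not code from either poster. It assumes a DNS suffix of `corp.example.com` and uses the AG name from the question as the listener's DNS name; the certificate SAN lists are constructed, in the same shape `ssl.getpeercert()` returns them. Wildcard entries are matched the way TLS clients do it (one leftmost label only), so it also shows where the single wildcard certificate suggested above does and does not help.

```python
"""Check whether a certificate's DNS names cover every name clients use to
reach an Availability Group: the listener FQDN plus each node's FQDN.

Added example, not part of the forum thread. DOMAIN and the sample SAN
lists are constructed; the host and AG names come from the question.
"""
import ssl
import socket

DOMAIN = "corp.example.com"                     # assumed DNS suffix
LISTENER = "AGSQLPROD_AG"                       # assumed listener DNS name (AG name from the question)
NODES = ["SQLPRODServer1", "SQLPRODServer2", "SQLPRODServer1DR", "SQLPRODServer2DR"]


def required_fqdns(listener, nodes, domain):
    """Every name a connection string might carry, normalised to lower case."""
    return [f"{name}.{domain}".lower() for name in [listener, *nodes]]


def name_matches(san_entry, fqdn):
    """TLS hostname matching (RFC 6125 style): exact match, or a wildcard that
    covers exactly one leftmost label. '*.corp.example.com' matches
    'host.corp.example.com' but neither 'corp.example.com' nor
    'a.b.corp.example.com'."""
    san_entry = san_entry.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not san_entry.startswith("*."):
        return san_entry == fqdn
    suffix = san_entry[1:]                      # ".corp.example.com"
    if not fqdn.endswith(suffix):
        return False
    leftmost = fqdn[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def dns_names_from_peercert(cert):
    """Pull DNS SAN entries out of the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_names(san_dns_names, listener=LISTENER, nodes=NODES, domain=DOMAIN):
    """Return the required FQDNs that no SAN entry covers (empty list == OK)."""
    return [fqdn for fqdn in required_fqdns(listener, nodes, domain)
            if not any(name_matches(san, fqdn) for san in san_dns_names)]


def check_live_server(host, port=1433, timeout=5):
    """Fetch the certificate a running node actually presents and check it.
    Not exercised here; needs network access to a SQL Server node."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # we do our own, broader coverage check
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return missing_names(dns_names_from_peercert(tls.getpeercert()))


# Constructed certificates, in getpeercert() shape.
CERT_LISTENER_ONLY = {"subjectAltName": (("DNS", f"{LISTENER}.{DOMAIN}"),)}
CERT_WITH_SANS = {"subjectAltName": tuple(("DNS", f"{n}.{DOMAIN}") for n in [LISTENER, *NODES])}
CERT_WILDCARD = {"subjectAltName": (("DNS", f"*.{DOMAIN}"),)}
CERT_WRONG_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}   # one label too high


def demo():
    """Run the coverage check over the constructed certificates."""
    return {label: missing_names(dns_names_from_peercert(cert))
            for label, cert in [("listener only", CERT_LISTENER_ONLY),
                                ("listener + node SANs", CERT_WITH_SANS),
                                ("wildcard", CERT_WILDCARD),
                                ("wildcard one level up", CERT_WRONG_WILDCARD)]}


if __name__ == "__main__":
    for label, gaps in demo().items():
        print(f"{label:22s} -> {'OK' if not gaps else 'missing: ' + ', '.join(gaps)}")
```

    The "listener only" result is the case the original poster was worried about in reverse: a certificate issued for just the AG name leaves every direct-to-node connection unable to match, while the SAN certificate described in the answer above and a wildcard on the correct DNS suffix both cover all five names. `check_live_server` is there so the same check can be run against what each node really serves after the certificate has been installed.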
