RE: Installing SSL on SQL Server 2000

From: Jason Delaune (anonymous_at_discussions.microsoft.com)
Date: 12/03/03


Date: Wed, 3 Dec 2003 12:21:09 -0800

Kevin,

The MSSQLServer service is running under a domain user
account. The account that I used to request the
certificate was a domain admin account. Do I need to
therefore request another certificate while I'm logged in
as the user running the MSSQLServer service? Also, which
template should I use when requesting the certificate,
Administrator or Web Server?

Thanks,
Jason

>-----Original Message-----
>Previous message:
>Hello Kevin,
>
>I have installed an Enterprise Root CA on the domain, and I went through
>the web form to request and install a new certificate. I installed both an
>Administrator certificate and a Web Server certificate, but when I choose
>to Force Encryption from the Server Network Utility, I get an error message
>when I try restarting SQL Server.
>
>The message says something to the effect that encryption is being
>requested, but a valid certificate does not exist. I can see the
>certificate in the Personal folder, so I'm not sure why I'm getting the
>error message.
>
>Can you help?
>
>Thanks,
>Jason
>---------------
>
>We use exactly the same certificate that IIS would use to set up an SSL
>session. The new error message above indicates that the SQL Server service
>account is not finding the certificate. So, look at the account that is
>starting the MSSQLServer service. If the service is started using a domain
>user account, and the certificate was requested by a local admin, then the
>service will not be able to find the certificate.
>
>Thanks,
>
>Kevin McDonnell
>Microsoft Corporation
>
>This posting is provided AS IS with no warranties, and confers no rights.
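
The check Kevin describes (which account starts the service, and whether that account can see the certificate), as an added example that is not part of the original thread and is not Microsoft's code. It assumes a default instance whose service is named `MSSQLSERVER` and a host with PowerShell 3 or later; the function name `Get-ServerAuthCert` is hypothetical.

```powershell
# Added example. Assumptions: default instance (service name MSSQLSERVER),
# PowerShell 3+ with the built-in Cert: provider.
$serviceName   = 'MSSQLSERVER'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

# 1. Which account starts the service?
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on this host." }

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Service logon account : $($svc.StartName)"
"This script runs as   : $me"

# 2. List certificates usable for server-side SSL in a given Personal store:
#    private key present, not expired, Server Authentication EKU listed.
function Get-ServerAuthCert([string]$StorePath) {
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        Select-Object @{ n = 'Store'; e = { $StorePath } },
                      Subject, Thumbprint, NotAfter
}

# The machine store is visible to every account on the host.
Get-ServerAuthCert 'Cert:\LocalMachine\My' | Format-Table -AutoSize

# The per-user store is only the store of whoever runs this script.
if ($svc.StartName -ne $me) {
    Write-Warning ("CurrentUser\My below belongs to $me, not to " +
                   "$($svc.StartName); the service cannot see these certificates.")
}
Get-ServerAuthCert 'Cert:\CurrentUser\My' | Format-Table -AutoSize
```

Run it once as the administrator who requested the certificate and once as the service account: a certificate that appears only in the first run's `CurrentUser\My` output sits in a Personal store the service never opens.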