Re: Certificate Requirements for SQL Data Encryption

---

• From: "Jediah L" <rife@xxxxxxxxxxxxx>
• Date: Mon, 2 Jun 2008 08:58:41 -0400

---

I am trying to issue a certificate from an external CA that will work with
SQL Server.

So far I have tried issuing from the user template and the computer
template. For the user and computer templates I have tried various
different options: including and not including Client Authentication, and
Server Authentication in the Application Policy extension, I have tried
changing the purpose from encryption to signature to signature and
encryption, I have set the key usage to various values (Digital Signature,
Key exchange, etc).

I have a certificate that I have issued from one CA outside of our
environment that works, but I've yet to find out what the difference is
between the working certificate and the non-working certificate.

This trial and error stuff is a bit for the birds (a waste of time) - there
really should be some documentation inside of the SQL Server BOL that says
"If you are going to use a certificate that is issued from a Certificate
Authority, the certificate must be created in the following way" - I'm
looking for that documentation. Are you aware of any?

Thanks!



""Charles Wang [MSFT]"" <changliw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:$aTCZHHxIHA.5796@xxxxxxxxxxxxxxxxxxxxxxxxx

Hi Jedian,
I am sorry that I am not sure what your meaning of key attribute
requirements for the certificates is. If you meant that you wanted to
ecrypt data in SQL Server from your existing certificates issued by your
CA, You can refer to the following steps:
1. Load your certificate to your SQL Server by using CREATE CERTIFICATE.
You may refer to:
CREATE CERTIFICATE (Transact-SQL)
http://msdn.microsoft.com/en-us/library/ms187798.aspx

2. Create a symmetric or asymmetric key to encrypt/decrpt your data. You
may refer to:
How to: Encrypt a Column of Data
http://msdn.microsoft.com/en-us/library/ms179331.aspx

If there is anything misunderstanding, please feel free to let me know. I
am glad to assist further.

Best regards,
Charles Wang
Microsoft Online Community Support
===========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
===========================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for
non-urgent issues where an initial response from the community
or a Microsoft Support Engineer within 1 business day is acceptable.
Please note that each follow up response may take approximately
2 business days as the support professional working with you may
need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by
contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
============================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=========================================================

.

---

• Follow-Ups:
  • Re: Certificate Requirements for SQL Data Encryption
    • From: "Charles Wang [MSFT]"

• References:
  • RE: Certificate Requirements for SQL Data Encryption
    • From: "Charles Wang [MSFT]"

• Prev by Date: Re: Certificate Requirements for SQL Data Encryption
• Next by Date: SQL 2000 user not inheriting permissions from role
• Previous by thread: RE: Certificate Requirements for SQL Data Encryption
• Next by thread: Re: Certificate Requirements for SQL Data Encryption
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Certsrv and Autoenrollment problem ... Thank you for posting to the SBS Newsgroup. ... so it will not be instantiated on the template ... Certificate Authority snap-in will show the templates in the Certificate ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) HOWTO: SQL Server SSL On A Cluster ... This post describes issues concerning the implementation of SSL ... certificates on SQL Server 2000 clusters. ... cluster and failover is working, ... DC is running a certificate authority, and that the CA is configured ... (microsoft.public.sqlserver.clustering) HOWTO: SQL Server SSL On A Cluster ... This post describes issues concerning the implementation of SSL ... certificates on SQL Server 2000 clusters. ... cluster and failover is working, ... DC is running a certificate authority, and that the CA is configured ... (microsoft.public.sqlserver) Re: SQL Server 2005 SP2 fails in upgrading Database service ... Clearing the certificate had no success. ... I suspect there's a problem with the permissions of the SQL Server service ... SQL Server Database Services 2005 ENU SP2 ... This is an informational message only; no user action is ... (microsoft.public.sqlserver.setup) Re: SQL Server 2005 SP2 fails in upgrading Database service ... Clearing the certificate had no success. ... I suspect there's a problem with the permissions of the SQL Server service ... This is an informational message only; no user action is ... (microsoft.public.sqlserver.setup)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2008-06