Re: Certificate Requirements for SQL Data Encryption



Charles,



I have used certificates that have been allowed client and server
authentication (the one that I sent you allowed for ALL policies), and I
have also chosen "Allow encryption for user data" as well. Our Read |
Write | Enroll permissions are applied to a specific user group instead of a
domain user group, but that wouldn't have any bearing on the certificate
usage, just the enrollment.



As far as the complex steps to get to the PVK, it's because we have no web
interface on our certificate authority (for security reasons). I will
create a new certificate with the options you have asked about below and
send it on either later today or tomorrow.



Thanks!





"Charles Wang [MSFT]" <changliw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:QJwrPUxxIHA.1784@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Logiodice,
Thank you for your email response.

Your certificate also did not work on my side. Anyway, I did not spend much
time on this error.

I read your steps at the newsgroup; however, I would like to know why you
used such complex steps to get the certificate and the private key
(.pvk).
Since you are using Microsoft Enterprise CA, you can simply acquire a
certificate via accessing http://your_CA_server/certsrv and taking the
following steps:
1. Click the link "Request a certificate";
2. Click "Or, submit an advanced certificate request";
3. Click "Create and submit a request to this CA";
4. Select your Certificate Template issued in your CA, check "Create new
key set", check "Mark keys as exportable" and check "Export keys to file",
and input the path to save the private key file, check "Store certificate
in the local computer store", input a Friendly Name and click Submit;
5. Input the password during the certificate generation process. After this
step, the private key file is created and then you can download the
certificate by clicking "Download certificate".
6. Then you can create the certificate in your SQL Server 2005 with the
T-SQL statement as you showed.

In addition, there are some different settings on the Certificate template
between yours and mine. Please refer to the following:
1. On the Extensions tab, I added "Client Authentication" and "Server
Authentication" to the Application policy list; for Key Usage, I checked
"Allow encryption for user data";
2. On the Security tab, I gave "Read", "Write" and "Enroll" permissions to
the Domain Users group.

Could you please check if my steps worked for you? Please feel free to let
me know if you have any questions or concerns.



Best regards,
Charles Wang
Microsoft Online Community Support
=========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
=========================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=========================================================
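
Step 6 of the quoted procedure, as an added example that is not part of the original thread: importing the downloaded certificate and exported private key file into SQL Server 2005, then checking that the certificate can protect a symmetric key used for data encryption. The database name, object names, file paths and passwords are placeholders, not values from the posters.

```sql
-- Added example; every name, path and password below is a placeholder.
USE SampleDb;  -- hypothetical database
GO

-- A database master key must exist so the imported private key
-- can be stored encrypted inside the database.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password>';
GO

-- Import the certificate (DER-encoded download) together with the
-- private key file written by "Export keys to file" in step 4.
-- The password is the one entered in step 5.
CREATE CERTIFICATE DataEncCert
    FROM FILE = 'C:\certs\dataenc.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\certs\dataenc.pvk',
        DECRYPTION BY PASSWORD = '<pvk-password>'
    );
GO

-- Confirm the private key came in with the certificate.
-- Expect ENCRYPTED_BY_MASTER_KEY; NO_PRIVATE_KEY means only the
-- public part was imported and decryption will fail later.
SELECT name, pvt_key_encryption_type_desc, subject, expiry_date
FROM sys.certificates
WHERE name = 'DataEncCert';
GO

-- Protect a symmetric data key with the certificate.
CREATE SYMMETRIC KEY DataEncKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DataEncCert;
GO

-- Round trip on a constructed sample value.
OPEN SYMMETRIC KEY DataEncKey DECRYPTION BY CERTIFICATE DataEncCert;
DECLARE @cipher varbinary(8000);
SET @cipher = EncryptByKey(Key_GUID('DataEncKey'), N'constructed sample value');
SELECT CONVERT(nvarchar(100), DecryptByKey(@cipher)) AS round_trip;
CLOSE SYMMETRIC KEY DataEncKey;
GO
```

The SQL Server service account needs read access to both files, since the paths are resolved on the server rather than on the client.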


