I am trying to set up SQL Server 2005 to use a test certificate from Thawte for SSL encryption. I have installed the certificate in the local computer, current user and service account's personal certificates folders. I have also installed the root certificate in the Trusted Root Certification Authorities folders of each. All this was done using MMC.
However, when I go to tell SQL Server to use the certificate, no certificates show up in the drop down box. I am using SQL Server Configuration Manager and doing the right-click\Properties\Certificate steps shown in multiple KB and forum articles.
I have also checked the registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Certificate. It is blank, which tells me SQL Server should be looking in the certificate store.
If I simply set the ForceEncryption flag, SQL Server starts up OK and generates a self-signed certificate. Using that, the session does get encrypted. However, I need to use a third party certificate.
I have hit a brick wall and am at a loss. Any help would be greatly appreciated.
Please check the following blog see if you certificate meets the requirements:
http://blogs.msdn.com/sql_protocols/archive/2005/12/30/508311.aspx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Certificate
store the hash, You can manually set the certificate hash if your does not meet all requirements. To see it in SCM, the cert must meet all requirements.
|||That blog is one of many I have been working with. Here is what I can ascertain so far-
1) It is in the local computer personal share, the current user personal share and the service (MSSQLSERVER) personal share.
2) Timestamps/system time are synched up.
3) Enhanced Key Usage contains these values-
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
4) Not sure how/where to check this.
5) Does not apply.
I have also tried to manually set the certificate in the registry by entering the thumbprint of the certificate into the Certificate key. SQL Server will not start, however, when I try that. What is the correct format for doing that?
One other factor I forgot to mention earlier is that this is being done on a VM in our test bed. Would that have any effect on how this stuff works?
Thanks!
|||Since 5) does not apply, SCM won't be able to find it. So, you can use hash to load. To do this, you need make sure your server is Yukon SP1+.
VM should not affect this if it's connect to your network.
If your cert thumbprint is
48 b7 ba ff 00 23 30 ...The format of the certificate registry should be 48b7baff002330..., i.e. remove all spaces.
For requirement 4), check the details of the cert, in field of Key Usage, it should contain Key Encipherment which is AT_KEYEXCHANGE.
|||
I am currently downloading and installing SP2.
While looking at the cert, I don't see a Key Usage field. All I see is the Enhanced Key Usage field which contains the values I listed above. I tried generating a new cert and didn't see any way to force that option either. Is there a secret to this?
Also, when entering the thumbprint do I need to prefix with 0x or anything?
Thanks!
|||You should be able to see it with:
"certutil -v -store my" from cmd window.
or try
In the Certificates snap-in, expand Certificates,
Here is the dump of certutil -
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 2645916f2c925d570d76a61d83610494
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=Thawte Test CA Root
OU=TEST TEST TEST
O=Thawte Certification
S=FOR TESTING PURPOSES ONLY
C=ZA
NotBefore: 4/5/2007 2:06 PM
NotAfter: 4/26/2007 2:06 PM
Subject:
CN=hydra-head2.testwa.crossroads.com
OU=Thawte SSL123 certificate
OU=Go to https://www.thawte.com/repository/index.html
OU=Domain Validated
O=hydra-head2.testwa.crossroads.com
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 bb 64 f8 72 3a 54 f6 25 36
0010 fb 03 9b b8 b9 01 25 48 a7 3c 0e 5e 16 05 68 8a
0020 78 be b6 d7 18 22 93 f5 b0 2b 1c b7 c4 d0 92 fc
0030 4f 18 03 67 5e 04 4a 27 ea a6 64 fd 76 1f 8e 3a
0040 b5 f9 72 22 a3 4c 36 f9 53 2d d2 bd 26 08 72 ed
0050 19 8e e8 4d 98 a1 5d 3d 03 71 58 89 97 75 1a d7
0060 de 2b 55 8e 61 10 5c ac 43 91 c5 c9 71 25 62 ce
0070 d4 a1 cb 82 9a c3 dd 74 8e 7b b6 07 7f fa 0c 3f
0080 c3 30 97 e1 26 38 b9 02 03 01 00 01
Certificate Extensions: 3
2.5.29.19: Flags = 1(Critical), Length = 2
Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
1.3.6.1.5.5.7.1.1: Flags = 0, Length = 26
Authority Information Access
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.thawte.com
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 8c 41 ee 33 60 d1 76 5b 46 4f 35 b2 72 1a 1e 76
0010 a3 48 a9 d8 73 3c 00 fe 3b 25 f4 b6 d5 21 ed 40
0020 cf 00 47 6d 85 03 94 bb b4 9a 15 10 81 5b 19 19
0030 5b 44 c8 65 9b 21 b2 83 9d 24 23 1b 94 c6 7b c2
0040 50 9b eb 45 51 2c 93 e2 5f 95 d3 26 8f eb 43 b3
0050 ca 7a b3 88 fd b5 65 a4 73 c1 c2 fa b2 2a c7 e4
0060 d0 16 f9 8c d5 4b 42 b1 74 1f 71 35 d3 19 1d f3
0070 cf bb 31 5d 3c fd e5 40 e8 4d 57 f5 5b 4a 5c a1
Non-root Certificate
Key Id Hash(sha1): 2a b6 1c 2d 54 2e 6a 9c f4 17 00 40 d0 fc 35 17 63 2d 2d 31
Cert Hash(md5): b5 bd d0 79 92 0c 4d ef 92 3c 96 57 e3 bd 95 da
Cert Hash(sha1): e5 28 6e 6b a6 52 80 c5 e5 b6 c7 39 42 6a ec 90 88 72 38 97
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
0e 33 b0 bb ad 58 85 fb ca 71 e4 36 76 24 09 70
CERT_MD5_HASH_PROP_ID(4):
b5 bd d0 79 92 0c 4d ef 92 3c 96 57 e3 bd 95 da
CERT_SHA1_HASH_PROP_ID(3):
e5 28 6e 6b a6 52 80 c5 e5 b6 c7 39 42 6a ec 90 88 72 38 97
CERT_KEY_IDENTIFIER_PROP_ID(20):
2a b6 1c 2d 54 2e 6a 9c f4 17 00 40 d0 fc 35 17 63 2d 2d 31
CERT_SIGNATURE_HASH_PROP_ID(15):
58 64 bb 17 9f ff 41 1a 89 c8 b2 28 a5 0f 26 10 f1 df 44 44
No stored keyset property
================ Certificate 1 ================
Archived!
X509 Certificate:
Version: 3
Serial Number: 0cfd25b54b764cb242f8b97915316b8f
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=hydra-head2
DC=testwa
DC=crossroads
DC=com
NotBefore: 4/5/2007 10:41 AM
NotAfter: 4/5/2012 10:49 AM
Subject:
CN=hydra-head2
DC=testwa
DC=crossroads
DC=com
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 c3 b0 88 ce 69 68 03
0010 09 7e 59 8b 0f 3f fd 9d ef 60 5f 45 41 dd 4b 8e
0020 97 23 b6 5a bd 75 b6 73 23 7f 45 f8 42 ee 4d dc
0030 12 81 f5 50 d5 bb 88 e4 83 d4 d7 8e d2 55 9c 14
0040 c0 43 8e 4e 94 d2 99 fd af e8 22 5c af 50 2b 3b
0050 00 1a 0f 62 9c 1a e8 c9 b0 66 1d 1a b8 05 3d fb
0060 08 7d fd 79 6e cc bf e7 c3 e5 34 86 f9 7e ff 88
0070 d5 e8 68 48 e4 d1 ef 39 96 2b a0 24 c8 0f af 7d
0080 b9 9e 6c de 59 de f6 09 da be d7 ab ca 77 19 bc
0090 68 00 41 67 3c 46 99 16 b8 7e 7a de a8 ad c2 08
00a0 8b f4 fb 76 aa 38 cf 35 fd f3 29 b1 fd 69 63 89
00b0 a5 4d 31 18 d6 f5 e0 f3 65 68 ac 85 df 52 7f 7d
00c0 46 fc 34 bd 23 77 3d 16 7e 0b ae d1 f2 89 6c 1e
00d0 04 5f b3 57 38 18 52 1b 1e 1c 1c 54 19 63 c6 31
00e0 48 52 fe 8f f3 0b 02 66 68 dc 20 16 81 76 ac 26
00f0 01 a4 78 67 aa 39 4b 48 04 a2 bc b4 31 c7 4d f7
0100 00 77 16 da 33 36 27 37 1f 02 03 01 00 01
Certificate Extensions: 5
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
f6 6a 65 5f 02 fd 68 36 a9 c1 a7 87 f4 83 cb 1b e0 bc 1a 9e
2.5.29.31: Flags = 0, Length = 98
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://hydra-head2.testwa.crossroads.com/CertEnroll/hydra-head2.crl
URL=file://\\hydra-head2.testwa.crossroads.com\CertEnroll\hydra-head2.crl
1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
CA Version
V0.0
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 f8 78 31 c6 95 c3 23 4e d1 ae 35 a9 17 54 c9 a9
0010 1d 90 b3 45 19 2e 87 e7 2f 4e 9f 2b ec 1a e5 56
0020 57 3b f0 12 75 bf f7 2e 7e 98 05 69 71 94 60 b2
0030 d2 3d a7 80 8e 23 ca 5f 5e 73 43 d7 b8 ea fd 62
0040 32 fb da 3d 25 e1 cd d7 a2 4d 83 e4 81 dd f8 a5
0050 f3 dd 0e 83 ae 8f 43 ae d8 7d 2d 10 3e f5 e4 7b
0060 cd 1c 24 f0 48 92 33 07 9a 02 b5 2f e8 f3 d5 84
0070 ba 5a 3f 0a 6c ee 14 d1 61 29 d4 b7 c7 34 c7 0f
0080 72 1d 91 38 f2 40 18 4a 2a 84 d7 51 5b 4a b4 02
0090 2d 53 c6 5f 5a ba 05 00 e3 de 12 91 47 69 ae 12
00a0 0d 09 45 87 6a d8 27 30 a9 75 e9 9b 90 27 7d 48
00b0 bd d0 21 b1 3e 3c e3 82 5f 63 2c 77 31 b4 ba 91
00c0 71 63 62 3f 5e 56 36 d3 24 5b e7 72 e9 c3 59 59
00d0 40 6c 2a 1e 46 b1 5c e6 f8 9e d0 83 01 64 3f 84
00e0 f3 25 dd c9 b5 10 81 01 d4 e9 e5 96 54 12 9c 43
00f0 2d 42 a0 f6 4c b5 22 26 de fa b4 e3 8f b6 c0 25
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(sha1): f6 6a 65 5f 02 fd 68 36 a9 c1 a7 87 f4 83 cb 1b e0 bc 1a 9e
Cert Hash(md5): 76 78 1d 95 5c a5 14 82 41 f4 84 26 a8 c1 a6 54
Cert Hash(sha1): 15 6c ad 1e 8c e5 f8 c5 32 e0 c8 41 ca 60 4c 9a ab ad d2 96
CERT_SIGNATURE_HASH_PROP_ID(15):
23 a9 8c 51 fb 1a 37 0c 1a 13 86 87 6e fa c7 20 d9 bd 49 82
CERT_KEY_IDENTIFIER_PROP_ID(20):
f6 6a 65 5f 02 fd 68 36 a9 c1 a7 87 f4 83 cb 1b e0 bc 1a 9e
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = hydra-head2
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 20
KeySpec = 2
CERT_SHA1_HASH_PROP_ID(3):
15 6c ad 1e 8c e5 f8 c5 32 e0 c8 41 ca 60 4c 9a ab ad d2 96
CERT_MD5_HASH_PROP_ID(4):
76 78 1d 95 5c a5 14 82 41 f4 84 26 a8 c1 a6 54
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
9d d7 87 52 6e 5d f5 46 af ef ea b7 4b bb 2a d3
CERT_ARCHIVED_PROP_ID(19):
c3ffa03e8d4e3852d02c9517e827554a_3ebcabb6-dceb-40ac-b109-3c07d23ca16b
Private Key:
PRIVATEKEYBLOB
Version: 2
aiKeyAlg: 0x2400
CALG_RSA_SIGN
Algorithm Class: 0x2000(1) ALG_CLASS_SIGNATURE
Algorithm Type: 0x400(2) ALG_TYPE_RSA
Algorithm Sub-id: 0x0(0) ALG_SID_RSA_ANY
0000 52 53 41 32 RSA2
0000 ...
048c
Signature test passed
CertUtil: -store command completed successfully.
Also, the thumbprint in MMC is for the root certificate, not the test cert. Which one of these values do you put in the registry?
Thanks!
|||Your second one has Key Usage. The first one does not. Where/how do you get the cert? You can contact them why it's different than others. I'm not sure if we can support this cert(most likely not), but you can try using hash.|||These particular certs are from Thawte. The first one, I believe is their root certificate you can download. The second one is a one of their trial certs.
I put the sha1 hash for certificate 1 (15 6c ad 1e 8c e5 f8 c5 32 e0 c8 41 ca 60 4c 9a ab ad d2 96) into the registry. I am now getting the following error(s) in the log-
2007-04-05 15:34:03.96 Server Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
2007-04-05 15:34:03.98 Server (c) 2005 Microsoft Corporation.
2007-04-05 15:34:03.98 Server All rights reserved.
2007-04-05 15:34:03.98 Server Server process ID is 2496.
2007-04-05 15:34:03.98 Server Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'.
2007-04-05 15:34:03.99 Server This instance of SQL Server last reported using a process ID of 2040 at 4/5/2007 2:55:24 PM (local) 4/5/2007 7:55:24 PM (UTC). This is an informational message only; no user action is required.
2007-04-05 15:34:03.99 Server Registry startup parameters:
2007-04-05 15:34:04.01 Server -d C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf
2007-04-05 15:34:04.01 Server -e C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG
2007-04-05 15:34:04.01 Server -l C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf
2007-04-05 15:34:04.07 Server SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2007-04-05 15:34:04.07 Server Detected 1 CPUs. This is an informational message; no user action is required.
2007-04-05 15:34:04.46 Server Using dynamic lock allocation. Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node. This is an informational message only. No user action is required.
2007-04-05 15:34:05.12 Server Attempting to initialize Microsoft Distributed Transaction Coordinator (MS DTC). This is an informational message only. No user action is required.
2007-04-05 15:34:07.33 Server Attempting to recover in-doubt distributed transactions involving Microsoft Distributed Transaction Coordinator (MS DTC). This is an informational message only. No user action is required.
2007-04-05 15:34:07.36 Server Database Mirroring Transport is disabled in the endpoint configuration.
2007-04-05 15:34:07.47 spid5s Starting up database 'master'.
2007-04-05 15:34:07.91 spid5s Recovery is writing a checkpoint in database 'master' (1). This is an informational message only. No user action is required.
2007-04-05 15:34:08.11 spid5s SQL Trace ID 1 was started by login "sa".
2007-04-05 15:34:08.17 spid5s Starting up database 'mssqlsystemresource'.
2007-04-05 15:34:08.39 spid5s Server name is 'HYDRA-HEAD2'. This is an informational message only. No user action is required.
2007-04-05 15:34:08.41 spid9s Starting up database 'model'.
2007-04-05 15:34:08.92 spid9s Clearing tempdb database.
2007-04-05 15:34:09.30 Server Error: 26014, Severity: 16, State: 1.
2007-04-05 15:34:09.30 Server Unable to load user-specified certificate. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
2007-04-05 15:34:09.32 Server Error: 17182, Severity: 16, State: 1.
2007-04-05 15:34:09.32 Server TDSSNIClient initialization failed with error 0x80092004, status code 0x80.
2007-04-05 15:34:09.35 Server Error: 17182, Severity: 16, State: 1.
2007-04-05 15:34:09.35 Server TDSSNIClient initialization failed with error 0x80092004, status code 0x1.
2007-04-05 15:34:09.35 Server Error: 17826, Severity: 18, State: 3.
2007-04-05 15:34:09.35 Server Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2007-04-05 15:34:09.36 Server Error: 17120, Severity: 16, State: 1.
2007-04-05 15:34:09.36 Server SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
Based on this article http://support.microsoft.com/kb/928779, it sounds like it is an issue with the type of cryptographic service provider for the SQL Server certificate. Does this indicate some progress on getting this solved? Am I correct in this assumption?
Thanks!
|||Yes. This means the cert is invalid and we could not load/use it. You have to fix the cert issue.
No comments:
Post a Comment