SSL Certificate on SQL Express 2005

  • SSL Certificate on SQL Express 2005


    I'm trying to install a certificate on a SQL2005 server as we need to secure communications between our server and a 3rd party.

    IIS isn't installed so I've used certreq to generate the CSR, and have purchased an intranet SSL certificate from Comodo.

    The certificate name matches the FQDN of the server and has been installed as a computer certificate in the Personal store.

    The server has been restarted since installing the cert.

    When I'm in SQL Server Config Manager > Protocols for SQLEXPRESS properties > Certificate tab, I do not have the option to select the certificate that I've installed.

    In some of the many docs I've read, it has been suggested that you can manually update the reg key: HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Certificate - although I've not had much luck with this.

    The SQLExpress service is running as a network service - does it have to be Local System?

    I hope someone can shed some light on this - thanks in advance!

  • #2
    Re: SSL Certificate on SQL Express 2005

    What OS is the server running?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


    • #3
      Re: SSL Certificate on SQL Express 2005

      Win 2003 Standard


      • #4
        Re: SSL Certificate on SQL Express 2005

        OK, what I've tried (in case anyone is reading this thread..):

        I've added the thumbprint of the installed cert to HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Certificate

        I've verified that the certificate is compatible and meets the exact requirements for this purpose, which are:

        1) The certificate must be in either local machine or current user certificate store.
        2) The certificate must have a good time stamp, i.e. the current system time must be in the valid time window of the certificate.
        3) The certificate must be meant for Server Authentication, i.e. the certificate's Enhanced Key Usage property has to be turned on for Server Authentication (
        4) The certificate’s key spec must include AT_KEYEXCHANGE property. Usually, the certificate's key usage should include Key Encipherment.
        5) The certificate’s subject CN must match the FQDN of the server machine, or the FQDN of the virtual server if the server runs on failover cluster. This implies that required certificates must be provisioned on all nodes in the failover cluster.

        I've also granted Read permissions to the private key of the certificate for the network service account (that the SQLEXPRESS instance is using).

        The certificate drop down box is still blank...

        Any ideas would be greatly appreciated
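
The five requirements listed in the post above can be checked per certificate rather than by eye. The following is an added example, not part of the original thread: a read-only PowerShell audit of the local machine Personal store. It assumes the MSSQL.1 instance key quoted in the thread, that `GetHostEntry('')` returns the server's FQDN, and that it is run from an elevated prompt so private key details are readable.

```powershell
# Added example (not from the thread): read-only audit of LocalMachine\My
# against the five certificate requirements quoted in post #4.
$fqdn     = [System.Net.Dns]::GetHostEntry('').HostName  # assumption: resolves to this server's FQDN
$authOid  = '1.3.6.1.5.5.7.3.1'                           # OID of the Server Authentication EKU
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib'
$regThumb = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).Certificate
$now      = Get-Date

# Requirement 1 (store location) is met by enumerating LocalMachine\My itself.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Requirement 3: Enhanced Key Usage must list Server Authentication.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $authOid }))

    # Requirement 4 (second half): key usage should include Key Encipherment.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $keyEnc = [bool]($ku -and ($ku.KeyUsages -band
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment))

    # Requirement 4 (first half): AT_KEYEXCHANGE is reported as KeyNumber 'Exchange'.
    # CNG keys or missing read permission surface here as 'unreadable'.
    $keySpec = 'none'
    if ($cert.HasPrivateKey) {
        try   { $keySpec = [string]$cert.PrivateKey.CspKeyContainerInfo.KeyNumber }
        catch { $keySpec = '' }
        if (-not $keySpec) { $keySpec = 'unreadable' }
    }

    # Requirement 5: subject CN must equal the server FQDN.
    $cn = $cert.GetNameInfo('SimpleName', $false)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)  # requirement 2
        ServerAuthEku = $serverAuth
        KeySpec       = $keySpec
        KeyEncipher   = $keyEnc
        CnMatchesFqdn = ($cn -eq $fqdn)
        InRegistry    = ($regThumb -and ($cert.Thumbprint -eq $regThumb))  # exact match, no spaces
    }
} | Select-Object Thumbprint, InValidity, ServerAuthEku, KeySpec, KeyEncipher, CnMatchesFqdn, InRegistry |
    Format-Table -AutoSize
```

A certificate with `KeySpec` of `Signature`, `none` or `unreadable`, or with any `False` in the requirement columns, fails at least one of the listed conditions.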


        • #5
          Re: SSL Certificate on SQL Express 2005

          How did you install the certificate? I've had similar problems with SSL websites when I double clicked the cert and went through the wizard and the certificate would not show up for the website to use. The solution in those cases was to open the certificate MMC (Start - Run - type MMC, then click File - Add snap in and select the certificate snap in). Use the local machine snap in and import the server certificate into the local machine personal store. Try this and then check if the cert is listed in the drop down list.

          Do you have the matching root cert for the CA installed as well? Websites will still run without it, but I'm not sure if SQL server will work over a secure connection without the key pair.


          • #6
            Re: SSL Certificate on SQL Express 2005

            Hi Brian,

            I ended up using WinHttpCertCfg to bind it after creating the self-signed cert using makecert.exe.

            Hope this helps someone