
New Connect Item – TDE

Does the certificate matter for TDE? Apparently not, as I found a number of people discussing the fact that the expiration date for certificates is not checked for TDE restores. So if your certificate expires, you can still restore the TDE backup.

However, the documentation doesn’t mention this, and I think it ought to be clarified, so I submitted this Connect item. Feel free to vote if you agree:


Whether the expiration date should matter is another debate. I think it should, but I need to really think about the pros and cons of this.

Filed under: Blog Tagged: Backup/Recovery, encryption, security, sql server, syndicated

The Voice of the DBA

Steve Jones is the editor of SQLServerCentral.com and visits a wide variety of data-related topics in his daily editorial. Steve has spent years working as a DBA and general-purpose Windows administrator, primarily working with SQL Server since it was ported from Sybase in 1990. You can follow Steve on Twitter at twitter.com/way0utwest.


Posted by K. Brian Kelley on 30 June 2011

The expiration date should matter. We're told all the time to distrust certificates that are expired. However, practically, the way it's implemented in SQL Server 2008 for TDE, it doesn't work well to force a certificate re-issue. You'd have to decrypt and re-encrypt the entire DB. That's why I was surprised that they tied TDE to a certificate like this.
