September 15, 2005 at 9:16 am
Hi,
I am trying to implement SSL encryption on my SQL Server server. IIS is not installed and there is no certificate server; we use VeriSign certificates. I generated a CSR using certreq, which was sent to VeriSign to generate the certificate. The .inf file used was as follows:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=myserver.mydomain,O=Org,OU=Dept,L=City,S=State,C=US"
; replace with the FQDN of the DC
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
; this is for Server Authentication
The certificate was imported. I exported the Trusted Root CA (tried with both DER encoded binary and PKCS 7), then imported that on the client.
When I try to connect to SQL Server after turning on Force Protocol Encryption on the client, I get a message indicating that "Encryption is not supported on SQL Server" - so it seems it is not recognizing the certificate. I have also added a Certificate value in the ...MSSQLServer\MSSQLServer\SuperSocketNetLib key, as the DNS name that we use to connect to the server is not the same as the FQDN. This value was added as a REG_BINARY and contains the thumbprint property value of the certificate.
Does anyone know what the .inf file should look like? I am not certain about some of the values I used. For instance, one of the docs on MSDN says to check that "A private key corresponds to this certificate". I only see references to the public key in the certificate properties.
I have also read that someone found that they had to have the Root CA installed before installing SQL Server in order for it to work - has anyone else had this problem? As I am using a trial certificate from VeriSign, I did not have the root CA in place.
There is frustratingly little information about what should be in the .inf file for SQL Server SSL encryption.
I would appreciate any help.
Thanks,
Eva
September 19, 2005 at 4:08 pm
Hello,
Please see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT19.asp
If it does not help then call VeriSign and visit their website for help on certificates. I had problems generating and installing SSL Certificate for WebLogic and I chatted with the VeriSign support and they were very polite and directed me right away to the correct example for WebLogic. I also had to call them and they helped me right away. Follow the link and click on the picture of a lady in the upper right corner with "Need Help? Online Chat Available Now":
http://www.verisign.com/support/ssl-certificates-support/index.html
Yelena
Regards, Yelena Varsha
September 20, 2005 at 7:00 am
Thanks Yelena. That is one of the documents I have been using, but I still can't get it to work. It did confirm that Microsoft RSA SChannel Cryptographic Provider should be used. I am still not sure about the KeyUsage (currently set to 0xa0) and the RequestType (currently PKCS10) as well as the other parameters that are set to TRUE or FALSE.
E
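The checks raised in this thread (private key present, Server Authentication EKU, subject name, thumbprint) can be read straight from the certificate store. The following is an added example, not code from any of the posters; it assumes the certificate was installed in the local computer's Personal store (the .inf sets MachineKeySet = TRUE), and `$ExpectedName` is a placeholder for the name clients use to connect.

```powershell
# Added example: report the properties discussed in the thread for every
# certificate in the local computer's Personal store.
# $ExpectedName is a placeholder; set it to the name clients connect with.
param([string]$ExpectedName = 'myserver.mydomain')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as in the .inf
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )

    # Key Usage extension; KeyUsage = 0xa0 in the .inf corresponds to
    # DigitalSignature (0x80) combined with KeyEncipherment (0x20).
    $keyUsage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1

    # Common name from the subject, for comparison with the connection name.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        NameMatches   = ($cn -eq $ExpectedName)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        KeyUsages     = if ($keyUsage) { $keyUsage.KeyUsages } else { 'none' }
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }
} | Format-List
```

An entry with HasPrivateKey = False means the store holds only the public certificate, which is the condition the MSDN check quoted above is looking for.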