• Eric M Russell - Friday, May 18, 2018 2:49 PM

    Matt Miller (4) - Friday, May 18, 2018 1:17 PM

    Eric M Russell - Friday, May 18, 2018 11:24 AM

    My understanding is that the client only needs to have installed the root certificate of the Certificate Authority, and then the client can validate any server certificate issued by that CA. For example, Windows comes bundled with the root certificates of dozens of external 3rd party certificate providers like VeriSign or Network Solutions, which is how SSL over https can be established with public websites. In a corporate setting that hosts its own CA (like my scenario), the root certificate of the internal CA is installed when the workstation or application server is provisioned. In that case, an internal client can establish SSL connections to an internal database server without having to pre-install the certificate issued to that server. This would seem to be consistent with my testing, but correct me if I'm wrong about the concepts or technicals of how this stuff works.

    That's correct - the children of a common CA can validate/trust the other children without needing anything else installed.  That said - pretty sure the parent cert has nothing to do with the actual key used to encrypt the communication once the trust has been set up (so the channel is still encrypted point to point from other peer machines not involved with the communication).

    The CA generated certificate may be only required for server validation, as protection against spoofing. I've read that setting ForceEncrypt=YES on client or server without having installed a signed certificate on the server will still enable full channel SSL encryption by using a default self-signed certificate that SQL Server creates itself.

    In my case, I want both authentication and channel encryption, and I want it without configuring or installing anything additional on the client, which it seems can be achieved so long as client machines already have CA root certificate pre-installed.

    However, if you use a self-signed certificate, you will need to export and install the self-signed cert from the server on the clients, or it won't connect. 

    As Eric pointed out, the above information I posted is *WRONG,* please disregard it.
    https://docs.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-2017