This article describes the steps to set up and use the Windows Certification Authority to create the certificates required for SQL Server to be able to use TLS 1.2 Encrypted connections.
You will need to complete different steps depending on your environment and requirements. The following sections are covered:
Applies to the following Sophos products and versions: PureMessage for Microsoft Exchange 4.0.4
These certificates must meet the following criteria:
The below section explains how to create the Certification Authority and Certificates to achieve this.
Note: Once the Certification Authority role is installed, the machine's hostname and workgroup/domain membership cannot be altered.
Note: It is recommended that you create the Certification Authority on a clean Virtual Machine as the following instructions have been seen to fail on a VM with unknown provenance.
There are 2 options for Certification Authority creation: a standalone or an enterprise certificate authority. These differ depending on your Windows network environment:
The below steps explain how to create either of these.
On a Windows server:
The following steps are taken from Microsoft guidance on how to create custom certificate requests (Microsoft Article 730929). If you use Always On Availability Groups, you will need to complete these steps for each SQL Server in the group:
The following steps depend on whether a Standalone or Enterprise Certificate Authority was created in step 1. If you use Always On Availability Groups, you will need to complete these steps for each Security VM you wish to deploy:
You have to import the certificate created on the SQL Server computer. In a non-domain environment, the certificate of the root CA must also be imported into the Trusted Root Certification Authorities logical store of the local machine, otherwise the SQL Server certificate will not chain to a trusted root and TLS connections will fail.
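A PowerShell example of the root CA import together with a pre-flight check of the SQL Server certificate, added here and not part of the Sophos article. The root certificate file path is an assumption, and the checks it performs (private key present, Server Authentication EKU, subject matching the machine FQDN, chain builds to a trusted root) reflect the requirements Microsoft documents for a SQL Server TLS certificate rather than criteria listed on this page.

```powershell
# Added example, not from the Sophos article. Assumes the root CA certificate was exported
# to C:\Certs\RootCA.cer (adjust) and the SQL Server certificate is in LocalMachine\My.
$RootCaPath = 'C:\Certs\RootCA.cer'                                   # assumed path
$SqlFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Non-domain environment: place the root CA in the machine Trusted Root store.
#    (A domain-joined host normally receives an enterprise CA root via Group Policy instead.)
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported root CA '$($root.Subject)' thumbprint $($root.Thumbprint)"

# 2. Find the newest certificate issued to this server's FQDN in the Personal store.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SqlFqdn))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SqlFqdn found in LocalMachine\My" }

# 3. Check the properties SQL Server needs before it will offer the certificate for TLS.
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'private key is not present' }
if ($cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }

$serverAuthOid = '1.3.6.1.5.5.7.3.1'                                   # Server Authentication EKU
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } # Extended Key Usage
if ($eku -and -not (@($eku.EnhancedKeyUsages.Value) -contains $serverAuthOid)) {
    $problems += 'Server Authentication EKU is missing'
}

# 4. Build the chain now so a missing root or intermediate is reported here,
#    not later as a failed client connection.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CA may not publish a reachable CRL yet
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build to a trusted root: $status"
}

if ($problems) {
    Write-Warning ("Certificate $($cert.Thumbprint) is not usable for SQL Server TLS: " + ($problems -join ', '))
} else {
    Write-Host "Certificate $($cert.Thumbprint) passes the SQL Server TLS checks"
}
```

Run it in an elevated PowerShell session on the SQL Server host after the certificate has been issued and installed; the SQL Server service account must additionally be granted read access to the certificate's private key, which this script does not change.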