SQL Server Forum / General / Security / May 2008

Using CA issued Certificates for SQL Certificate Encryption

Jediah L - 20 May 2008 21:17 GMT
I am trying to create a certificate in SQL Server 2005 using the CREATE
CERTIFICATE TSQL statement; however, the certificates that I have are in CER
and PFX format. For some reason, SQL Server 2005 is requiring a PVK file
rather than the Microsoft standard private key exchange format of PFX.

Anyway, I have the PFX file, and I tried to supply that as the private key,
hoping that perhaps SQL Server was smart enough to use (convert) the PFX
Microsoft standard format for private key files. No luck.

I've found at least one freeware utility to convert PFX to PVK - however,
I'm a little cautious in using freeware utilities from unknown sources to
manipulate something as important as my certificate files.

Does anyone know how to convert PFX files to PVK files using a Microsoft
supplied toolset, or some way to get SQL 2005 to accept the PFX file?

I've found examples using makecert.exe - however, I already have the
Certificate that was issued by a trusted certificate authority that I'm
trying to use for this function, rather than making one from scratch.

Thanks in advance!

Jediah L.
Peter Yang[MSFT] - 21 May 2008 07:27 GMT
Hello Jediah,

Usually in SQL 2005 it's not necessary to use a certificate from an outside
source. You can create a certificate directly; it's managed by SQL itself
and protected by the service master key and database key.

--USE master;
--CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Strong_Password>';
GO

CREATE CERTIFICATE HOST_A_cert
    WITH SUBJECT = 'HOST_A certificate',
    START_DATE = '05/10/2006';
GO

You could back up the certificate as:

-- Without a WITH PRIVATE KEY clause this writes only the public certificate;
-- add WITH PRIVATE KEY (FILE = '...', ENCRYPTION BY PASSWORD = '...') to export
-- the private key as well.
BACKUP CERTIFICATE HOST_A_cert TO FILE = 'C:\HOST_A_cert.cer';

On a different server, you could restore the certificate via:

-- Loads the public certificate only, which is enough for Service Broker peer
-- authentication; decrypting data with it needs the WITH PRIVATE KEY clause too.
CREATE CERTIFICATE HOST_A_cert
    AUTHORIZATION HOST_A_user
    FROM FILE = 'C:\HOST_A_cert.cer';
GO

As for PVK format certificate, you could refer to the following article for
some related information:

915852    How to use certificates for SQL Server 2005 Service Broker remote
security on multiple instances of SQL Server 2005
http://support.microsoft.com/default.aspx?scid=kb;EN-US;915852

I tried the following test and I encountered a similar issue to yours:

1. Use the pvk2pfx tool in the .NET SDK to convert pvk/cer to pfx format.

pvk2pfx -pvk HOST_A_cert.pvk -pi fnf -spc HOST_A_cert.cer -pfx HOST_A_cert.pfx -po fnf

2. Try to use the openssl tool to convert it to pem format.

openssl pkcs12 -in HOST_A_cert.pfx -out HOST_A_cert.pem -nodes

3. Use pvk to convert pem to pvk.

pvk.exe -in HOST_A_cert.pem -topvk -strong -out HOST_A_cert-o.pvk

I compared HOST_A_cert-o.pvk and HOST_A_cert.pvk and they are the same size.

4. Convert pem to an SPC file using openssl.

openssl.exe crl2pkcs7 -nocrl -certfile HOST_A_cert.pem -outform DER -out HOST_A_cert.spc

It seems HOST_A_cert.spc has a different size from HOST_A_cert.cer.

5. Try to use spc/pvk to create a certificate, and I encountered the
following error:

CREATE CERTIFICATE HOST_A_cert_o
   FROM FILE = 'C:\sql\security\HOST_A_cert.spc'
   WITH PRIVATE KEY (FILE = 'C:\sql\security\HOST_A_cert-o.pvk',
   DECRYPTION BY PASSWORD = 'Password!');
GO

Msg 15468, Level 16, State 1, Line 1
An error occurred during the generation of the certificate.

I was not able to find another tool or method to convert pfx to cer
correctly. I will try to do some more research on this.

Best Regards,

Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Community Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Jediah L - 21 May 2008 17:33 GMT
Peter,

I was able to successfully create a PVK from a PFX last night and install it
into SQL and use it for encryption, but I did have to use two open source
utilities to do so (which I'm not very excited about). In similar steps to
yours, I downloaded and compiled openssl, and also utilized the PVK.exe that I
found on the internet. I wonder why, if Microsoft uses PFX as its standard
for private key encryption, it built SQL Server to utilize PVK.

I used the following steps:

1. Extracted PEM from PFX using openssl
2. Converted PEM to PVK using pvk.exe
3. Used CER from certificate export for public key
4. Used PVK from steps 1 & 2 for private key

In regards to the use of an external certificate: true, SQL Server does
support the creation of certificates, but we want to use the management
features of our Enterprise Certificate Authority to remain consistent in our
environment and also to provide additional recoverability as part of our
encryption process.

Thanks for your response!

Jediah L.

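Both posters end up piping the private key through a third-party pvk.exe found on the internet, which is exactly the kind of tool a practitioner hesitates to trust with CA-issued key material. The following is an added example, not code from the thread or from any Microsoft tool: a standard-library-only Python encoder and decoder for the PVK container, so that a converter's output can be inspected (and compared against the CER's modulus) before it goes into CREATE CERTIFICATE, or a PVK can be produced without a foreign binary at all. The layout it implements (six little-endian DWORDs, an optional 16-byte salt, then a CryptoAPI PRIVATEKEYBLOB whose 8-byte BLOBHEADER stays in clear while the rest is RC4-encrypted under SHA1(salt || password)) is the one used by OpenSSL's pvkfmt.c and by pvk.exe. The RSA key inside the block is a constructed toy built from two Mersenne primes, present only so the round trip runs offline; real keys are supplied by the caller.

```python
"""PVK (Microsoft private-key file) encoder/decoder for RSA keys, stdlib only.
Layout: header (magic, reserved, keyspec, encrypted, saltlen, keylen as LE DWORDs),
salt, then a CryptoAPI PRIVATEKEYBLOB with everything after the 8-byte BLOBHEADER
RC4-encrypted. RC4 key = SHA1(salt||password)[:16] ("strong") or its first 5 bytes
zero-padded to 16 ("weak"). Assumed layout per OpenSSL pvkfmt.c / pvk.exe."""
import hashlib
import os
import struct

PVK_MAGIC = 0xB0B5F11E
KEYSPEC_KEYX = 1                  # AT_KEYEXCHANGE, what CREATE CERTIFICATE expects
CALG_RSA_KEYX = 0x0000A400
RSA2_MAGIC = 0x32415352           # b"RSA2": RSA private key blob
HDR = struct.Struct("<IIIIII")

def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(salt: bytes, password: str, strong: bool) -> bytes:
    k = hashlib.sha1(salt + password.encode("utf-8")).digest()[:16]
    return k if strong else k[:5] + b"\0" * 11   # "weak": 40-bit effective key

def rsa_privatekeyblob(n, e, d, p, q) -> bytes:
    """CryptoAPI PRIVATEKEYBLOB: BLOBHEADER, RSAPUBKEY, then fixed-width LE integers."""
    half = max((p.bit_length() + 7) // 8, (q.bit_length() + 7) // 8)
    full, bits = 2 * half, 16 * half           # real keys: bits == modulus length
    if n >> bits:
        raise ValueError("modulus does not fit the declared key size")
    le = lambda v, width: v.to_bytes(width, "little")
    blob = struct.pack("<BBHI", 7, 2, 0, CALG_RSA_KEYX)   # PRIVATEKEYBLOB, version 2
    blob += struct.pack("<III", RSA2_MAGIC, bits, e)
    blob += le(n, full) + le(p, half) + le(q, half)
    blob += le(d % (p - 1), half) + le(d % (q - 1), half) + le(pow(q, -1, p), half)
    return blob + le(d, full)

def pvk_encode(n, e, d, p, q, password=None, strong=True, salt=None) -> bytes:
    blob = rsa_privatekeyblob(n, e, d, p, q)
    if password is None:
        return HDR.pack(PVK_MAGIC, 0, KEYSPEC_KEYX, 0, 0, len(blob)) + blob
    salt = os.urandom(16) if salt is None else salt
    body = blob[:8] + rc4(derive_key(salt, password, strong), blob[8:])
    return HDR.pack(PVK_MAGIC, 0, KEYSPEC_KEYX, 1, len(salt), len(blob)) + salt + body

def pvk_decode(data: bytes, password=None) -> dict:
    """Parse a PVK (trying the strong, then the weak RC4 key) and check the RSA parameters."""
    magic, _, keyspec, encrypted, saltlen, keylen = HDR.unpack_from(data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file")
    salt = data[HDR.size:HDR.size + saltlen]
    blob = data[HDR.size + saltlen:HDR.size + saltlen + keylen]
    if len(blob) != keylen:
        raise ValueError("truncated PVK")
    strength = "none"
    if encrypted:
        if password is None:
            raise ValueError("PVK is encrypted; password required")
        for strong in (True, False):           # same fallback order as OpenSSL
            cand = blob[:8] + rc4(derive_key(salt, password, strong), blob[8:])
            if struct.unpack_from("<I", cand, 8)[0] == RSA2_MAGIC:
                blob, strength = cand, "strong" if strong else "weak"
                break
        else:
            raise ValueError("wrong password (or not an RSA PVK)")
    btype, _, _, alg = struct.unpack_from("<BBHI", blob, 0)
    rsa_magic, bits, e = struct.unpack_from("<III", blob, 8)
    if btype != 7 or rsa_magic != RSA2_MAGIC:
        raise ValueError("unsupported blob type")
    half, vals, off = bits // 16, [], 20
    for width in (2 * half, half, half, half, half, half, 2 * half):   # n p q dp dq qinv d
        vals.append(int.from_bytes(blob[off:off + width], "little"))
        off += width
    n, p, q, _, _, _, d = vals
    if p * q != n or pow(pow(2, e, n), d, n) != 2:
        raise ValueError("inconsistent RSA parameters")
    return {"keyspec": keyspec, "alg": alg, "bits": bits, "encryption": strength,
            "n": n, "e": e, "d": d, "p": p, "q": q}

# Constructed toy key (Mersenne primes 2^107-1 and 2^127-1): far too small for
# real use, present only so the round trip below runs offline.
TOY_P, TOY_Q, TOY_E = (1 << 107) - 1, (1 << 127) - 1, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

def roundtrip(password="Password!", strong=True) -> dict:
    pvk = pvk_encode(TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q, password, strong, salt=b"\x01" * 16)
    return pvk_decode(pvk, password)
```

To convert a real key, extract its integers (for example `openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem` followed by `openssl rsa -in key.pem -noout -text`, or `private_numbers()` from the `cryptography` package; both are assumptions about the caller's toolchain, not part of this block) and pass them to pvk_encode with a password; that password is what goes into DECRYPTION BY PASSWORD in the CREATE CERTIFICATE statement quoted earlier in the thread. pvk_decode gives back the modulus, so a vendor-produced PVK can be checked against `openssl x509 -in cert.cer -noout -modulus` before it is loaded. Two caveats worth knowing: OpenSSL 1.0.0 and later can write the format directly (`openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk`), which removes the need for pvk.exe; and the container's protection is RC4 under a single SHA-1 of salt and password, 40 bits in "weak" mode, so a PVK on disk should be handled like an unencrypted key file and deleted once CREATE CERTIFICATE has imported it.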
Peter Yang[MSFT] - 22 May 2008 04:44 GMT
Hello Jediah,

Thank you for your reply and your feedback on this feature. I agree that
there should be a convenient tool to do this in the out-of-box features of SQL
or the development products. Please rest assured that your feedback on this is
routed to the product team and they may consider this business request in
future design.

Also, your experience on this issue will certainly benefit the community
and help others who may encounter similar issues.

If you have any further feedback or wishes on SQL Server, I encourage you to
submit them via the link below; our product team would like to hear your
voice:

http://lab.msdn.microsoft.com/productfeedback/default.aspx

If you have any further concerns or comments, please feel free to let us
know.

Best Regards,

Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support


This posting is provided "AS IS" with no warranties, and confers no rights.

Erland Sommarskog - 22 May 2008 23:18 GMT
> Thank you for your reply and your feedback on this feature. I agree that
> there should be a convenient tool to do this in out of box features of SQL
[quoted text clipped - 10 lines]
>
> http://lab.msdn.microsoft.com/productfeedback/default.aspx

Peter, that link has been dead for a couple of years. The correct link is
http://connect.microsoft.com/SqlServer/Feedback


Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Peter Yang[MSFT] - 23 May 2008 03:59 GMT
Hello Erland,

Oh I was not aware of this. Thank you for your kind help!

Best Regards,

Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support


 