SQL Server Forum / General / Security / July 2008


Certificate Requirements for SQL Data Encryption

Jediah L - 30 May 2008 20:04 GMT
We are in the process of attempting to issue certificates from our
Enterprise CA to use in SQL encryption.  I cannot find documented anywhere
what the key attribute requirements are (Key Usage and Application Policies,
etc.) for the Certificates.  I understand that SQL Server can issue its own
certificates, but for management and consistency, we would like to issue
them from our Enterprise CA.

Could someone point me to this documentation?

Thanks!

Jediah L.
Charles Wang [MSFT] - 02 Jun 2008 06:30 GMT
Hi Jediah,
I am sorry, but I am not sure what you mean by key attribute
requirements for the certificates. If you meant that you want to
encrypt data in SQL Server with your existing certificates issued by your
CA, you can refer to the following steps:
1. Load your certificate to your SQL Server by using CREATE CERTIFICATE.  
You may refer to:
CREATE CERTIFICATE (Transact-SQL)
http://msdn.microsoft.com/en-us/library/ms187798.aspx

2. Create a symmetric or asymmetric key to encrypt/decrypt your data. You
may refer to:
How to: Encrypt a Column of Data
http://msdn.microsoft.com/en-us/library/ms179331.aspx

If I have misunderstood anything, please feel free to let me know. I
am glad to assist further.

Best regards,
Charles Wang
Microsoft Online Community Support
===========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@microsoft.com.
===========================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for
non-urgent issues where an initial response from the community
or a Microsoft Support Engineer within 1 business day is acceptable.
Please note that each follow up response may take approximately
2 business days as the support professional working with you may
need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by
contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
============================================================
Signature

This posting is provided "AS IS" with no warranties, and confers no rights.

=========================================================
Jediah L - 02 Jun 2008 13:58 GMT
I am trying to issue a certificate from an external CA that will work with
SQL Server.

So far I have tried issuing from the user template and the computer
template.  For the user and computer templates I have tried various
different options:  including and not including Client Authentication, and
Server Authentication in the Application Policy extension, I have tried
changing the purpose from encryption to signature to signature and
encryption, I have set the key usage to various values (Digital Signature,
Key exchange, etc).

I have a certificate that I have issued from one CA outside of our
environment that works, but I've yet to find out what the difference is
between the working certificate and the non-working certificate.

This trial and error stuff is a bit for the birds (a waste of time) - there
really should be some documentation inside of the SQL Server BOL that says
"If you are going to use a certificate that is issued from a Certificate
Authority, the certificate must be created in the following way" - I'm
looking for that documentation.  Are you aware of any?

Thanks!

Charles Wang [MSFT] - 03 Jun 2008 11:53 GMT
Hi Jediah,
I recommend that you directly give Microsoft feedback at the bottom of this
article:
CREATE CERTIFICATE (Transact-SQL)
http://msdn.microsoft.com/en-us/library/ms187798.aspx

I appreciate your understanding that the documents are huge and it is very
hard to cover every aspect when we initially release them. Your feedback
will help us enrich our content and make it more helpful.

Regarding your non-working certificate, based on my current test, I could
not reproduce your issue on my side. I used a certificate from my
Certificate Authority. However, I noticed that you said "So far I have tried
issuing from the user template and the computer template.  For the user and
computer templates I have tried various different options:  including and
not including Client Authentication, and Server Authentication in the
Application Policy extension, I have tried changing the purpose from
encryption to signature to signature and encryption, I have set the key
usage to various values (Digital Signature, Key exchange, etc).", which
did not seem to be from a CA. Could you please elaborate on this phase and on
your process for loading a certificate in SQL Server 2005 so that I can
perform further checking?

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L - 03 Jun 2008 14:55 GMT
Charles,

So after trying another 25 or so certificates and various configurations, I
have found that I can't even load the public key of any of these
certificates that I have issued from our internal CA, while I can load the
public certificates from an external CA.  Both internal and external (as I'm
referring to them) are certificates that are issued from Microsoft
Enterprise Certificate Authorities and are fully functional otherwise.

The documentation also seems to suggest that I can load certificates from
the certificate store - but there is also no documentation that shows how to
do that...

Could I send you the public cert that is working, and the one that isn't
working, and you take a look and possibly come up with a reason as to why
one is working and the other not?  The errors are very non-descript just
saying that the certificate can't be loaded...  both are valid certificates,
and I've tried matching the certificates as exactly as I could, but still no
go.

Thanks!

Jediah L - 03 Jun 2008 21:41 GMT
Charles,

Here is what I am doing:

1. Create a Certificate Template for the SQL Encryption
1a. Duplicate the User Template and call the new template SQL Encryption
1b. Under the General Tab set the Validity Period to 2 years
1c. Check Publish in Active Directory
1d. Under Request Handling set the Purpose to Encryption
1e. Allow private key to be exported, minimum key size 1024 bit, enroll
subject without user input
1f. Under Subject Name choose supply in the request
1g. Under Extensions:
1h. Remove all application policies (I've tried various different settings
for this, none seem to matter)
1i. Under Key Usage Extension only set Allow Key exchange only with Key
encryption (I've tried various different settings for this, none seem to
matter).

2. Create INF file for certificate request (can do this by hand or use the
RequestEditor.exe that came with the Microsoft Press PKI book).
2a. Here is my INF file

[Version]
Signature="$Windows NT$"

[NewRequest]
; 1024-bit RSA key, exportable so the private key can later be pulled out as a PFX
KeyLength = 1024
Exportable = True
; keep the key in the machine store rather than the requesting user's store
MachineKeySet = True
SMIME = False
Subject = "CN=SQL Encryption"

[Note: I've tried various Subjects, they don't seem to matter]

2b. Create certificate request file using INF file

certreq -new -attrib "CertificateTemplate:SQLEncryption" input.inf output.req

2c. Submit request to Enterprise CA

certreq -submit output.req publiccert.cer certchain.p7b

2d. Accept certificate request

certreq -accept certchain.p7b

3. Export PFX file for previously created certificate
3a. Run through private key export wizard and create PFX file.

4. Convert PFX file to PVK file (Microsoft requires PVK file format)
4a. Download and install or compile OpenSSL
4b. Run the following command to create PEM file from PFX file

openssl pkcs12 -in [pfxinputfile] -nocerts -nodes -out [pemoutputfile]

4c. Download the pvk.exe utility from the web
4d. Run the following command to create the PVK file from the PEM file

pvk -in [pemfile] -topvk -out [pvkoutputfile]

5. Install certificate into SQL Server
5a. Run the create certificate command

CREATE CERTIFICATE cert2
    FROM FILE = 'c:\temp\public.cer'
    WITH PRIVATE KEY (
        FILE = 'c:\temp\created.pvk',
        DECRYPTION BY PASSWORD = 'password_used_in_pvk_command'
    );

Everything works fine, except the very last command: the CREATE CERTIFICATE
throws the following error with or without the WITH PRIVATE KEY option:  "An
error occurred during the generation of the certificate".

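The conversion chain above ends in a PVK file that SQL Server has to parse, and the suggestion raised later in this thread is that the OpenSSL/pvk.exe output might be malformed. What follows is an added example, not code from this thread or from Microsoft: a small stdlib-only Python inspector that reads a PVK the way CryptoAPI lays it out (PVK header, BLOBHEADER, RSAPUBKEY with the "RSA2" magic, little-endian key parts), decrypts the RC4-protected part when a password was used (SHA-1 over salt and password, with the weak export-grade variant tried as a fallback), and checks that the RSA components are mutually consistent. The 64-bit toy key, the salt and the password it uses for its self-test are constructed; the script name `pvk_inspect.py` and the `key.pvk` argument are assumptions.

```python
# Added example: inspect a Microsoft PVK file and sanity-check the RSA key in it.
# Layout follows CryptoAPI PRIVATEKEYBLOB / OpenSSL pvkfmt.c; the sample key,
# salt and password below are constructed for the self-test, not real material.
import hashlib
import math
import struct

PVK_MAGIC = 0xB0B5F11B                         # first DWORD of every PVK file
PRIVATEKEYBLOB = 0x07                          # BLOBHEADER.bType for a private key
CALG_RSA_KEYX, CALG_RSA_SIGN = 0xA400, 0x2400  # BLOBHEADER.aiKeyAlg: key-exchange vs signature key
RSA2_MAGIC = 0x32415352                        # b"RSA2": magic of a private RSAPUBKEY


def _rc4(key, data):
    """Plain RC4; PVK encrypts everything after the 8-byte BLOBHEADER with it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _pvk_key(salt, password, weak):
    """RC4 key = SHA-1(salt || password) cut to 16 bytes; the 'weak' export variant keeps only 5."""
    h = hashlib.sha1(salt + password.encode()).digest()
    return h[:5] + b"\x00" * 11 if weak else h[:16]


def encode_pvk(n, e, d, p, q, keytype=1, password=None, salt=b""):
    """Serialise an RSA private key as PVK (keytype 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE)."""
    bits = n.bit_length()
    assert bits % 16 == 0, "CryptoAPI stores primes and CRT values as bitlen/16 bytes"
    full, half = bits // 8, bits // 16
    le = lambda v, size: v.to_bytes(size, "little")
    body = struct.pack("<III", RSA2_MAGIC, bits, e) + le(n, full) + le(p, half) + le(q, half)
    body += le(d % (p - 1), half) + le(d % (q - 1), half) + le(pow(q, -1, p), half) + le(d, full)
    if password is not None:
        body = _rc4(_pvk_key(salt, password, weak=False), body)
    alg = CALG_RSA_KEYX if keytype == 1 else CALG_RSA_SIGN
    blob = struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, alg) + body
    header = struct.pack("<IIIIII", PVK_MAGIC, 0, keytype, int(password is not None), len(salt), len(blob))
    return header + salt + blob


def inspect_pvk(data, password=None):
    """Parse a PVK, decrypt it if needed, and check the RSA parts agree with one another."""
    magic, _reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from("<IIIIII", data, 0)
    if magic != PVK_MAGIC:
        raise ValueError(f"not a PVK file: magic {magic:#010x}")
    salt = data[24:24 + saltlen]
    blob = data[24 + saltlen:24 + saltlen + keylen]
    if len(blob) != keylen:
        raise ValueError("truncated key blob")
    btype, _bver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    body, weak_kdf = blob[8:], False
    if encrypted:
        if password is None:
            raise ValueError("PVK is encrypted; a password is required")
        for weak_kdf in (False, True):             # writers may use either key strength
            candidate = _rc4(_pvk_key(salt, password, weak_kdf), body)
            if struct.unpack_from("<I", candidate)[0] == RSA2_MAGIC:
                body = candidate
                break
        else:
            raise ValueError("wrong password: RSA2 magic not recovered")
    rmagic, bits, e = struct.unpack_from("<III", body, 0)
    if btype != PRIVATEKEYBLOB or rmagic != RSA2_MAGIC:
        raise ValueError("blob is not an RSA PRIVATEKEYBLOB")
    full, half = bits // 8, bits // 16
    parts, pos = [], 12
    for size in (full, half, half, half, half, half, full):   # n, p, q, dP, dQ, qInv, d
        parts.append(int.from_bytes(body[pos:pos + size], "little"))
        pos += size
    n, p, q, dp, dq, qinv, d = parts
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    consistent = (n == p * q and (e * d) % lam == 1 and dp == d % (p - 1)
                  and dq == d % (q - 1) and qinv == pow(q, -1, p))
    return {"keytype": keytype, "encrypted": bool(encrypted), "weak_kdf": weak_kdf,
            "alg": alg, "bits": bits, "e": e, "consistent": consistent}


def sample_key():
    """Constructed toy RSA key with 32-bit primes (64-bit modulus); far too small for real use."""
    p, q, e = 4294967291, 4294967279, 65537
    d = pow(e, -1, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1))
    return p * q, e, d, p, q


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # python pvk_inspect.py key.pvk [password]
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pvk(fh.read(), sys.argv[2] if len(sys.argv) > 2 else None))
    else:                                          # self-test on the constructed key
        n, e, d, p, q = sample_key()
        pvk = encode_pvk(n, e, d, p, q, password="password_used_in_pvk_command", salt=bytes(range(16)))
        print(inspect_pvk(pvk, password="password_used_in_pvk_command"))
```

A PVK that fails the magic, password or consistency checks here is not something SQL Server's loader can be expected to accept either, while one that passes shifts suspicion to the certificate file itself. Note also that OpenSSL 1.0.0 and later can write this format directly (`openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk`), which removes the separate pvk.exe step; on OpenSSL 3.x the RC4-encrypted variants need the legacy provider loaded.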
Charles Wang [MSFT] - 04 Jun 2008 12:22 GMT
Hi Jediah,
You can mail me (changliw_at_microsoft_dot_com) your working and
non-working certificates for further research. Now I am performing research
according to your detailed steps and may need more time to get back to you.
I appreciate your patience.

Best regards,
Charles Wang
Microsoft Online Community Support
Charles Wang [MSFT] - 05 Jun 2008 15:04 GMT
Hi Logiodice,
Thank you for your email response.

Your certificate also did not work at my side. Anyway I did not put much
time on this error.

I read your steps on the newsgroup; however, I would like to know why you
used such complex steps to get the certificate and the private key (.pvk).
Since you are using a Microsoft Enterprise CA, you can simply acquire a
certificate by accessing http://your_CA_server/certsrv and taking the
following steps:
1.    Click the link "Request a certificate";
2.    Click "Or, submit an advanced certificate request";
3.    Click "Create and submit a request to this CA";
4.    Select your Certificate Template issued in your CA, check "Create new
key set", check "Mark keys as exportable" and check "Export keys to file",
input the path to save the private key file, check "Store certificate
in the local computer store", input a Friendly Name and click Submit;
5.    Input the password while the certificate is being generated. After this
step, the private key file is created and you can download the
certificate by clicking "Download certificate";
6.    Then you can create the certificate in your SQL Server 2005 with the
T-SQL statement as you showed.

In addition, there are some different settings on Certificate template
between yours and mine. Please refer to the following:
1.    On Extensions tab, I added "Client Authentication" and "Server
Authentication" to the Application policy list; For Key Usage, I check
"Allow encryption for user data";
2.    On Security tab, I give "Read", "Write" and "Enroll" permissions to
Domain Users group.

Could you please check if my steps worked for you? Please feel free to let
me know if you have any questions or concerns.

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L - 06 Jun 2008 18:13 GMT
Charles,

I have used certificates that have been allowed client and server
authentication (the one that I sent you allowed for ALL policies), and I
have also chosen the Allow encryption for user data as well.  Our Read |
Write | Enroll permissions are applied to a specific user group instead of a
domain user group; but that wouldn't have any bearing on the certificate
usage just the enrollment.

As far as the complex steps to get to the PVK, it's because we have no web
interface on our certificate authority (for security reasons).  I will
create a new certificate with the options you have asked about below and
send it on either later today or tomorrow.

Thanks!

Charles Wang [MSFT] - 10 Jun 2008 09:14 GMT
Hi Logiodice,
Thanks for your response.

Yes, the issue still persists. Since your steps involve some third-party
tools, which are outside the Microsoft support boundary, I could not directly
perform the test in our working environment. However, comparing my test
result with yours, I think that this issue was most likely caused by an
incompatible file format produced by your OpenSSL or PVK utility.
I would like to attach my working certificate in an email so that you can
perform a test to see if it works on your side. If it works, I recommend
that you have at least one client computer get the certificates via Web
access to http://servername/certsrv. Then you can dispatch the certificates to
other computers.

Please feel free to let me know if you have any other questions or
concerns. Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L - 10 Jun 2008 19:17 GMT
Charles,

My working certificate went through the same openssl and pvk process,
however, if this is the case then Microsoft needs to supply a toolset to
convert their x509 to PVK.

I asked for a utility before on the forums, but was told that no such
Microsoft util existed, but there was an agreement that there should be.

Is this SQL Server functionality not enterprise ready?

Thanks!

Charles Wang [MSFT] - 11 Jun 2008 12:34 GMT
Hi Jediah,
I think that the tool for converting x509 to PVK should be a separate
utility not only used by SQL Server but also by many other applications. It
is better if Windows OS can include the tool. However I have not found an
official tool for implementing this function by Microsoft.

Anyway I will try consulting our security team to see if they have any good
suggestions. I will update you as soon as possible.

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L - 12 Jun 2008 15:18 GMT
Thank you!  I'm looking forward to a response!

Charles Wang [MSFT] - 17 Jun 2008 11:59 GMT
Hi Jediah,
Unfortunately I have not been able to get any suggestions from our product
team. In this case, could you please give Microsoft your feedback at
https://connect.microsoft.com/sql so that our product team can hear your
voice directly and improve the feature in future. You may be able to get
email notifications when our product team responds to your feedback.

If you have any other questions or concerns, please feel free to let me
know.

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L - 19 Jun 2008 16:47 GMT
Charles,

So is it a fair assessment to state that Microsoft SQL Server data
encryption is not enterprise ready?  I need to bring this feedback to our
Enterprise Architecture team so that we can make a decision on utilizing it.

Thank you.

Charles Wang [MSFT] - 23 Jun 2008 13:59 GMT
Hi Jediah,
Though the certificate generated with your third-party tool did not work
for SQL Server 2005 data encryption, I do not think that we can conclude
that SQL Server 2005 data encryption is not enterprise ready. Actually,
regarding such an issue, it is hard to say now whether the issue is on the
SQL Server side or on your third-party tools' side. There might be some
underlying issues that need tracking. However, this job is beyond the
support boundary of our managed newsgroup.

If you are very concerned with this issue, I recommend that you contact
your third-party tools vendor for further consultation, or you can contact
Microsoft Customer Support Services (CSS) via telephone so that a
dedicated Support Professional can assist you in a more efficient manner.
Please be advised that contacting phone support will be a charged call.

To obtain the phone numbers for specific technology request please take a
look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Best regards,
Charles Wang
Microsoft Online Community Support
Jediah L. - 11 Jul 2008 18:35 GMT
Sorry for the delay, I have been trying to get caught up on other
priorities.

As an enterprise customer - I would significantly differ on your conclusion.

The SQL Server encryption functionality does not work seamlessly with our
functional implementation of the Microsoft Enterprise Certificate Authority
(which is an enterprise ready tool).  It seems to work well if you disregard
an enterprise implementation of a certificate authority, or if you implement
your Certificate Authority in a very specific way (i.e. support
web-enrollment).  Using the built in functionality of SQL Server for
encryption key management is nice for small shops, not, however, for an
enterprise implementation.

So far, the problems I keep having with SQL Server encryption - I am
continuously told "Provide the team feedback and maybe they'll make it
better in the future".  As an enterprise customer, we don't willingly
beta-test Microsoft software (although it seems like using any Microsoft
product requires a continuous mindset that you are indeed a beta-tester).

Conclusion:  Due to the continuous problems that have no resolution, the
lack of general use & support out in the internet and on the newsgroups for
a standard enterprise configuration, there is no other option but to come to
the conclusion that SQL Server encryption is not an enterprise ready
solution.  That is the conclusion we will be sending to our Management
organization.

Thank you for your help!

linnext - 20 Jun 2008 21:19 GMT
thx for sharing

Eugene Mayevski - 02 Jun 2008 06:35 GMT
Hello!
You wrote  on Fri, 30 May 2008 15:04:02 -0400:

JL> Could someone point me to this documentation?

You can try using the CREATE CERTIFICATE command to create a new certificate,
then export that certificate and investigate the extensions set. This will
be easier than trying to find someone competent in both PKI and SQL Server.

With best regards,
Eugene Mayevski
http://mayevski.blogspot.com/
Eugene Mayevski - 02 Jun 2008 06:39 GMT
Hello!
You wrote to Jediah L on Mon, 2 Jun 2008 08:35:31 +0300:

JL>> Could someone point me to this documentation?

EM> You can try using CREATE CERTIFICATE command to create a new

Description for CREATE CERTIFICATE has the following remark:
"A certificate is a database-level securable that follows the X.509 standard
and supports X.509 V1 fields. "

If I remember correctly, X.509v1 didn't include extensions that you were
asking about. So maybe those extensions are just not included.

With best regards,
Eugene Mayevski
http://mayevski.blogspot.com/
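To check the V1-versus-V3 point above against real files, here is an added example (not from this thread and not Microsoft tooling): a dependency-free Python DER walker that pulls out exactly the fields a CREATE CERTIFICATE import would see, i.e. the X.509 version, the signature algorithm OID, every extension OID with its critical flag, and the decoded Key Usage and Extended Key Usage, and then diffs a working certificate against a failing one. The two certificates it builds for its self-test (a v1 with no extensions and a v3 carrying a critical keyEncipherment Key Usage plus serverAuth/clientAuth EKUs) are constructed with dummy keys and signatures purely to exercise the parser; the script name `cert_diff.py` and the `.cer` file arguments are assumptions, and the files must be DER-encoded, as CREATE CERTIFICATE ... FROM FILE expects.

```python
# Added example: a dependency-free DER walker that lists what an X.509 import sees
# (version, signature algorithm, extensions, Key Usage, EKU) and diffs two certs.
# The sample certificates are constructed here with dummy keys and signatures.
SEQ, SET, INT, BITS, OCTS, NULL, OID, UTF8, UTCT, BOOL = 0x30, 0x31, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0C, 0x17, 0x01
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def der(tag, content):
    """Minimal DER TLV encoder, only used to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for v in arcs[2:]:
        enc = [v & 0x7F]
        while v >> 7:
            v >>= 7
            enc.insert(0, (v & 0x7F) | 0x80)
        body += enc
    return der(OID, bytes(body))


def build_sample_cert(v3):
    """Constructed v1 or v3 certificate; only the structure matters, key and signature are dummies."""
    name = lambda cn: der(SEQ, der(SET, der(SEQ, der_oid("2.5.4.3") + der(UTF8, cn))))
    sha1_rsa = der(SEQ, der_oid("1.2.840.113549.1.1.5") + der(NULL, b""))
    rsa_pub = der(SEQ, der(INT, b"\x00\xc1") + der(INT, b"\x01\x00\x01"))
    spki = der(SEQ, der(SEQ, der_oid("1.2.840.113549.1.1.1") + der(NULL, b"")) + der(BITS, b"\x00" + rsa_pub))
    validity = der(SEQ, der(UTCT, b"080601000000Z") + der(UTCT, b"100601000000Z"))
    tbs = der(INT, b"\x01") + sha1_rsa + name(b"Test Issuing CA") + validity + name(b"SQL Encryption") + spki
    if v3:   # critical keyEncipherment Key Usage plus serverAuth/clientAuth EKUs
        ku = der(SEQ, der_oid("2.5.29.15") + der(BOOL, b"\xff") + der(OCTS, der(BITS, b"\x05\x20")))
        eku = der(SEQ, der_oid("2.5.29.37") + der(OCTS, der(SEQ, der_oid("1.3.6.1.5.5.7.3.1") + der_oid("1.3.6.1.5.5.7.3.2"))))
        tbs = der(0xA0, der(INT, b"\x02")) + tbs + der(0xA3, der(SEQ, ku + eku))
    return der(SEQ, der(SEQ, tbs) + sha1_rsa + der(BITS, b"\x00" * 17))


def tlv(buf, pos):
    """Read one DER element at pos -> (tag, content, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out


def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def inspect_cert(cert_der):
    """Version, signature algorithm, extension OIDs with criticality, decoded Key Usage and EKU."""
    tbs, _sig_alg, _sig = children(tlv(cert_der, 0)[1])
    fields = children(tbs[1])
    version, idx = 1, 0
    if fields[0][0] == 0xA0:                      # [0] EXPLICIT version; absent means v1
        version, idx = children(fields[0][1])[0][1][0] + 1, 1
    info = {"version": version, "signature_alg": decode_oid(children(fields[idx + 1][1])[0][1]),
            "extensions": {}, "key_usage": [], "eku": []}
    for tag, val in fields:
        if tag != 0xA3:                           # [3] EXPLICIT extensions; v3 only
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)                 # OID, optional BOOLEAN critical, OCTET STRING value
            oid, value = decode_oid(parts[0][1]), parts[-1][1]
            info["extensions"][oid] = len(parts) == 3 and parts[1][1] == b"\xff"
            if oid == "2.5.29.15":                # KeyUsage BIT STRING: first byte = unused bits
                bits = tlv(value, 0)[1]
                usable = min(len(bits[1:]) * 8 - bits[0], len(KU_BITS))
                info["key_usage"] = [KU_BITS[i] for i in range(usable) if bits[1 + i // 8] & (0x80 >> i % 8)]
            elif oid == "2.5.29.37":              # ExtKeyUsage: SEQUENCE OF OID
                info["eku"] = [decode_oid(v) for _, v in children(tlv(value, 0)[1])]
    return info


def diff_certs(a, b):
    """Fields on which a working and a failing certificate differ."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    import sys                                     # python cert_diff.py working.cer failing.cer (DER)
    certs = [inspect_cert(open(f, "rb").read()) for f in sys.argv[1:3]] if len(sys.argv) == 3 else [
        inspect_cert(build_sample_cert(v3=False)), inspect_cert(build_sample_cert(v3=True))]
    print(diff_certs(*certs))
```

Run against the working and failing certificates from the thread, the diff narrows the comparison to the version, the signature algorithm and the extension set, which is the information the "certificate can't be loaded" error withholds; if the two agree on all of these, the difference lies in fields this walker does not decode (subject encoding, validity, key size) and those are the next things to compare.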
Jediah L. - 11 Jul 2008 18:39 GMT
After a long and arduous attempt at getting these certificates working, we
have come to the conclusion that the current SQL Server Encryption solution
is not enterprise ready.

The current version has a lot more functionality than the previous - so
here's to hoping that 2008 will be better in this respect!

Thanks!

©2009 Advenet LLC   Privacy Policy - Terms of Use