Learning to configure SQL Server to use a self-signed SSL certificate was not really part of my training plan. However, Data Explorer required SSL encryption to connect to SQL Server. On the same day I managed to make it work, the DE team released an update that waives this requirement … *sigh* …
The steps described below are just for development and tests, to connect to a local instance of SQL Server. Best practices for SSL encryption and server security may look different.
Here is a summary of how I did it on my machine (SQL Server 2008 and 2012, Express editions too, on Windows 7 Ultimate).
Short version
To configure SQL Server to use a self-signed SSL certificate, you will have to:
- Create a self-signed certificate
- Set permissions for this certificate
- Configure SQL Server to use this certificate
Step 2 is the one I had the most problems with. The SQL Server log had entries like these:
- "The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid."
- "Unable to load user-specified certificate …"
- "… Unable to initialize SSL support. Cannot find object or property."
Solution: Grant SQL Server rights to read the private key for the certificate.
All steps are described below.
Create a certificate
With IIS
If you have IIS on your machine:
- Start IIS Manager
- Go to Server Certificates
- Right-click > Create Self-Signed Certificate
With makecert
The process as explained in SQL Server Books Online (BOL) uses the makecert command-line utility. Since I could not find makecert until after I had solved my problem, I did not follow BOL. You can find the tool here.
Set permissions for the certificate
Find the service account name for your SQL Server instance
- Start SQL Server Configuration Manager
- Go to SQL Server Services
- Select your instance
- Right-click > Properties
- Copy the account name; you will need it in the next steps
Launch the Certificates snap-in
One way to manage your certificates is to:
- Launch MMC (type mmc.exe in the Windows search bar)
- Go to File > Add/Remove Snap-in…
- Select Certificates (when prompted, choose Computer Account)
Grant SQL Server rights to read the private key for the certificate
- In MMC, go to Certificates (Local Computer) > Personal > Certificates
- The certificate should be listed there. (If you created the certificate using makecert, you may have to import it.)
- Right click > All Tasks > Manage Private Keys
- Add the service account for your instance of SQL Server
- Give the service account Read permissions
Configure SQL Server to use this certificate
- Start SQL Server Configuration Manager
- Go to SQL Server Network Configuration
- Select your instance
- Right-click > Properties > Certificate tab
- Choose the certificate you just created
- Restart the service
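The permission step above is the one that produces error 0x8009030d when it is missed, and it is easy to get wrong silently, so here is a PowerShell check for it. This is an added example, not code from the original post: it locates the certificate's private key file on disk, reports whether the SQL Server service account has Read access to it, and (with -Grant) adds the same Read permission that the MMC "Manage Private Keys" dialog sets. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated session, and that the thumbprint and service account placeholders are replaced with your own values.

```powershell
# Added example, not code from the original post. Checks (and optionally repairs) the
# step the post identifies as the usual cause of error 0x8009030d: the SQL Server
# service account lacking Read access to the certificate's private key file.
# Assumptions: Windows PowerShell 5.1 on .NET Framework 4.6+, run as Administrator;
# $Thumbprint and $ServiceAccount are placeholders you replace with your own values.
function Test-SqlServerCertificateKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,      # from the MMC Certificates snap-in
        [Parameter(Mandatory)] [string] $ServiceAccount,  # from SQL Server Configuration Manager
        [switch] $Grant                                   # add a Read ACE if it is missing
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; import it together with its key first."
    }
    # The private key is an NTFS file; where it lives depends on the key provider.
    # IIS and makecert produce legacy CSP keys (MachineKeys); newer tools produce CNG keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {
        $container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    }
    $acl      = Get-Acl -Path $keyFile
    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    # An Allow ACE for the service account whose rights include every bit of Read
    # (FullControl and ReadAndExecute both qualify). String -eq is case-insensitive,
    # so "NT Service\..." matches the "NT SERVICE\..." form shown by Get-Acl.
    $hasRead = [bool] ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    })
    if (-not $hasRead -and $Grant) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($ServiceAccount, $readMask, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        $hasRead = $true
    }
    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter     # SQL Server also rejects a certificate outside its validity period
        KeyFile        = $keyFile
        ServiceAccount = $ServiceAccount
        CanReadKey     = $hasRead
    }
}

# Usage (placeholders): report first; re-run with -Grant if CanReadKey is False, then restart SQL Server.
Test-SqlServerCertificateKeyAccess -Thumbprint '<THUMBPRINT>' -ServiceAccount 'NT Service\MSSQLSERVER'
```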
Conclusion
I tried to make this post as detailed as possible, but not too detailed. Any questions, suggestions, or corrections? Use the comments below.