-
While waiting for a proper answer, in the meantime you might be able to use a TLS initiator/terminator like hitch/stunnel etc. instead of relying on mssql's encryption capabilities
-
I don't think we support this legacy KeySpec option on X.509 certificates.
-
@datbq I'm not sure what the meaning of AT_KEYEXCHANGE is, but the key encipherment key usage can be added to any certificate using certificate templates. In fact, if you sign a certificate with an RSA key, key encipherment is always included using the default template:

```
{
	"subject": {{ toJson .Subject }},
	"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}
```
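An added example (not step-ca's own code and not from anyone in this thread) that checks the X.509 side of the quoted requirement on an issued certificate: RSA key, keyEncipherment key usage and serverAuth EKU, which is exactly what the default template above produces for RSA keys. KeySpec is a Windows key-container property rather than a certificate extension, so it cannot be checked from the certificate and is not checked here; the hostname and the self-signed certificate are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Problems returns the X.509 properties from the quoted MSSQL requirements
// (RSA key, keyEncipherment key usage, serverAuth EKU) that cert is missing.
func Problems(cert *x509.Certificate) []string {
	var out []string
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		out = append(out, "public key is not RSA")
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		out = append(out, "keyUsage lacks keyEncipherment")
	}
	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		out = append(out, "extKeyUsage lacks serverAuth")
	}
	return out
}

// ProblemsPEM runs Problems over the first CERTIFICATE block in a PEM file,
// e.g. the .crt written by `step ca certificate`.
func ProblemsPEM(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return Problems(cert), nil
}

// SelfSigned builds a constructed self-signed RSA certificate with the given
// key usage so the checks can be exercised offline (hostname is made up).
func SelfSigned(ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sql.example.test"},
		DNSNames:     []string{"sql.example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Same usage as the default template for RSA keys: no problems reported.
	ok, _ := SelfSigned(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment)
	fmt.Println("template-style cert:", Problems(ok))
	// digitalSignature only: the keyEncipherment gap is flagged.
	bad, _ := SelfSigned(x509.KeyUsageDigitalSignature)
	fmt.Println("signature-only cert:", Problems(bad))
}
```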
-
I'm working on setting up MSSQL Server with a certificate from step-ca, but from my research, the certificate's KeySpec must be AT_KEYEXCHANGE:
The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. This requires a legacy certificate. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
Link to the document for certificate requirements:
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver15#certificate-requirements
Please help me to verify this!