Encryption requested but no valid certificate was found. SQL Server terminating.

Details
Product: SQL Server
Event ID: 19015
Source: MSSQLServer
Version: 8.0
Component: SQL Engine
Message: Encryption requested but no valid certificate was found. SQL Server terminating.
   
Explanation
The Force protocol encryption option has been checked in the Server Network Utility for this SQL Server instance. This forces communication between all clients and this SQL Server instance to be encrypted through certificates. Therefore, if a certificate is not installed on the computer that is running SQL Server, or if SQL Server cannot validate that the certificate is appropriate for use with SSL-based encryption, SQL Server fails to start.
   
User Action
For a nonclustered instance of SQL Server, you can choose to turn off the Force protocol encryption option. This option is available in the Server Network Utility as a check box. Turning this option off means that connections will no longer be encrypted. However, turning this option off is not possible for a clustered instance of SQL Server because once you have enabled server-side protocol encryption, you cannot turn it off. For more information about the Force protocol encryption option on a clustered instance, see Microsoft Knowledge Base article 319349.

If you choose to use the Force protocol encryption option, you must ensure that the SQL Server instance has an available, properly configured certificate. For more information about how SQL Server uses a certificate when the Force protocol encryption option is on, see Microsoft Knowledge Base article 318605.

  • By default, SQL Server will look for a certificate issued to the fully qualified domain name of the server or virtual server on which the instance is installed. On a cluster, the certificate must exist on all nodes of the cluster. The registry key HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib (or the equivalent for a named instance) can be used to point to a certificate with a different name. The name of the key should be “Certificate” and it must be of type REG_BINARY. The setcert.exe utiltiy from the SQL Server 2000 Resource Kit can be used to set this value.
  • The certificate must exist in the Certificates\Current User Personal Certificates folder or the Certificates\Local Computer Personal Certificates folder. The SQL Server service account must have permission to access the certificate.
  • Verify that the certificate was originally issued for “server authentication” as this is the only type of certificate that SQL Server can use. To verify that the certificate is used for server authentication, use the Microsoft Management Console (MMC) Certificate snap-in. Double-click the certificate name, and then select Details. Click the Enhanced Key Usage property, and then verify that the value is:
    Server Authentication(1.3.6.1.5.5.7.3.1). There must also be a valid private key listed in the certificate properties.
  • Check the event logs for messages that indicate the certificate has expired or is otherwise unusable or inaccessible.
  • Verify that the account used to start the SQL Server service has access to the Certificate server so that it can validate the certificate.
  • Verify that the server date and time are set correctly to avoid problems with certificates that appear to be expired.

Related:

Leave a Reply