Certificate Management (SQL Server Configuration Manager)

Applies to: SQL Server - Windows only

This article describes how to deploy and manage certificates across your SQL Server Always On Failover Cluster Instance (FCI) or Availability Group (AG) topology.

SSL/TLS certificates are widely used to secure access to SQL Server. With earlier versions of SQL Server, organizations with large SQL Server estates had to spend considerable effort to maintain their SQL Server certificate infrastructure, often through developing scripts and running manual commands.

With SQL Server 2019 (15.x) and later versions, certificate management is integrated into the SQL Server Configuration Manager, which simplifies the following common tasks:

  • View and validate certificates installed in a SQL Server instance.
  • Identify which certificates may be close to expiring.
  • Deploy certificates across AG machines from the node holding the primary replica.
  • Deploy certificates across FCI machines from the active node.

Note

You can use certificate management in SQL Server Configuration Manager with earlier versions of SQL Server, starting with SQL Server 2008 (10.0.x).

Install a certificate for a single SQL Server instance

  1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration.

  2. Right-click Protocols for <instance Name>, and then select Properties.

  3. Choose the Certificate tab, and then select Import.

  4. Select Browse and then select the certificate file.

  5. Select Next to validate the certificate. If there are no errors, select Next to import the certificate to the local instance.

To apply a certificate to the instance:

  1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration.

  2. Right-click Protocols for <instance Name>, and then select Properties.

  3. Select a certificate from the Certificate dropdown list, and then select Apply.

  4. Select OK.

Install a certificate in a failover cluster instance configuration

  1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration.

  2. Right-click Protocols for <instance Name>, and then choose Properties.

  3. Choose the Certificate tab, and then select Import.

  4. Select the certificate type, and whether to import for the current node only, or for each individual cluster node.

  5. If installing for a single node, choose Browse and select the certificate file. Then skip to step 8.

  6. If installing a certificate for each node, select Next to list possible owner nodes. Possible owners for the current FCI are preselected.

  7. Choose Next to select the certificate to be imported.

  8. Enter the password when prompted. Look for any warnings or errors after validation.

  9. Select Next to import the selected certificates.

Note

Complete these steps on the active node of the FCI. The user must have administrator permissions on all the cluster nodes.

Install a certificate in an availability group configuration

  1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration.

  2. Right-click Protocols for <instance Name>, and then select Properties.

  3. Choose the Certificate tab, and then select Import.

  4. Choose the certificate type and select Next to select from the list of known AGs.

  5. Select Next to choose certificates for each replica node. Each certificate file should have a file name that matches the NetBIOS name of its node.

  6. Select Next to import the certificate on each node.

Note

Complete these steps from the node holding the AG primary replica. The user must have administrator permissions on all the cluster nodes.
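
The following PowerShell pre-flight check is an added example, not part of the original article or of SQL Server Configuration Manager. Before running the availability group import, it confirms that each replica node has a certificate file named after its NetBIOS name and flags files that are expired or close to expiring. The function name `Test-ReplicaCertificateFile`, the 30-day threshold, the node names, the temp folder, and the choice to ignore the file extension when matching names are all assumptions.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (added example): one result row per replica node.
function Test-ReplicaCertificateFile {
    param(
        [Parameter(Mandatory)] [string]   $Folder,       # folder with one certificate file per replica
        [Parameter(Mandatory)] [string[]] $ReplicaNode,  # NetBIOS names of the replica nodes
        [int] $WarnDays = 30,                            # assumed threshold for "close to expiring"
        [securestring] $Password                         # only for password-protected .pfx files
    )
    foreach ($node in $ReplicaNode) {
        # File name must match the node's NetBIOS name (extension ignored; -eq is case-insensitive).
        $file = Get-ChildItem -Path $Folder -File |
            Where-Object { $_.BaseName -eq $node } | Select-Object -First 1
        $row = [ordered]@{ Node = $node; File = $null; NotAfter = $null; DaysLeft = $null; Status = 'MissingFile' }
        if ($file) {
            $row.File = $file.Name
            try {
                $cert = if ($Password) { [X509Certificate2]::new($file.FullName, $Password) }
                        else           { [X509Certificate2]::new($file.FullName) }
                $row.NotAfter = $cert.NotAfter
                $row.DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                $row.Status   = if ($row.DaysLeft -lt 0) { 'Expired' }
                                elseif ($row.DaysLeft -le $WarnDays) { 'ExpiringSoon' }
                                else { 'OK' }
            } catch {
                $row.Status = 'Unreadable'   # wrong password, corrupt file, or not a certificate
            }
        }
        [pscustomobject]$row
    }
}

# Constructed sample: two self-signed certificates in a temp folder; SQLNODE3 has no file.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'ag-cert-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
foreach ($s in @{ Name = 'SQLNODE1'; Days = 365 }, @{ Name = 'SQLNODE2'; Days = 10 }) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$($s.Name)", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $c = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays($s.Days))
    [IO.File]::WriteAllBytes((Join-Path $dir "$($s.Name).cer"), $c.Export('Cert'))
}
Test-ReplicaCertificateFile -Folder $dir -ReplicaNode 'SQLNODE1', 'SQLNODE2', 'SQLNODE3' | Format-Table
```

The check only reads files in the folder you point it at; it does not touch any certificate store or SQL Server instance.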
