SQL Server Certificates and Asymmetric Keys

APPLIES TO: SQL Server, Azure SQL Database, Azure Synapse Analytics (SQL DW), Parallel Data Warehouse

Public key cryptography is a form of message secrecy in which a user creates a public key and a private key. The private key is kept secret, whereas the public key can be distributed to others. Although the keys are mathematically related, the private key cannot be easily derived from the public key. The public key can be used to encrypt data that only the corresponding private key will be able to decrypt. This can be used for encrypting messages to the owner of the private key. Similarly, the owner of a private key can encrypt data that can only be decrypted with the public key. This use forms the basis of digital certificates, in which information contained in the certificate is encrypted by the owner of a private key, attesting to the author of the contents. Since the encrypting and decrypting keys are different, they are known as asymmetric keys.

Certificates and asymmetric keys are both ways to use asymmetric encryption. Certificates are often used as containers for asymmetric keys because they can contain more information, such as expiry dates and issuers. There is no difference between the two mechanisms in the cryptographic algorithm, and no difference in strength given the same key length. Generally, you use a certificate to encrypt other types of encryption keys in a database, or to sign code modules.

Certificates and asymmetric keys can decrypt data that the other encrypts. Generally, you use asymmetric encryption to encrypt a symmetric key for storage in a database.

A public key does not have a particular format like a certificate would have, and you cannot export it to a file.

Note

SQL Server contains features that enable you to create and manage certificates and keys for use with the server and database. SQL Server cannot be used to create and manage certificates and keys for other applications or for the operating system.

Certificates

A certificate is a digitally signed security object that contains a public (and optionally a private) key for SQL Server. You can use externally generated certificates, or SQL Server can generate certificates.

Note

SQL Server certificates comply with the IETF X.509v3 certificate standard.

Certificates are useful because of the option of both exporting and importing keys to and from X.509 certificate files. The syntax for creating certificates allows creation options, such as an expiry date.
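The following Transact-SQL is an added example (not part of this page) that puts the pieces described above together on an on-premises SQL Server: a certificate created with an expiry date protects an AES symmetric key, the symmetric key encrypts a value bound to its row, and the certificate is then backed up to X.509 files. The database name, object names, passwords and file paths are placeholders; BACKUP CERTIFICATE to a file is assumed to be available (it is not in Azure SQL Database).

```sql
-- Added example: a certificate-protected symmetric key in SQL Server.
-- Names, passwords and file paths are placeholders; replace them before use.
USE MyDatabase;
GO
-- The database master key protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- A certificate can carry an expiry date; a bare asymmetric key cannot.
CREATE CERTIFICATE KeyWrapCert
    WITH SUBJECT = 'Wraps the data-encryption symmetric key',
    EXPIRY_DATE = '20301231';
GO
-- Asymmetric encryption (the certificate) protects the symmetric key at rest.
CREATE SYMMETRIC KEY DataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE KeyWrapCert;
GO
-- Encrypt and decrypt a constructed sample value. The authenticator binds the
-- ciphertext to a row id, so DecryptByKey returns NULL if the ciphertext is
-- copied to another row or the authenticator is omitted.
OPEN SYMMETRIC KEY DataKey DECRYPTION BY CERTIFICATE KeyWrapCert;
DECLARE @rowid int = 42;
DECLARE @secret nvarchar(50) = N'constructed sample value';
DECLARE @auth varbinary(32) = HashBytes('SHA2_256', CONVERT(varbinary(4), @rowid));
DECLARE @ct varbinary(256) = EncryptByKey(Key_GUID('DataKey'), @secret, 1, @auth);
SELECT CONVERT(nvarchar(50), DecryptByKey(@ct, 1, @auth)) AS same_row,
       DecryptByKey(@ct, 1, HashBytes('SHA2_256', CONVERT(varbinary(4), 43))) AS other_row;
CLOSE SYMMETRIC KEY DataKey;
GO
-- Unlike an asymmetric key, a certificate can be exported to X.509 files.
BACKUP CERTIFICATE KeyWrapCert
    TO FILE = 'C:\backup\KeyWrapCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\backup\KeyWrapCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Inventory check: expiry, how each private key is protected, last backup.
SELECT name, expiry_date, pvt_key_encryption_type_desc, pvt_key_last_backup_date
FROM sys.certificates;
```

Store the exported .pvk file and its password separately from the database backups; anyone holding both can decrypt every key the certificate wraps.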

Using a Certificate in SQL Server

Certificates can be used to help secure connections, in database mirroring, to sign packages and other objects, or to encrypt data or connections. The following table lists additional resources for certificates in SQL Server.

Topic | Description
CREATE CERTIFICATE (Transact-SQL) | Explains the command for creating certificates.
Identify the Source of Packages with Digital Signatures | Shows how to use certificates to sign software packages.
Use Certificates for a Database Mirroring Endpoint (Transact-SQL) | Covers how to use certificates with database mirroring.

Asymmetric Keys

Asymmetric keys are used for securing symmetric keys. They can also be used for limited data encryption and to digitally sign database objects. An asymmetric key consists of a private key and a corresponding public key. For more information about asymmetric keys, see CREATE ASYMMETRIC KEY (Transact-SQL).

Asymmetric keys can be imported from strong name key files, but they cannot be exported. They also do not have expiry options. Asymmetric keys cannot encrypt connections.

Using an Asymmetric Key in SQL Server

Asymmetric keys can be used to help secure data or to sign plaintext. The following table lists additional resources for asymmetric keys in SQL Server.

Topic | Description
CREATE ASYMMETRIC KEY (Transact-SQL) | Explains the command for creating asymmetric keys.
SIGNBYASYMKEY (Transact-SQL) | Displays the options for signing objects.
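As an added example that is not part of this page, the following Transact-SQL shows the signing use of an asymmetric key: an RSA key pair whose private half is protected by a password (with the strong name file import as an alternative), a signature over a constructed plaintext, verification using only the public half, and the catalog view that exposes the key's metadata. The database name, key name, password and .snk path are placeholders.

```sql
-- Added example: signing and verifying plaintext with an asymmetric key.
-- Names, passwords and the .snk path are placeholders; replace them before use.
USE MyDatabase;
GO
-- Let SQL Server generate the RSA key pair; the private key is password protected.
CREATE ASYMMETRIC KEY ReleaseSigningKey
    WITH ALGORITHM = RSA_2048
    ENCRYPTION BY PASSWORD = '<strong key password>';
GO
-- Alternative (commented out because the file is assumed): import the pair
-- from a strong name key file produced by sn.
-- CREATE ASYMMETRIC KEY ReleaseSigningKey
--     FROM FILE = 'C:\keys\release.snk'
--     ENCRYPTION BY PASSWORD = '<strong key password>';
GO
-- Sign a constructed sample document. Signing needs the private key, so the
-- password is supplied; SignByAsymKey accepts plaintext of up to 8000 bytes.
DECLARE @doc nvarchar(2000) = N'build=1234;artifact_sha256=<constructed digest>';
DECLARE @sig varbinary(8000) =
    SignByAsymKey(AsymKey_ID('ReleaseSigningKey'), @doc, N'<strong key password>');
-- Verification uses only the public key (no password) and returns 1 for a
-- valid signature over the exact plaintext, 0 once the plaintext is altered.
SELECT VerifySignedByAsymKey(AsymKey_ID('ReleaseSigningKey'), @doc, @sig) AS intact,
       VerifySignedByAsymKey(AsymKey_ID('ReleaseSigningKey'), @doc + N' ', @sig) AS tampered;
GO
-- The private key cannot be exported; the catalog shows algorithm, length and
-- how the private key is protected, which is what an audit needs.
SELECT name, algorithm_desc, key_length, pvt_key_encryption_type_desc
FROM sys.asymmetric_keys;
```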

Tools

Microsoft provides tools and utilities that generate certificates and strong name key files. These tools offer more flexibility in the key generation process than the SQL Server syntax. You can use these tools to create RSA keys with more complex key lengths and then import them into SQL Server. The following table shows where to find these tools.

Tool | Purpose
makecert | Creates certificates.
sn | Creates strong names for symmetric keys.

Choose an Encryption Algorithm

CREATE SYMMETRIC KEY (Transact-SQL)

CREATE CERTIFICATE (Transact-SQL)

See Also

sys.certificates (Transact-SQL)
Transparent Data Encryption (TDE)