Introduction

Certificate Management in SQL Server 2019 has been enhanced a lot when compared with previous versions of SQL Server, and it is part of a large set of new features and enhancements in SQL Server 2019. The most significant enhancement is that it now allows you to directly import SSL/TLS certificates into SQL Server, thus simplifying the entire process a lot.

Before going into detail and seeing how we can use the enhanced certificate management in SQL Server 2019, let’s first talk a bit about SSL/TLS certificates and discuss how SSL/TLS certificates were imported in previous versions of SQL Server in order to encrypt connections to SQL Server.

SQL Server can use an SSL/TLS certificate to encrypt the communication channel between a SQL Server instance and its client connections. You can either “force encryption” for all connections, or leave it up to each client (i.e. application) to decide whether encryption should be used.

In the screenshot below, you can see the “Force Encryption” option:

Personally, I would recommend that when you set up SSL/TLS encryption for your SQL Server instance, you set “Force Encryption” to “Yes” so that SQL Server does not accept unencrypted connections. This of course assumes that, before applying the certificate and setting this flag to “Yes”, you have extensively tested all applications/clients that connect to your SQL Server instance and verified that they can connect over the encrypted channel without any issues.

Certificate Management up to SQL Server 2017

When deploying SQL Server, there are three deployment options. You can either:

  • Set up a standalone SQL Server machine
  • Set up a SQL Server Failover Cluster Instance (FCI)
  • Set up a SQL Server Always On Availability Groups deployment over at least two machines

Up to SQL Server 2017, in order for an SSL/TLS certificate to be “visible” to SQL Server, the general idea was to import it into the Windows Local Computer certificate store (Console Root\Certificates (Local Computer)\Personal\Certificates) and perform some additional steps.

Below, you can learn more about the procedure that was followed up to SQL Server 2017.

Certificate Management in Standalone SQL Server 2017 Machines

In the case of standalone SQL Server machines, the procedure was:

  1. Import the certificate in Windows for Local Computer
  2. Set Full-Control permissions on the certificate for the SQL Server service account
  3. Select the certificate from within SQL Server Configuration Manager and set the “Force Encryption” flag
  4. Restart SQL Server

Certificate Management in SQL Server 2017 Failover Cluster Instances

In the case of SQL Server Failover Cluster instances, the procedure was a little more complex and involved additional steps. This is what you needed to do on every participating Failover Cluster node in order to enable the SSL/TLS certificate:

  1. Import the certificate in Windows for Local Computer
  2. Set Full-Control permissions on the certificate for the SQL Server service account
  3. Get the certificate’s “clean” thumbprint: remove the first character if it is a question mark (?) and remove all spaces (paste the original value into a text file and re-open it to find these characters)
  4. Edit the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\[*Instance ID]\MSSQLServer\SuperSocketNetLib) and, in the “Certificate” value, enter the “clean” thumbprint acquired in the previous step
  5. Select the certificate from within SQL Server Configuration Manager and set the “Force Encryption” flag
  6. Restart SQL Server
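Steps 2 to 4 of the pre-2019 cluster procedure are the error-prone part (the invisible leading character in the copied thumbprint is a classic cause of a failed startup), so they can be scripted and checked instead of typed by hand. The PowerShell below is an added example, not code from the original article; the certificate subject, the instance ID (the article’s “[*Instance ID]”) and the service account name are placeholders, and it must be run elevated on each cluster node.

```powershell
# Added example (not from the original article): scripts steps 2-4 of the
# pre-2019 Failover Cluster procedure on ONE node. Run elevated on every node.
# Placeholder values (assumptions): adjust subject, instance ID and account.
$Subject        = 'CN=sql2k17-fci.corp.example'   # certificate imported in step 1
$InstanceId     = 'MSSQL14.SQL2K17'               # the article's [*Instance ID]
$ServiceAccount = 'NT Service\MSSQL$SQL2K17'      # SQL Server service account

# Step 3: a thumbprint copied from the certificate dialog may carry an invisible
# byte-order mark (shown as "?" in a text file) plus spaces. Keep hex digits only
# and insist on the 40 characters of a SHA-1 thumbprint.
function Get-CleanThumbprint([string]$RawThumbprint) {
    $clean = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected a 40-hex-digit thumbprint, got '$clean'" }
    return $clean
}

# Locate the certificate in Local Computer \ Personal; it must have a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject" }

# Step 2: give the service account access to the private key file. The article
# uses Full Control; Read is the minimum the service needs to use the key.
# Legacy CSP keys and CNG keys are stored in different folders under ProgramData.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Certificate does not carry an RSA private key' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Step 4: write the clean thumbprint where the SQL Server network library reads it.
$regPath    = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
$thumbprint = Get-CleanThumbprint $cert.Thumbprint
Set-ItemProperty -Path $regPath -Name 'Certificate' -Value $thumbprint

# Read the value back so a stray character is caught before the restart, not after.
$stored = (Get-ItemProperty -Path $regPath -Name 'Certificate').Certificate
if ($stored -ne $thumbprint) { throw "Registry value '$stored' does not match '$thumbprint'" }
Write-Host "Certificate $thumbprint registered for $InstanceId; restart the instance to apply it."
```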

Certificate Management in SQL Server 2017 Always On Availability Groups-enabled Instances

In the case of SQL Server Always On Availability Groups-enabled instances, the procedure was very similar to the one for standalone servers, with the only difference that you would perform the procedure on all servers/replicas participating in the Availability Group(s):

  1. Import the certificate in Windows for Local Computer
  2. Set Full-Control permissions on the certificate for the SQL Server service account
  3. Select the certificate from within SQL Server Configuration Manager and set the “Force Encryption” flag
  4. Restart SQL Server

Enhanced Certificate Management in SQL Server 2019

In SQL Server 2019, the whole process of enabling secure communication to the SQL Server Database Engine with SSL/TLS certificates has been significantly enhanced and simplified. More specifically, certificate management has been integrated into SQL Server 2019 Configuration Manager.

To this end, SQL Server 2019 Configuration Manager now allows you to easily perform the following tasks:

  • Directly import an SSL/TLS certificate into SQL Server
  • View and validate certificates installed in a SQL Server instance
  • Identify which certificates may be close to expiring
  • Deploy certificates across Availability Group machines from the node holding the primary replica
  • Deploy certificates across the machines participating in a Failover Cluster instance from the active node

With the two screenshots below, we can compare Configuration Manager in SQL Server 2017 vs 2019:

On the left is the SQL Server protocol properties dialog in SQL Server 2017 Configuration Manager. On the right is the SQL Server protocol properties dialog in SQL Server 2019 Configuration Manager.

As you can see, the main difference between the two dialogs is that the SQL Server 2019 Configuration Manager now has an “Import” button in the “Certificates” tab. The functionality behind this button is what actually offers an enhanced Certificate Management in SQL Server 2019.

Importing an SSL/TLS Certificate Using SQL Server 2019 Configuration Manager

In the below example, we will see how it is possible to import an SSL/TLS certificate on a standalone SQL Server machine, using the enhanced Certificate Management in SQL Server 2019.

The first step is to launch SQL Server 2019 Configuration Manager, right-click on our SQL Server instance, in this example “SQL2K19”, and select “Properties”.

Next, we are presented with the “Protocols for <instance name> Properties” dialog. In order to proceed with importing the certificate, we need to click on the “Import” button in the “Certificates” tab. After clicking on the “Import” button, we are presented with the certificate selection dialog:

On the certificate selection dialog, we are presented with two options. We can either import a PFX certificate or a PEM certificate. In this example, we are importing a password-protected PFX certificate.

After entering the password for the certificate, we are presented with a summary of our options for the specific certificate and, if all is good, we click on the “Next” button.

At this point, the certificate import wizard also reminds us that we will need to restart the SQL Server instance in order for the changes to take effect.

Last, we are presented with a summary of the certificate import process in terms of actions performed.

After we stop and start the SQL Server instance again, in Configuration Manager we can right-click on our SQL Server instance name, in this example “SQL2K19”, select “Properties” and, in the “Certificate” tab, see that our certificate has been successfully imported.

Moreover, if we click on the “View” button, we can see all the details for the specific certificate, such as: Subject Alternative Name (SAN), Friendly Name, Thumbprint, and more.

OK, now that we see that our certificate has been successfully imported, it is time to decide whether all connections to our SQL Server instance will be forced to be encrypted or not. In this example, I want all connections to be encrypted, therefore, I’m setting the “Force Encryption” flag to “Yes”. However, since I changed the value of this flag from “No” to “Yes”, once more, I need to restart the SQL Server instance, in order for changes to take effect.

The last step is to confirm that the SSL/TLS certificate imported into our SQL Server instance, using the new Certificate Management in SQL Server 2019, is successfully loaded when our SQL Server instance starts.

You can easily find this information by checking out SQL Server’s log right after the instance’s restart. In the below log, you can see that the certificate was successfully loaded for encryption:
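Reading the log by hand confirms the startup message once; the check below does the same thing repeatably and also covers the “extensively tested all applications/clients” advice from the introduction, by opening a connection that insists on TLS and asking the server what it negotiated. It is an added PowerShell example, not from the original article; the server name and expected thumbprint are placeholders, it uses Windows authentication, and reading the error log through xp_readerrorlog assumes a login with the rights to do so.

```powershell
# Added example (not from the original article): after the restart, verify that
# (1) a client session is really encrypted and (2) the instance loaded the
# imported certificate rather than its self-generated fallback.
# Placeholder assumptions: server name, expected thumbprint, Windows authentication.
$Server             = 'sql2k19.corp.example\SQL2K19'
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # value from the "Certificate" tab

Add-Type -AssemblyName System.Data
# Encrypt=True requests TLS; TrustServerCertificate=False makes the client validate
# the chain and host name, so a wrong or self-signed certificate fails closed here.
$cs   = "Server=$Server;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
try {
    # 1) What the server reports about THIS session's transport.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT encrypt_option, protocol_version, net_transport " +
                       "FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $encrypted = ([string]$r['encrypt_option'] -eq 'TRUE')
    Write-Host ("Session: encrypt_option={0} transport={1}" -f $r['encrypt_option'], $r['net_transport'])
    $r.Close()
    if (-not $encrypted) { throw 'Session is NOT encrypted; check Force Encryption and the client settings' }

    # 2) What the current error log says about the certificate loaded at startup.
    #    xp_readerrorlog arguments: 0 = current log, 1 = SQL Server log, then a search string.
    $cmd.CommandText = "EXEC xp_readerrorlog 0, 1, N'loaded for encryption'"
    $r = $cmd.ExecuteReader()
    $lines = @()
    while ($r.Read()) { $lines += [string]$r['Text'] }
    $r.Close()
    if (-not $lines) { throw 'No certificate load message found in the current error log' }
    # "self-generated" means SQL Server could not use the imported certificate and
    # fell back to one it created itself, which clients cannot validate.
    if ($lines -match 'self-generated') { throw "Instance fell back to a self-generated certificate: $($lines -join '; ')" }
    $loaded = $lines | Where-Object { $_ -match $ExpectedThumbprint }
    if (-not $loaded) { throw "Expected thumbprint not in log: $($lines -join '; ')" }
    Write-Host "OK: $loaded"
} finally {
    $conn.Close()
}
```

Run it from a machine other than the server as well, since that is where chain and host-name validation against the SAN actually matters.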

Certificate Management in SQL Server Failover Cluster Instances

The example above described how you can import an SSL/TLS certificate into a SQL Server instance using SQL Server 2019 Configuration Manager.

In order to import the certificate on a SQL Server Failover Cluster instance, the procedure is quite similar to the above, with the only difference that you are presented with the list of nodes, and you can choose whether you are importing the certificate just for the current node, or for each individual cluster node.

Moreover, note that the above steps must be taken on the active cluster node. Also, users must have administrative access on all nodes.

Certificate Management in SQL Server Always On Availability Groups-enabled Instances

Regarding the scenario where you are importing an SSL/TLS certificate into a SQL Server Always On Availability Group-enabled instance, the process is again quite similar to the one for a standalone SQL Server machine, with the only difference that after choosing the certificate type to import, you are presented with the list of known Availability Groups for the SQL Server instance, and you can choose certificates for each replica node.

For this scenario, note that certificates should have a file name that matches the NetBIOS name of the nodes.

Moreover, note that the above steps must be taken on the node that holds the Availability Group primary replica. Also, users must have administrative access on all nodes.

Conclusion

Certificate Management in SQL Server 2019 is significantly enhanced when compared to previous versions of SQL Server.

With SQL Server 2019 Configuration Manager, you can now import SSL/TLS certificates directly into SQL Server, even for lower versions of SQL Server, starting with SQL Server 2008, without having to work with registry settings (like in the case of failover clusters) and any other actions that might seem complex for many users.

SQL Server 2019 is full of exciting new features and enhancements, and certificate management is one of those enhancements. I have an online course on Udemy titled “SQL Server 2019: What’s New” you might want to check, in order not only to learn more about SQL Server 2019, but also see live demonstrations for many of those interesting new features and enhancements.

Translated from: https://www.sqlshack.com/certificate-management-in-sql-server-2019/