3/24/2014 9:29:30 AM
As of 8.5000, SSL is now supported with Always On connections. I tested this and it works as expected. Not like everything is already encrypted a few times already... but... if you want it... it works.
You have to generate a certificate with the Listener FQDN as the Subject, and subject alternative names including each server FQDN in the group as well as the listener FQDN. http://technet.microsoft.com/en-us/library/hh213417.aspx#SSLcertificates
If you use a Microsoft CA, see here for sample request file and certreq syntax -> http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx
Once you have your cert, it needs to be in the local machine store of each SQL server. Open SQL Server Configuration Manager and then the properties for Protocols for MSSQLSERVER under the Network Configuration area. Under General, set Force Encryption to Yes (if desired).
Get the certificate thumbprint, without spaces. The easiest thing to do is certutil -store My >sqlcert.txt and remove all of the spaces from the CertHash line. Paste this thumbprint into this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQLServer\SuperSocketNetLib\Certificate
Restart SQL services. You will never see the certificate from the Configuration Manager GUI, that's expected. When you start SQL, if the certificate is loaded properly, you'll see Event 26013 with this text: The certificate [Cert Hash(sha1) "abc123"] was successfully loaded for encryption.
Run the Secret Server installer and tick the box for SSL under database connection.
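The procedure above (request a cert with the listener FQDN as Subject and every replica in the SAN, put the spaceless thumbprint in the SuperSocketNetLib\Certificate value, restart, confirm Event 26013) as a PowerShell script. This is an added example, not code from the original post or from Thycotic. It assumes a SQL Server 2012 default instance (so the MSSQL11.MSSQLSERVER registry path and the MSSQLSERVER event source), an elevated prompt on each replica, and the hypothetical names sqlag.corp.example / sql1.corp.example / sql2.corp.example; the New-SqlCertRequestInf helper only writes the certreq request file, you still run certreq -new / -submit / -accept against your CA yourself.

```powershell
<#  Added example, not from the original post. Assumptions: SQL 2012 default
    instance, cert already in LocalMachine\My with a private key after certreq,
    run elevated on every replica in the availability group.                    #>
param(
    [string]   $ListenerFqdn = 'sqlag.corp.example',                       # hypothetical listener
    [string[]] $ReplicaFqdns = @('sql1.corp.example', 'sql2.corp.example'), # hypothetical replicas
    [string]   $InstanceKey  = 'MSSQL11.MSSQLSERVER',                      # SQL 2012 default instance
    [string]   $ServiceName  = 'MSSQLSERVER',                              # also the event log source
    [switch]   $ForceEncryption
)

# Step 1: build a certreq .inf with the listener as Subject and listener + every
# replica as dNSName SAN entries. KeySpec=1 (AT_KEYEXCHANGE) is required by SQL Server.
function New-SqlCertRequestInf([string]$Listener, [string[]]$Replicas, [string]$Path) {
    $sanLines = @($Listener) + $Replicas | ForEach-Object { "_continue_ = `"dns=$_&`"" }
    @"
[NewRequest]
Subject = "CN=$Listener"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")
"@ | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

$inf = New-SqlCertRequestInf -Listener $ListenerFqdn -Replicas $ReplicaFqdns -Path "$env:TEMP\sqlag.inf"
Write-Host "Request file written to $inf (then: certreq -new $inf sqlag.req; -submit; -accept)"

# Step 2: locate the installed cert by Subject and make sure it has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ListenerFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No cert with Subject CN=$ListenerFqdn and a private key in LocalMachine\My" }

# Step 3: verify the SAN extension (OID 2.5.29.17) lists the listener and all replicas.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in @($ListenerFqdn) + $ReplicaFqdns) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        throw "Cert $($cert.Thumbprint) is missing SAN entry for $name"
    }
}

# Step 4: write the spaceless thumbprint to SuperSocketNetLib\Certificate
# (the GUI will not show it, which matches the post) and optionally force encryption.
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
$thumb   = ($cert.Thumbprint -replace '\s', '').ToLower()
Set-ItemProperty -Path $regPath -Name 'Certificate' -Value $thumb -Type String
if ($ForceEncryption) { Set-ItemProperty -Path $regPath -Name 'ForceEncryption' -Value 1 -Type DWord }

# Step 5: restart SQL (and dependents such as SQL Agent) and look for Event 26013
# carrying this thumbprint; -match is case-insensitive so hash casing does not matter.
$since = Get-Date
Restart-Service -Name $ServiceName -Force
Start-Sleep -Seconds 15
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $ServiceName;
                                         Id = 26013; StartTime = $since } -ErrorAction SilentlyContinue
if ($evt -and ($evt.Message -match $thumb)) {
    Write-Host "OK: certificate $thumb loaded for encryption (Event 26013)"
} else {
    Write-Warning "Event 26013 for $thumb not found; check the SQL error log before enabling SSL in Secret Server"
}
```

Run it once per replica; the SAN check is the part that usually catches a bad request, because a cert that is valid for the listener but not for the replica name will load (Event 26013 still fires) and then fail TLS validation from the client when a failover lands on that node.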