Multiple SSL certs on one server for encryption of SQL data in motion

Cooper, David A. [ISS] (Contractor) 111 Reputation points
2024-08-15T14:25:57.6166667+00:00

I have a 3-node Always On cluster with 10 instances on each cluster node. Each instance has two AGs, each of those with its listener, thus 20 listeners. I installed on each cluster node an SSL cert provided by my organization -- I think Microsoft CA. Each cert has the FQDN common name which matches the hostname of the node that it is installed on. Each cert also has 20 subject alternate names to cover each of the 20 listeners. Now I added two new SQL instances on each node. Can I install a new SSL cert which has the same common name as the already existing cert, but includes only the new listener names (as SANs) found on the new SQL instances? I.e., end up with two certs which have the same common name but different SANs? Or do I need to provision a new cert to replace the existing one? In that case, the new cert would include all the SANs (20 existing plus the new SANs).


Accepted answer
    Anonymous
    2024-08-16T06:40:54.9366667+00:00

    Hi @Cooper, David A. [ISS] (Contractor),

    Thanks for reaching out and welcome to Microsoft Q&A!

    Can I install a new SSL cert which has the same common name as the already existing cert, but includes only the new listener names (as SANs) found on the new SQL instances?

    For an AG you need to Force Protocol Encryption on each instance participating in the AG. AG clients can connect to the AG Listener, and they can connect to the instances directly. So, you have to configure the certificates accordingly.

    You could enable SSL on each replica as per normal, but the certificate you provision should have a CN that matches the Listener name that you're connecting to.

    Please refer to these two official documents; I hope they help.

    https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-2017#certificate-requirements

    https://learn.microsoft.com/en-us/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover?view=sql-server-ver16#SSLcertificates

    Feel free to share your issues here if you have any concerns. Please let me know in time if I have any mistakes in understanding! Thanks for your understanding. Your time and cooperation are much valued by us. We are looking forward to hearing from you to assist further.

    Best regards,

    Lucy Chen


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our Documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    https://docs.microsoft.com/en-us/answers/support/email-notifications

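As an added example (not code from the question or the answer above), the check below takes the names a certificate can vouch for (its subject CN plus DNS SANs) and the names clients will actually connect to (node FQDN plus every listener FQDN) and lists the names the certificate does not cover, which is the practical way to decide whether an existing node cert must be re-issued with more SANs. It assumes the client stack matches names the way RFC 6125 TLS clients do (case-insensitive, wildcard only in the leftmost label, CN consulted only when there are no DNS SANs); all hostnames are constructed sample values.

```python
# Added example: report which required hostnames a certificate does NOT cover.
# Matching rules assumed (RFC 6125 style): case-insensitive exact match on a
# DNS SAN, a leftmost '*' matching exactly one label, and the subject CN used
# only when the certificate carries no DNS SANs at all.

def _label_match(pattern: str, name: str) -> bool:
    """Match one presented identifier (SAN or CN) against one hostname."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        # '*' stands for exactly one label; every remaining label must be equal
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False

def uncovered_names(cn: str, dns_sans: list[str], required: list[str]) -> list[str]:
    """Return the required names that no identifier in the certificate matches."""
    # Clients ignore the CN once a DNS SAN is present, so the CN is only a
    # fallback for a SAN-less certificate.
    identifiers = dns_sans if dns_sans else [cn]
    return [n for n in required
            if not any(_label_match(i, n) for i in identifiers)]

# Constructed sample: one node cert with the node FQDN as CN and the 20
# listeners it was issued for as SANs, then two listeners added afterwards.
NODE_CN = "sqlnode1.corp.example.com"
EXISTING_SANS = [NODE_CN] + [f"ag{i}-lsn.corp.example.com" for i in range(1, 21)]
NEW_LISTENERS = ["ag21-lsn.corp.example.com", "ag22-lsn.corp.example.com"]

def listeners_missing_from_existing_cert() -> list[str]:
    """Names clients will use that the existing cert cannot vouch for."""
    required = [NODE_CN] + EXISTING_SANS[1:] + NEW_LISTENERS
    return uncovered_names(NODE_CN, EXISTING_SANS, required)

if __name__ == "__main__":
    for name in listeners_missing_from_existing_cert():
        print(f"not covered by the existing certificate: {name}")
```

Running it against the sample data prints the two new listener names; an empty result means the certificate already covers every name, a non-empty one means a re-issued certificate (or a separate one that matches those names) is needed.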
