I have been trying for weeks to use an external certificate file to create a certificate for TDE encryption on a SQL Server 2019 instance. As this is for a government client, the certificate has to be issued by a trusted government authority. I cannot use makecert, and I cannot have SQL create a self-signed certificate. I also cannot install and use the Microsoft PVKConverter software, as it is not certified for use on our equipment.
I am getting the following error:
Msg 15208, Level 16, State 10, Line 24
The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.
Yes, the service accounts have access to the folder and the files. All the files are there in correct paths with the names spelled correctly. I've also tried the following:
- Created the pvk from the pfx file using openssl:
openssl pkcs12 -in {certificate-pfx-format} -nocerts -nodes -out {private-key-file-name}
- Tried the private key with and without the password used to export the pfx file from MMC (have never explicitly encrypted the pvk file)
- Tried the pvk file in its original format, with all the text prior to the BEGIN statement removed, edited with Wordpad and/or Notepad (because I've read that either can insert erroneous characters), and in RSA format (openssl rsa -in [private-key-file-name] -out [RSA_ private-key-file-name])
- Encoding the cert in der format (openssl x509 -inform pem -in {certificatename_cer} -outform der -out {certificatename_der})
- I sent the pfx file to someone with access to a Linux system in order to create the der and pvk file directly.
I have not tried to independently install either the cer or der encoded certificate with MMC, as I was of the understanding that the CREATE CERTIFICATE command would do that (also, that step has not been mentioned in any of the sites I have visited).
What other avenues are there for me to pursue, or is there anything I am missing from what I’ve described?
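
An added diagnostic, not part of the original post: this Python sketch reports which container format a key or certificate file is actually in (Microsoft PVK, PEM text, or DER), regardless of its extension. It is relevant here because `openssl pkcs12 -nocerts` writes PEM text, while the private key file read by `CREATE CERTIFICATE` on SQL Server 2019 is expected in PVK format. The function name `classify` and all sample bytes are constructed for illustration.

```python
import re
import struct

PVK_MAGIC = 0xB0B5F11E  # first little-endian DWORD of a Microsoft PVK file

def classify(data: bytes) -> str:
    """Describe the container format of key/certificate bytes, ignoring the file extension."""
    # Editors can re-save text as UTF-16 or prepend a UTF-8 byte-order mark.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "UTF-16 text (re-encoded by an editor)"
    bom = data.startswith(b"\xef\xbb\xbf")
    if bom:
        data = data[3:]
    # PVK: 24-byte header of six DWORDs (magic, reserved, keytype, encrypted, saltlen, keylen).
    if len(data) >= 24:
        magic, _, keytype, encrypted, _, keylen = struct.unpack("<6I", data[:24])
        if magic == PVK_MAGIC:
            state = "encrypted" if encrypted else "unencrypted"
            return f"PVK ({state}, keytype={keytype}, keylen={keylen})"
    # PEM: base64 text between BEGIN/END lines; openssl pkcs12 may emit attribute lines first.
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if m:
        notes = []
        if bom:
            notes.append("UTF-8 BOM")
        if data[:m.start()].strip():
            notes.append("text before BEGIN")
        suffix = f" [{', '.join(notes)}]" if notes else ""
        return f"PEM ({m.group(1).decode()}){suffix}"
    # DER: ASN.1 SEQUENCE (0x30) whose encoded length accounts for the whole file.
    if len(data) >= 2 and data[0] == 0x30:
        n = data[1]
        extra = n & 0x7F if n & 0x80 else 0
        length = int.from_bytes(data[2:2 + extra], "big") if extra else n
        if 2 + extra + length == len(data):
            return "DER (ASN.1 SEQUENCE)"
    return "unknown"

# Constructed sample inputs (not real key material).
SAMPLES = {
    "pvk": struct.pack("<6I", PVK_MAGIC, 0, 1, 0, 0, 8) + bytes(8),
    "pem": b"Bag Attributes\n    friendlyName: demo\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "der": bytes([0x30, 0x03, 0x02, 0x01, 0x00]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob))
```

To check a real file, pass `open(path, "rb").read()` to `classify`; the file must be read in binary mode so the header bytes are not altered.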