How does server certificate validation take place with sqlcmd utility?

Chiranga Alwis 21 Reputation points
2020-12-22T05:43:24.11+00:00

During the process of evaluating Azure SQL Database service for hosting databases, it was identified that encryption of Azure SQL Database service client-server communication is enabled, by default.

Furthermore, the aforementioned sqlcmd utility documentation confirms that the server certificate is not trusted by the client by default (the -C argument is required for trusting the server certificate).

But it was noticed that the sqlcmd utility provides no option to supply the CA certificate that will be required to validate the incoming Azure SQL Server certificate (as per the concepts highlighted here).

  • How does the sqlcmd utility identify the CA certificate against which the incoming Azure SQL Server certificate needs to be validated?
  • From which location in a client machine does it identify the certificate to be used?

Please find the original issue at GitHub.

Azure SQL Database

Accepted answer
  David Browne - msft 3,766 Reputation points
    2020-12-23T00:49:45.51+00:00

    This was documented indirectly in the procedures for responding to a certificate revocation:

    If your client driver utilizes OS certificate store, as majority of drivers do, and your OS is regularly maintained this change will likely not affect you, as the root certificate we are switching to should be already available in your Trusted Root Certificate Store. Check for Baltimore CyberDigiCert GlobalRoot G2 and validate it is present.

    If your client driver utilizes local file certificate store, to avoid your application’s availability being interrupted due to certificates being unexpectedly revoked, or to update a certificate, which has been revoked, refer to the What do I need to do to maintain connectivity section.

    https://learn.microsoft.com/en-us/azure/azure-sql/updates/ssl-root-certificate-expiring

    The [sqlcmd] utility uses ODBC to execute Transact-SQL batches.

    https://learn.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15

    ODBC on Linux uses OpenSSL https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/programming-guidelines?view=sql-server-ver15#bkmk-openssl

    And on Windows it uses the Windows Certificate Store.

    1 person found this answer helpful.
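As an added example (not part of the answer above, and not Microsoft's or the ODBC driver's code), the following Python script models what the answer describes for the Linux case: the driver links OpenSSL, so the CA roots come from OpenSSL's default trust store (or the SSL_CERT_FILE / SSL_CERT_DIR overrides OpenSSL honours), and `-C` (TrustServerCertificate=yes) turns chain and hostname validation off rather than pointing at a different CA. The mapping of the two sqlcmd policies onto an `ssl.SSLContext` is an assumption made for illustration, and the sample certificate subjects are constructed, not real certificates.

```python
"""Added example: where the OpenSSL-backed ODBC path finds its CA roots, and
what sqlcmd -N with / without -C changes at the TLS layer.

Assumption (labelled): the two policies below mirror the documented ODBC
behaviour, TrustServerCertificate=no validates the chain against the platform
store plus the hostname, TrustServerCertificate=yes accepts the presented
server certificate without validation. This is a model, not the driver's code.
"""
import os
import ssl


def trust_store_locations() -> dict:
    """Where OpenSSL (and so the Linux ODBC driver that links it) looks for CA
    certificates: the SSL_CERT_FILE / SSL_CERT_DIR environment overrides if
    set, otherwise the compiled-in defaults reported by OpenSSL itself."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        "cafile": os.environ.get(paths.openssl_cafile_env) or paths.openssl_cafile,
        "capath": os.environ.get(paths.openssl_capath_env) or paths.openssl_capath,
    }


def make_client_context(trust_server_certificate: bool) -> ssl.SSLContext:
    """TLS policy equivalent (assumed mapping) to sqlcmd -N without -C
    (validate chain + hostname against the default store) or with -C
    (accept whatever certificate the server presents)."""
    ctx = ssl.create_default_context()  # loads the platform default CA store
    if trust_server_certificate:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_summary(trust_server_certificate: bool) -> dict:
    """Plain-data view of the resulting context, handy for checks and tests."""
    ctx = make_client_context(trust_server_certificate)
    return {
        "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def find_root_by_cn(ca_certs: list, common_name: str) -> list:
    """Filter dicts in the shape SSLContext.get_ca_certs() returns by subject
    commonName, e.g. to confirm 'DigiCert Global Root G2' is loaded."""
    hits = []
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and value == common_name:
                    hits.append(cert)
    return hits


# Constructed sample in the shape get_ca_certs() returns; not real certificates.
SAMPLE_CA_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root G2"),))},
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Corp"),),
                 (("commonName", "Example Corp Root CA"),))},
]


if __name__ == "__main__":
    print("trust store:", trust_store_locations())
    print("without -C:", policy_summary(False))
    print("with -C:   ", policy_summary(True))
    # Note: roots in a capath directory are only loaded lazily by OpenSSL, so
    # this list may be empty until a handshake has used them.
    loaded = make_client_context(False).get_ca_certs()
    print(len(find_root_by_cn(loaded, "DigiCert Global Root G2")),
          "matching root(s) currently loaded from the platform store")
```

The practical consequence is the one the answer hints at: `sqlcmd -S <server> -N` succeeds only if the server's chain ends in a root present in the OS / OpenSSL store, so keeping that store current is the fix when Azure rotates its root; adding `-C` makes the connection encrypted but unauthenticated, which is acceptable for troubleshooting and not as a permanent setting.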
