SQL Server Failover Clustering cetificate

AnnWild54 1 Reputation point
2021-03-23T22:08:23.46+00:00

I have a 3 node cluster (active-passive) with a separate instance on each one with an assigned certificate assigned to each instance on that node. Here's my scenario: Inst1 is on node1 and if I have a failover on Inst1 to node 3 the certificate will not auto-update in the dropdown properties certificate box. I have to manually select the certificate when the inst1 failed over to node3. The certificate is not following the node if an failover occurs. Is this normal with SQL failover clustering or is there a way to auto-update the certificate where the instance fails over to another node. Any resource would help to explain this and possible solution would help. Thank you. Environment: SQL Server 2012

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,638 questions
Windows Server Clustering
Windows Server Clustering
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Clustering: The grouping of multiple servers in a way that allows them to appear to be a single unit to client computers on a network. Clustering is a means of increasing network capacity, providing live backup in case one of the servers fails, and improving data security.
956 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. AmeliaGu-MSFT 13,961 Reputation points Microsoft Vendor
    2021-03-25T08:40:39.783+00:00

    Hi AnnWild54-1008,

    Welcome to Q&A.
    Have you copied the thumbprint value of the certificate to a Notepad window to the key HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Certificate on all the nodes?
    The key contains a property of the certificate known as thumbprint that identifies each certificate in the server. In a clustered environment, this key will be set to Null even though the correct certificate exists in the store. To resolve this issue, you must take these additional steps on each of your cluster nodes after you installed the certificate to each node):

    1. Navigate to the certificate store where the FQDN certificate is stored. On the properties page for the certificate, go to the Details tab and copy the thumbprint value of the certificate to a Notepad window.
    2. Remove the spaces between the hex characters in the thumbprint value in Notepad.
    3. Start regedit, navigate to the following registry key, and copy the value from step 2:
      HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Certificate
    4. If the SQL virtual server is currently on this node, failover to another node in your cluster, and then reboot the node where the registry change occurred.
    5. Repeat this procedure on all the nodes.

    Please refer to this article for more details.
    Best Regards,
    Amelia

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

    0 comments