How to get SQL Server to check revocation status of used certificate?

Thomas Griepentrog 1 Reputation point
2021-12-02T16:31:50.833+00:00

Hi all,

we have an issue with SQL Server and the setup of encrypted communication.

We set up the SQL server to use encrypted communication according to the documentation: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15

But now we have an issue when the used certificate is revoked.

The SQL Server Engine is still able to start and the connections are still possible.

It seems that the SQL Server is not checking if the certificate is revoked or not.

Is there any possible way to enable the checking of the revocation status for the SQL Server?

When we check the certificate using the command line tool "certutil" it clearly states that the certificate has been revoked but the SQL Server Engine doesn't care about it.


2 answers

  1. CathyJi-MSFT 21,136 Reputation points Microsoft Vendor
    2021-12-03T01:59:03.813+00:00

    Hi @Thomas Griepentrog ,

    Did you enable certificate revocation checking as in the screenshot below?

    Open Internet Explorer and go to Internet Options. Check the "Check for server certificate revocation" option and reboot your computer.

    Or change it at the Group Policy level.

    1. Click Start. Click Run...
    2. Type gpedit.msc and click OK.
    3. Navigate to Computer Configuration / Administrative Templates / Windows Components / Internet Explorer / Internet Control Panel / Advanced Page.
    4. Double-click Check for server certificate revocation.
    5. Select Enabled and click OK.
    6. Reboot the server.

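The two GUI procedures above (the Internet Options checkbox and the Group Policy setting) both end up as a `CertificateRevocation` DWORD in the registry: the per-user checkbox under `HKCU\...\Internet Settings`, the policy under `HKLM\SOFTWARE\Policies\...\Internet Settings`. The script below is an added example, not part of the original thread or of any Microsoft documentation: it reads both values, can set the policy value without opening gpedit.msc, and then looks up the certificate SQL Server is configured to use and asks certutil to verify it with a forced CRL/OCSP fetch, so you can see the revocation status the way the question describes. The instance registry name (`MSSQL15.MSSQLSERVER`) and the temporary file path are assumptions; adjust them for your server.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on the SQL Server host.
# Assumption: instance registry name; use e.g. MSSQL15.MYINSTANCE for a named instance.
$InstanceRegName = 'MSSQL15.MSSQLSERVER'

# The IE checkbox writes the per-user value; the Group Policy setting writes the policy value.
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RevocationSetting {
    # Reports the CertificateRevocation value at both locations (1 = checking enabled).
    foreach ($key in $UserKey, $PolicyKey) {
        $value = (Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
        [pscustomobject]@{
            Key     = $key
            Value   = if ($null -eq $value) { 'not set' } else { $value }
            Enabled = ($value -eq 1)
        }
    }
}

function Enable-RevocationPolicy {
    # Same effect as enabling "Check for server certificate revocation" in gpedit.msc.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name CertificateRevocation -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SqlServerCertificateRevocation {
    # SQL Server keeps the thumbprint of its TLS certificate in SuperSocketNetLib\Certificate.
    $sqlKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceRegName\MSSQLServer\SuperSocketNetLib"
    $thumbprint = (Get-ItemProperty -Path $sqlKey -Name Certificate -ErrorAction Stop).Certificate
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $thumbprint }
    if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }

    # certutil wants a file; export the public certificate to a temporary .cer (assumed path).
    $tmp = Join-Path $env:TEMP "sqlcert-$thumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null

    # -urlfetch forces CRL/OCSP retrieval instead of trusting the local cache;
    # -f forces the chain to be rebuilt.
    $output = & certutil.exe -f -urlfetch -verify $tmp 2>&1 | Out-String
    Remove-Item $tmp -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint = $thumbprint
        Subject    = $cert.Subject
        # Heuristic on certutil's text output: a revoked leaf shows CERT_TRUST_IS_REVOKED
        # in the chain status and a "revoked" message; read $Output if in doubt.
        Revoked    = [bool]($output -match 'CERT_TRUST_IS_REVOKED|is REVOKED|certificate is revoked')
        Output     = $output
    }
}

Get-RevocationSetting | Format-Table -AutoSize
# Enable-RevocationPolicy   # uncomment to set the policy value, then restart SQL Server
$result = Test-SqlServerCertificateRevocation
"SQL Server certificate $($result.Thumbprint) ($($result.Subject)) revoked: $($result.Revoked)"
```

Two things to keep in mind when reading the result: the policy value is consulted by the process at start-up, so a restart of the SQL Server service (or the server) is still needed after changing it, and a freshly revoked certificate will keep verifying as valid until the cached CRL expires. To force a fresh CRL download for a test, delete the cached copies first with `certutil -urlcache crl delete` (and `certutil -urlcache ocsp delete` for OCSP responses), then run the check again.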

  2. Thomas Griepentrog 1 Reputation point
    2021-12-06T16:39:36.837+00:00

    Hi @CathyJi-MSFT ,

    I tested your provided solution and it worked.

    Now I have to check how it works when the certificate is being revoked without restarting the MS SQL Engine or rebooting the server.

    I will come back after I checked it tomorrow.

    Thomas