How to get SQL Server to check revocation status of used certificate?

Thomas Griepentrog 1 Reputation point
2021-12-02T16:31:50.833+00:00

Hi all,

we have an issue with SQL Server and the setup of encrypted communication.

We set up the SQL server to use encrypted communication according to the documentation: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15

But now we have an issue when the used certificate is revoked.

The SQL Server Engine is still able to start and the connections are still possible.

It seems that the SQL Server is not checking if the certificate is revoked or not.

Is there any possible way to enable the checking of the revocation status for the SQL Server?

When we check the certificate using the command line tool "certutil" it clearly states that the certificate has been revoked but the SQL Server Engine doesn't care about it.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,320 questions
{count} votes

2 answers

Sort by: Most helpful
  1. CathyJi-MSFT 21,116 Reputation points Microsoft Vendor
    2021-12-03T01:59:03.813+00:00

    Hi @Thomas Griepentrog ,

    Did you enable certificate revocation checking as below screenshot.

    Open Internet Explorer and go to Internet Options. Check the "Check for server certificate revocation" option and reboot your computer.
    154662-screenshot-2021-12-03-095537.jpg

    Or change it at the Group Policy level.

    1. Click Start. Click Run...
    2. Type gpedit.msc and click OK.
    3. Navigate to Computer Configuration / Administrative Templates / Windows Components / Internet Explorer / Internet Control Panel / Advanced Page.
    4. Double-click Check for server certificate revocation.
    5. Select Enabled and click OK.
    6. Reboot the server.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
    0 comments No comments

  2. Thomas Griepentrog 1 Reputation point
    2021-12-06T16:39:36.837+00:00

    Hi @CathyJi-MSFT ,

    I tested your provided solution and it worked.

    Now I have to check how it's working when the certificate is beeing revoked without restarting the MS SQL Engine or rebooting the server.

    I will come back after I checked it tomorrow.

    Thomas