The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.
Question
Thursday, April 9, 2020 4:49 PM
Hello.
I am trying to restore a Db in SQL server 16. It is a developer version installed on windows 10 laptop. We have a backup file from a SaaS instance. We have moved to a new instance of the SaaS and this is our archive from the first instance. This is strictly for archiving purposes. That said, the only was to read this of course is with SQL Server.
Script:
use master ;
-- drop master key encryption by password ='somepassword';
-- create master key encryption by password ='somepassword';
create certificate BULLHORN14852_45764 from file = 'C:\Program Files\Microsoft SQL Server\MSSQL13.LEVVEL\MSSQLBULLHORN14852_45764.cer'
with private key (file='C:\Program Files\Microsoft SQL Server\MSSQL13.LEVVEL\MSSQLBULLHORN14852_45764.pvk',
decryption by password = 'somepassword')
I was able to create the master key encryption no problem. When I run the create certificate command I get the famous
"The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it."
I am connected as the local administrator on windows. I have also granted permissions on the folders and the files.
NETWORK SERVICE account does have permission to the folder and the cert, pvk files.
I've been reading that these permissions above are not enough. I haven't administered a SQL DB in 15 years so I need some guidance. Any help would be greatly appreciated!
Rob.
All replies (5)
Friday, April 10, 2020 5:31 AM
Hi Rob,
What the SQL Server Service account are you using?
Could you please make sure the SQL Server Service account have permissions to read the cert backup files in “C:\Program Files\Microsoft SQL Server\MSSQL13.LEVVEL\ and try to add the SQL Server Service account to the administrator group?
Please refer to this similar thread which might help.
Best Regards,
Amelia
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Friday, April 10, 2020 4:16 PM
Hi Amelia.
I guess my underlying question is what is The SQL Server Account I am using? When I look at the services and what the Logon as is I see the following.
SQL Server (LEVVEL) - logon as NT Service\MSSQL$LEVVEL
SQL Server (MSSQLSERVER) - logon as NT Service\MSSQLSERVER
SQL Server Agent (LEVVEL) - logon as NT Service\SQLAgent$LEVVEL
SQL Server Agent (MSSQLSERVER) - logon as NT Service\SQLSERVERAGENT
The granted permissions on the folder (and files ) are: NETWORK SERVICE and MSSQL$LEVEL. I can't find any user names starting with SQL or MSS or NT in order to add other users to the permissions.
I am not sure what I am missing.
Monday, April 13, 2020 7:22 AM
Hi Rob,
Could you please try to change the SQL Server service account to Local system account or domain account (Domain\User) which has the full control permission on some folders and registry key?
Best Regards,
Amelia
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Monday, April 13, 2020 4:20 PM
Hi Amelia.
I did change the SQL Server agent (MSSQLSERVER) to run as the local system account. I still get the error
The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.
Is this maybe not a security issue? Could I have a bad cert or private key file?
Thanks.
Rob.
Tuesday, April 14, 2020 5:41 AM
Hi Rob,
>>Is this maybe not a security issue? Could I have a bad cert or private key file?
It might be possible. Could you please try to backup certificate and private key again?
Please make sure SQL Server service account of new instance has full permissions on certificate and private key.
Best Regards,
Amelia
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.