Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: 
SQL Server 2025 (17.x) on Linux
This article describes how PolyBase External Execution Service (EES) communication is encrypted on SQL Server for Linux in SQL Server 2025 (17.x) Cumulative Update (CU) 6 and later versions.
Overview
PolyBase on Linux uses the External Execution Service (EES), which runs locally on the SQL Server host, to run the ODBC drivers required for external connectivity. Starting in SQL Server 2025 (17.x) CU6, communication between SQL Server services and EES is encrypted by default.
What's new in CU6
Traffic between SQL Server services and EES is encrypted by using a certificate.
EES uses a self-signed certificate that is generated automatically each time EES restarts.
The generated certificate is valid for 365 days.
Certificate details
| Item | Value |
|---|---|
| Certificate path | /var/opt/mssql/polybase-ees |
| Certificate file name | ca.crt |
| Certificate SAN | subjectAltName=IP:127.0.0.1,DNS:localhost |
Bring your own certificate
To use your own certificate for EES, place your certificate file at the same location and with the same name that EES expects.
Copy your certificate to
/var/opt/mssql/polybase-ees/ca.crt.Restart the EES service to pick up the certificate.
Validate that PolyBase external access works as expected.
Restart and rollback
To roll back to the default self-signed certificate (or to force regeneration), restart EES.
To restart EES on Linux, run the following command:
sudo systemctl restart mssql-ees.service
Remarks
You might need to restart EES if it hasn't been restarted in the past year so that a fresh certificate can be generated.
Fallback behavior
If the certificate file is missing or invalid, PolyBase falls back to unencrypted communication between SQL Server services and EES.