I have configured an SQL 2022 Std instance with a certificate issued via an Internal CA.
As per the above documentation, I was expecting that the certificate would need to be
added to the trusted root certificate store on all client computers and devices
However after both CA & SQL certificates are imported to Trusted Root Certification Authorities successfully on the client, and testing with client connections set to encrypt I receive the error:
The certificate chain was issued by an authority that is not trusted
I'm aware that I can set trustservercertificate to true on the connections and have confirmed as documented in SQL Server Verify Network Encryption the connections are encrypted when this setting is true.
Does the error indicate a misconfiguration?
Below shows the SQL Server binding.
And an extract from sqlcheck as per the MS documentation: Certificate Requirements for SQL Server
I also note from that article:
Starting with SQL Server 2019 (15.x), SQL Server Configuration Manager automatically validates all certificate requirements during the configuration phase itself. If SQL Server successfully starts after you configure a certificate, it's a good indication that SQL Server can use that certificate
Server starts fine and shows connections are encrypted when the client is forced to trust the server certificate.
FYI I'm testing with SSMS v19 as the client.
The documentation here SQL Server - Client Encryption Summary seems a little ambiguous as both internal ca scenarios (highlighted) refer to a company's certificate server, but only 1 imports the cert on the client and the other (which appears to be me) must set trustservercertificate?
Any advice appreciated.
The error has disappeared and I am now able to establish encrypted connections from the client without specifying trustservercertificate=true
I have not changed any configuration settings to resolve this however the VM hosting the sql server instance had been shut down and restarted.
I had previously restarted the SQL Server Service multiple times after configuring the certificate.