SSL Self Signed Fallback Questions

  • Hello, I am getting flagged in a vulnerability scan that this certificate doesn't have strong enough encryption.  We do not have our SQL Server set to force encryption, so I'm trying to figure out if I can delete this certificate?  I can't even really figure out where it is located... I have the SQL configuration manager set to our properly generated certificates but I'm not sure if that remedies the problem or not.

  • Ok, I've read more and while I still don't know how to fix this... I know I can't delete it. 🙂  

    The problem is the hashing algorithm that it is using is "deprecated".  I see SQL 2017 has upgraded the algorithm but is there no way to make it use a different encryption method?  I don't want to force SSL connections, so I'm not sure why it is still using the fallback certificate?

  • A little old, but dealing with the same thing. The encryption is used for the basic login part - encrypting the connection between the client just for the login. The only way I've found so far to replace it is to get an actual trusted cert and replace it on the server. That gets trickier with clusters because that cert needs to be the same on all nodes of the cluster that can host that SQL instance, but once set you should stop seeing that issue.  The "dbatools" PowerShell module has some methods to help set the cert. You have to make sure that you update the cert before it expires or your SQL Server may not start without replacing/removing the cert.
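As an added example (not code from any poster in this thread), the script below does the audit the last reply implies: it reads each SQL Server instance's `SuperSocketNetLib` registry key to see whether a certificate thumbprint is configured (no thumbprint means the self-signed fallback is generated at startup), looks that thumbprint up in the machine store, and flags the things a scanner or a failed service start would complain about: a SHA-1 signature, a short RSA key, a missing Server Authentication EKU, a missing private key, and approaching expiry. The registry paths and certificate properties are standard Windows/SQL Server ones; the `Set-DbaNetworkCertificate` cmdlet named in the comment is the dbatools cmdlet the reply alludes to, and its parameter names should be checked against the installed module version before use.

```powershell
# Added example: audit which certificate each SQL Server instance on this host
# uses for connection/login encryption. Run in an elevated PowerShell on the host.

$rootKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$warnDays = 30   # constructed threshold: warn when a cert expires within this many days

function Test-SqlNetworkCertificate {
    # Returns one result object per instance so the output can be filtered or exported.
    $results = @()
    # 'Instance Names\SQL' maps each instance name to its MSSQLxx.NAME folder.
    $instances = Get-ItemProperty "$rootKey\Instance Names\SQL" -ErrorAction Stop
    $names = $instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

    foreach ($entry in $names) {
        $netLibKey = "$rootKey\$($entry.Value)\MSSQLServer\SuperSocketNetLib"
        $props = Get-ItemProperty $netLibKey -ErrorAction SilentlyContinue
        $r = [pscustomobject]@{
            Instance        = $entry.Name
            ForceEncryption = $props.ForceEncryption
            Thumbprint      = $props.Certificate
            Findings        = @()
        }

        if ([string]::IsNullOrEmpty($r.Thumbprint)) {
            # Nothing configured: SQL Server creates a self-signed fallback cert at
            # service start and uses it to protect the login handshake.
            $r.Findings += 'No certificate configured; self-signed fallback will be used'
            $results += $r
            continue
        }

        # Thumbprints in the registry are often lowercase; the store holds them uppercase.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $r.Thumbprint.ToUpper() }
        if (-not $cert) {
            $r.Findings += 'Configured thumbprint not found in LocalMachine\My; service may fail to start'
            $results += $r
            continue
        }

        # Weak signature algorithm (the "deprecated hashing algorithm" a scanner flags).
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $r.Findings += "Signed with $($cert.SignatureAlgorithm.FriendlyName)"
        }
        # Short RSA keys are flagged by most scanners as well.
        if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA' -and $cert.PublicKey.Key.KeySize -lt 2048) {
            $r.Findings += "RSA key size $($cert.PublicKey.Key.KeySize) < 2048"
        }
        # SQL Server requires the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
            $r.Findings += 'Missing Server Authentication EKU'
        }
        # The service account must be able to use the private key; no key at all is fatal.
        if (-not $cert.HasPrivateKey) {
            $r.Findings += 'Certificate has no private key'
        }
        # Expiry: replace before this date or the instance may not start (see the reply above).
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $warnDays) {
            $r.Findings += "Expires in $daysLeft days ($($cert.NotAfter.ToShortDateString()))"
        }
        $results += $r
    }
    return $results
}

Test-SqlNetworkCertificate | ForEach-Object {
    Write-Host "$($_.Instance): ForceEncryption=$($_.ForceEncryption) Thumbprint=$($_.Thumbprint)"
    if ($_.Findings.Count -eq 0) { Write-Host '  OK' }
    foreach ($f in $_.Findings) { Write-Host "  WARN: $f" }
}

# Remediation with the dbatools module the reply mentions (cmdlet name assumed from dbatools;
# check parameters against your installed version), followed by a service restart.
# On a failover cluster, the same certificate (same thumbprint, private key included) must be
# installed and assigned on every node that can host the instance:
#   Set-DbaNetworkCertificate -SqlInstance 'SERVER\INSTANCE' -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
```

The check for the EKU and private key is there because a certificate that passes the scanner but fails those requirements is worse than the fallback: SQL Server will refuse to load it at the next restart. Running this script on every cluster node before assigning the certificate is a cheap way to catch a node where the PFX was never imported.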
