
Saturday, February 25, 2012

Certificates versus Keys

Hi,

A few questions:

Are there best practices regarding when a Certificate is appropriate for encrypting data versus using a asymmetric key?

Also, when you create an asymmetric key - aren't you really creating both the public/private key pair?

Lastly, what can a Certificate do that an asymmetric key cannot?

Thanks much,

Joe

Yes, when you create the asymmetric key, you create a key pair. The same thing happens for certificates if you use the "WITH SUBJECT" clause instead of creating the certificate from a file.

In terms of encryption and signing, what you can do with one, you can also do with the other. The main differences are in how you create them (certificates can be imported from X.509 files, asymmetric keys from assemblies) and the fact that certificates can be backed up to files, while asymmetric keys cannot.

This last point is very important because it means that if an asymmetric key is created internally, not loaded from a file, then it is not easy (it is possible but not practical) to create the same asymmetric key in another database. So if you do code signing and you want the signature to grant server-level permissions, it will be more convenient to use certificates.

Thanks
Laurentiu
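Laurentiu's point about backing certificates up to files, as an added T-SQL example that is not from the thread: a certificate created in master is exported with its private key, re-created from the files in a user database, and used to sign a procedure so that the signature conveys a server-level permission. SigningCert, SigningCertLogin, AppDb, the passwords and the C:\certs path are placeholders I chose.

```sql
-- Step 1, in master: the certificate, a login mapped to it, and the
-- server-level permission that the signature will convey.
USE master;
GO
CREATE CERTIFICATE SigningCert
    ENCRYPTION BY PASSWORD = 'CertPwd#Placeholder1'   -- placeholder
    WITH SUBJECT = 'Signs procedures needing VIEW SERVER STATE';
GO
CREATE LOGIN SigningCertLogin FROM CERTIFICATE SigningCert;
GO
GRANT VIEW SERVER STATE TO SigningCertLogin;
GO
-- Export the public part and the private key; an asymmetric key created
-- inside SQL Server has no equivalent of this, which is why certificates
-- are the convenient choice here.
BACKUP CERTIFICATE SigningCert
    TO FILE = 'C:\certs\SigningCert.cer'              -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\certs\SigningCert.pvk',
        ENCRYPTION BY PASSWORD = 'PvkPwd#Placeholder2',
        DECRYPTION BY PASSWORD = 'CertPwd#Placeholder1');
GO

-- Step 2, in the user database (or on another server entirely):
-- re-create the identical certificate from the files, then sign.
USE AppDb;                                            -- placeholder db
GO
CREATE CERTIFICATE SigningCert
    FROM FILE = 'C:\certs\SigningCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\certs\SigningCert.pvk',
        DECRYPTION BY PASSWORD = 'PvkPwd#Placeholder2',
        ENCRYPTION BY PASSWORD = 'CertPwd#Placeholder1');
GO
CREATE PROCEDURE dbo.usp_ShowSessions
AS
    -- sys.dm_exec_sessions requires VIEW SERVER STATE
    SELECT session_id, login_name, status FROM sys.dm_exec_sessions;
GO
ADD SIGNATURE TO dbo.usp_ShowSessions
    BY CERTIFICATE SigningCert
    WITH PASSWORD = 'CertPwd#Placeholder1';
GO
-- A user holding only EXECUTE on the procedure now gets VIEW SERVER STATE
-- for the duration of the call, because the signing certificate matches
-- the one in master that carries the login and the permission.
```

The signature is dropped whenever the procedure is altered, so ADD SIGNATURE has to be re-run after any ALTER PROCEDURE.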

That answers my questions Laurentiu. As always, thanks again for your help.

Best Regards,

Joe

Certificates expiration Date

Hi There

This may seem like a stupid question, but I am trying to get the hang of the new security model.

I have not really heard anything mentioned about the certificate expiration date when it comes to creating certificates for keys or service broker endpoints etc.

We have created certificates for keys and service broker endpoints. Now what exactly happens when the expiration date (by default 1 year, I think) is reached? Will we no longer be able to decrypt encrypted data, and will the service broker endpoints stop working, etc.?

Or is this expiration date the point at which the certificate can no longer be used to create security objects, and will all security objects already created with this certificate always work?

In other words, is there ever a danger that keys and endpoints, or basically any object referencing this certificate, will just suddenly stop working one day, or will all objects work indefinitely regardless of a certificate's/object's expiration date?

Thanx

The certificate expiration date is not enforced by SQL Server directly. These certificates can still be used for data encrypting, decrypting, signing, verifying signatures or object creation/usage in SQL Server.

Service Broker will honor the expiration date, and after a certificate has expired it cannot be used (see "Certificates for Dialog Security", http://msdn2.microsoft.com/en-us/library/ms166117.aspx). For more information on Service Broker's usage of certificates, I would recommend visiting the Service Broker Conversations webpage at http://blogs.msdn.com/remusrusanu/.

While SQL Server itself will not prevent you from using an expired certificate, it is up to the application developers to enforce or suggest the expiration, and to treat the ability to use expired certificates as a disaster recovery tool rather than as a rule. I strongly recommend generating new certificates to substitute expired ones.

Thanks,

-Raul Garcia

SDE/T

SQL Server Engine

Certificate creation problem

Hello to all

I have two SQL 2005 server and I want to start mirroring a database.
Since there's no windows domain I'm trying to use certificates to grant connection between servers.

At this point I find some difficulties...

I've read on MSDN that the 'active FOR begin_dialog = ON' option must be specified; look at the code below. When I execute it, I get the following error:

Msg 156, Level 15, State 1, Line 8
Incorrect syntax near the keyword 'FOR'.


CREATE CERTIFICATE Polx
WITH SUBJECT = 'Mirror certificate',
START_DATE = '10/31/2001',
EXPIRY_DATE = '10/31/2009',
active FOR begin_dialog = ON;
GO

CREATE SYMMETRIC KEY Key1
WITH ALGORITHM = RC4
ENCRYPTION BY CERTIFICATE Polx
GO

Any suggestion will be really appreciated!!!

By the way, do I have to create the same certificate on the mirror server after creating it on the master?

Thanks, Carlo

You should try removing the comma before the ACTIVE keyword. From my experience with database mirroring, however, I don't remember this clause being required. The certificate used for mirroring needs to exist on both the principal and the mirror.

Thanks
Laurentiu

Here's some additional information about setting up database mirroring. I hope this will help:

http://blogs.msdn.com/lcris/archive/2005/09/14/466268.aspx

Thanks
Laurentiu