I am looking for the right place to modify the CSR used by Certify so that it will have KeySpec=1. This is a requirement to use the cert in SQL Server 2012.
The ACMESharp client seems to support this:
var kpi = new CryptKeyProviderInformation();
kpi.ContainerName = containerName;
kpi.ProviderType = 1; // PROV_RSA_FULL
kpi.KeySpec = 1; // AT_KEYEXCHANGE
The certificate generated by Certify is not selectable in the SQL Server Configuration Manager.
The certificate should be valid (Valid From and Valid To properties), the Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server, the Enhanced Key Usage property should include ‘Server Authentication (1.3.6.1.5.5.7.3.1)’ and the certificate must be created by using the KeySpec option of ‘AT_KEYEXCHANGE’.
Thanks for any insight.
Hi, currently you can’t modify the CSR we build - however running
certutil -dump -v ff26cb7d-44a7-4a4e-96ef-71543abcedb8.pfx on one of the certs shows that we get
KeySpec = 1 -- AT_KEYEXCHANGE
According to this article it’s important to set a domain/hostname setting in the registry for it to recognise the correct certs, it also mentions you can set the certificatehash in the registry:
So if you try setting that manually to see if you can get it working then you could probably use PowerShell scripting to update the certificatehash on renewal:
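The checklist in the first post (validity window, CN equal to the FQDN, Server Authentication EKU, KeySpec = AT_KEYEXCHANGE) and the suggestion just above to script the hash update on renewal can be combined into one script. The following is an added example written for this thread; it is not code from Certify, certes or ACMESharp. It assumes Windows PowerShell 5.1 (where a CNG/KSP-backed key, as in the KeySpec = 0 output later in this thread, shows up as a missing RSACryptoServiceProvider), a default SQL Server 2012 instance, and that the thumbprint SQL Server uses lives in the `Certificate` value under that instance's `SuperSocketNetLib` registry key; adjust the path for a named instance.

```powershell
# Added example, not Certify's own code. Assumptions:
# - Windows PowerShell 5.1: $cert.PrivateKey is an RSACryptoServiceProvider only for
#   legacy-CSP keys; for CNG/KSP keys (Microsoft Software Key Storage Provider,
#   KeySpec = 0) it is $null, so that case is reported as a failure.
# - Default SQL Server 2012 instance (MSSQL11.MSSQLSERVER); the registry path and the
#   'Certificate' value name under SuperSocketNetLib are assumptions to adjust locally.
#Requires -RunAsAdministrator

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)

function Test-SqlServerCertificate {
    # Returns an array of reasons the certificate is not usable by SQL Server
    # (an empty array means every check passed).
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $Fqdn
    )
    $problems = @()

    # 1. Validity window
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "certificate is not currently valid ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # 2. Subject CN must equal the server FQDN (SimpleName returns the subject CN)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) {
        $problems += "subject CN '$cn' does not match FQDN '$Fqdn'"
    }

    # 3. Enhanced Key Usage must include Server Authentication
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    if (-not $hasServerAuth) {
        $problems += "EKU does not include Server Authentication ($ServerAuthOid)"
    }

    # 4. Private key must be a legacy CSP key with KeySpec AT_KEYEXCHANGE (1)
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key is associated with the certificate'
    } else {
        $rsa = $Cert.PrivateKey
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # KeyNumber.Exchange = 1 (AT_KEYEXCHANGE), KeyNumber.Signature = 2 (AT_SIGNATURE)
            $keyNumber = $rsa.CspKeyContainerInfo.KeyNumber
            if ($keyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $problems += "KeySpec is $keyNumber, expected Exchange (AT_KEYEXCHANGE)"
            }
        } else {
            $problems += 'private key is not in a legacy CSP (a CNG/KSP key reports KeySpec = 0)'
        }
    }
    return ,$problems
}

function Set-SqlServerCertificate {
    # Writes the thumbprint SQL Server should use for TLS into the instance's
    # SuperSocketNetLib key (value name 'Certificate' is an assumption, see above).
    # The SQL Server service must be restarted for the change to take effect.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $RegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
    )
    Set-ItemProperty -Path $RegPath -Name 'Certificate' -Value $Thumbprint.ToLower()
}

# Usage: pick the newest certificate issued to this host and, only if it passes
# every check, point SQL Server at it. Suitable as a post-renewal script.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "no certificate for CN=$fqdn found in LocalMachine\My" }

$problems = Test-SqlServerCertificate -Cert $cert -Fqdn $fqdn
if ($problems.Count -eq 0) {
    Set-SqlServerCertificate -Thumbprint $cert.Thumbprint
    Write-Output "SQL Server configured to use $($cert.Thumbprint); restart the SQL Server service."
} else {
    Write-Output "Certificate $($cert.Thumbprint) is not usable by SQL Server:"
    $problems | ForEach-Object { Write-Output " - $_" }
}
```

Running the check part on its own against the certificate in this thread would report the KeySpec failure (the key is held by the Key Storage Provider, so `$Cert.PrivateKey` is not a CSP object) before any registry value is touched; the registry write is deliberately gated on an empty problem list so a renewal hook never points SQL Server at a certificate it cannot load.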
Thanks for the reply. The cert I have shows KeySpec = 0.
Provider = Microsoft Software Key Storage Provider
ProviderType = 0
Flags = 0
KeySpec = 0
Everything is matching in the host names, etc.
Ah, are you on the latest version of the app (currently 4.1.6)? We don’t use the ACMESharp client currently, we use certes.
Yes, I am. Where would an appropriate place be to request this enhancement? Thanks for the dialog.
Hi, you can create a new feature request here: https://github.com/webprofusion/certify/issues
As mentioned in my limited testing (Windows Server 2016, CTW 4.1.6) the pfx generated had keyspec=1 so if you can provide information about the OS version you are running etc that might help.