I am looking for the right place to modify the CSR used by Certify so that it will have KeySpec=1. This is a requirement to use the cert in SQL Server 2012.
The ACMESharp client seems to support this:
var kpi = new CryptKeyProviderInformation();
kpi.ContainerName = containerName;
kpi.ProviderType = 1; // PROV_RSA_FULL
kpi.KeySpec = 1; // AT_KEYEXCHANGE
The certificate generated by Certify is not selectable in the SQL Server Configuration Manager.
Cert requirements:
The certificate should be valid (Valid From and Valid To properties), the Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server, the Enhanced Key Usage property should include ‘Server Authentication (1.3.6.1.5.5.7.3.1)’ and the certificate must be created by using the KeySpec option of ‘AT_KEYEXCHANGE’.
Hi, currently you can’t modify the CSR we build; however, running certutil -dump -v ff26cb7d-44a7-4a4e-96ef-71543abcedb8.pfx on one of the certs shows that we get KeySpec = 1 -- AT_KEYEXCHANGE.
According to this article it’s important to set a domain/hostname setting in the registry for it to recognise the correct certs; it also mentions you can set the certificatehash in the registry:
So if you try setting that manually to see if you can get it working, then you could probably use PowerShell scripting to update the certificatehash on renewal:
As mentioned, in my limited testing (Windows Server 2016, CTW 4.1.6) the pfx generated had KeySpec=1, so if you can provide information about the OS version you are running etc. that might help.
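The checks in the quoted SQL Server requirements and the registry update the reply suggests automating, as an added PowerShell example that is not from the thread, from Certify The Web or from Microsoft. It assumes the certificate is already in LocalMachine\My; $InstanceId is a placeholder for the SQL Server instance ID (MSSQL11.MSSQLSERVER would be a default 2012 instance), and SuperSocketNetLib\Certificate is the value the reply calls the certificate hash.

```powershell
# Added example (not code from the thread or from Certify The Web).
# Assumption: the cert is installed in Cert:\LocalMachine\My.
function Test-SqlServerCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $problems = @()

    # 1. Validity window (Valid From / Valid To)
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "not valid at $now (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
    }

    # 2. Subject CN must equal the machine FQDN
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $fqdn) { $problems += "CN '$cn' does not match FQDN '$fqdn'" }

    # 3. Enhanced Key Usage must include Server Authentication
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # 4. KeySpec must be AT_KEYEXCHANGE (KeyNumber.Exchange = 1). Only keys held by a
    #    legacy CSP expose a KeySpec; a CNG (KSP) key will not satisfy this check.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyNumber = $rsa.CspKeyContainerInfo.KeyNumber
        if ($keyNumber -ne 'Exchange') { $problems += "KeySpec is $keyNumber, not AT_KEYEXCHANGE" }
    } else {
        $problems += 'private key is not in a legacy CSP, so it has no AT_KEYEXCHANGE KeySpec'
    }
    return $problems   # empty array means all four requirements are met
}

# Point a SQL Server instance at the certificate by thumbprint. $InstanceId is a
# placeholder for the instance ID; the SQL Server service must be restarted afterwards.
function Set-SqlServerCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$InstanceId)
    $problems = Test-SqlServerCertificate -Thumbprint $Thumbprint
    if ($problems) { throw "certificate $Thumbprint is unsuitable: $($problems -join '; ')" }
    $key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
    # SQL Server expects the thumbprint as a hex string with no spaces
    Set-ItemProperty -Path $key -Name Certificate -Value ($Thumbprint -replace '\s', '').ToLower()
}
```

Running Test-SqlServerCertificate against the Certify-issued certificate first tells you which of the four requirements the Configuration Manager is rejecting, rather than guessing at KeySpec alone.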