{"id":6589,"date":"2024-11-25T19:26:19","date_gmt":"2024-11-25T18:26:19","guid":{"rendered":"https:\/\/andreas-wolter.com\/?p=6589"},"modified":"2024-11-25T22:14:39","modified_gmt":"2024-11-25T21:14:39","slug":"tls-trusted-certificates-encrypt-data-transit-sqlservers","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/tls-trusted-certificates-encrypt-data-transit-sqlservers\/","title":{"rendered":"Use TLS 1.2 and trusted certificates to encrypt data in transit for all SQL Servers, including development environments"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-m0cxh8ps-579814bc5b690eda116cf7c2006b4ba5\">\n#top .av-special-heading.av-m0cxh8ps-579814bc5b690eda116cf7c2006b4ba5{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-m0cxh8ps-579814bc5b690eda116cf7c2006b4ba5 .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-m0cxh8ps-579814bc5b690eda116cf7c2006b4ba5 .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-m0cxh8ps-579814bc5b690eda116cf7c2006b4ba5 av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Use TLS 1.2 and trusted certificates to encrypt data in transit for all SQL Servers, including development environments<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-m0cxgkjy-c935304b4106b45214698f40e83a9894 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p style=\"text-align: center;\"><strong><em>\u00a0<\/em><\/strong><strong><em>Handshake protocol: Server Hello<br \/>\nContent type: blog article<br \/>\nVersion: TLS 1.2 (0x0303)<br \/>\nCipher Suite: 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<\/em><\/strong><\/p>\n<p style=\"text-align: center;\"><strong>*1 <\/strong>you find the explanation at the bottom of this post <br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" \/><\/p>\n<p>If you are responsible for a SQL Server environment, you may have noticed the following options in the service\u2019s network configuration:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-6577\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_NetworkEncryption_Settings-300x173.jpg\" alt=\"SQLServer NetworkEncryption Settings\" width=\"300\" height=\"173\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_NetworkEncryption_Settings-300x173.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_NetworkEncryption_Settings.jpg 498w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>And if you work with SQL Server regularly, use SQL Server Management Studio, Azure Data Studio, or are writing applications that connect to a SQL database, you have probably seen a dialog such as this one:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-6579\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServerClient_NetworkEncryption_Settings-300x71.jpg\" alt=\"SQLServer Client NetworkEncryption Settings\" width=\"300\" height=\"71\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServerClient_NetworkEncryption_Settings-300x71.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServerClient_NetworkEncryption_Settings.jpg 471w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Or you might have seen connection strings in your application code that look like 
this:<\/p>\n<p><em>Encrypt=Yes;TrustServerCertificate=<strong>No<\/strong>;<\/em><\/p>\n<p>\u2013 or well, at least I hope it is set to \u201cNo\u201d \ud83d\ude09<\/p>\n<p>This leads to the topic of this article: We need to make the use of proper channel encryption a standard for every environment. And simply \u201ctrusting\u201d any certificate without proper validation is not the way.<\/p>\n<p>These options determine whether the connection between the client and SQL Server is encrypted and whether the server\u2019s certificate is validated. Which version of <strong>TLS<\/strong> (Transport Layer Security) is then negotiated depends on what the client driver and the operating systems on both sides allow.<\/p>\n<p>All big cloud vendors have been pushing the use of <strong>TLS 1.2<\/strong> in the last two years.<br \/>\nOne driver is the US government program FedRAMP, which requires FIPS 140-2 validated cryptography (with algorithms such as AES) for data at rest and for data in transit; for data in transit that means TLS configured with a FIPS-compliant cipher suite.<\/p>\n<p>This recent reminder by Michael Howard, a well-known software security expert at Microsoft with whom I had the honor to work on the SQL Security team, actually inspired me to elaborate on this in a blog post (<strong>Thanks Michael<\/strong>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-6581\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_LinkedInPost_MichaelHoward_TLS-300x297.jpg\" alt=\"LinkedIn post by Michael Howard on TLS 1.2\" width=\"300\" height=\"297\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_LinkedInPost_MichaelHoward_TLS-300x297.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_LinkedInPost_MichaelHoward_TLS-80x80.jpg 80w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_LinkedInPost_MichaelHoward_TLS-36x36.jpg 36w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_LinkedInPost_MichaelHoward_TLS.jpg 576w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>(<a 
href=\"https:\/\/www.linkedin.com\/posts\/mikehow_this-should-be-a-no-brainer-however-it-activity-7249077916662177792-H9Sx\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.linkedin.com\/posts\/mikehow_this-should-be-a-no-brainer-however-it-activity-7249077916662177792-H9Sx\/<\/a> )<\/p>\n<h1>Background<\/h1>\n<p><em>\u2013 skip if you know about FedRAMP already or don\u2019t care about US government regulations<\/em><\/p>\n<p><strong>FedRAMP<\/strong> (Federal Risk and Authorization Management Program) is a US government program that provides \u201ca standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.\u201d \u201cFedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High-risk impact levels.\u201d (source: <a href=\"https:\/\/www.fedramp.gov\/faqs\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.fedramp.gov\/faqs\/<\/a>)<\/p>\n<p>This push goes back to the August 2019 update of the NIST Special Publication <strong>NIST SP 800-52 Rev. 2<\/strong> (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/52\/r2\/final\" target=\"_blank\" rel=\"noopener\">Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations<\/a>), which specifies the minimum TLS version that government agencies must configure: <strong>TLS 1.2<\/strong>. It also requires that <strong>TLS 1.3 be supported<\/strong> by January 1, 2024; supported in addition, that is, not necessarily the only version configured, if you read the fine print.<\/p>\n<p><strong>FIPS 140<\/strong>: The \u201cFederal Information Processing Standard\u201d 140 is a U.S. 
government standard that sets security requirements for cryptographic modules.<br \/>\nYou can read a bit more about how FedRAMP and FIPS relate in this (slightly critical \ud83d\ude42) article: <a href=\"https:\/\/alsmola.medium.com\/meeting-the-fedramp-fips-140-2-requirement-on-aws-e9886ba3f66b\" target=\"_blank\" rel=\"noopener\">Meeting the FedRAMP FIPS 140\u20132 requirement on AWS<\/a><\/p>\n<h1>TLS in SQL Server<\/h1>\n<p>While at this point <u>TLS 1.3 is only supported by SQL Server 2022, and only together with TDS 8.0 strict encryption<\/u>, <strong>TLS 1.2 should absolutely be the minimum everywhere<\/strong>, because TLS 1.0 and TLS 1.1 have multiple known vulnerabilities and are deprecated.<\/p>\n<p>There is a lot of information on the internet explaining the protocol details, security, and performance advantages, so I will not go into that. Here is a short article for starters: <a href=\"https:\/\/www.linkedin.com\/pulse\/tls-12-vs-11-digialert\/\" target=\"_blank\" rel=\"noopener\">TLS 1.2 vs TLS 1.1<\/a><\/p>\n<p>TLS of any version needs a server certificate: it is what lets the client verify that it is really talking to the SQL Server instance it intended to reach. Only when that validation succeeds is the encrypted channel between your client and the database engine worth anything; without it you may be encrypting to an impostor.<\/p>\n<blockquote><p><em>Note on support for TLS 1.2 for older versions of SQL Server<\/em>:<br \/>\nTLS 1.2 is supported back to SQL Server 2008, which was made possible by special security patches that Microsoft provides. You can find the list of patches for each version here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/sql\/database-engine\/connect\/tls-1-2-support-microsoft-sql-server\" target=\"_blank\" rel=\"noopener\">TLS 1.2 support for Microsoft SQL Server<\/a><\/p><\/blockquote>\n<h1>About self-generated and self-signed certificates<\/h1>\n<p>SQL Server <strong>self-generates <\/strong>a self-signed certificate at startup if no proper certificate is installed. 
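<\/p>\n<p>Whether a given instance is in that situation, and whether the certificate it does present would survive a client\u2019s validation, can be checked on the server itself. The following PowerShell script is an added example, not code from the original post. It reads the instance list and the <em>SuperSocketNetLib<\/em> settings from the registry (the values SQL Server Configuration Manager edits), looks the configured thumbprint up in the machine store and applies the three checks a client with <em>TrustServerCertificate=No<\/em> applies: chain of trust to a trusted root, the Server Authentication EKU, and a host name match against the FQDN. It assumes Windows PowerShell 5.1 or later, run elevated on the SQL Server host, with the default registry layout; nothing about your instance ids or certificates is hard-coded.<\/p>\n

```powershell
# Added example, not code from the original post. Audits every SQL Server instance on
# this host: which certificate it is configured to present for TLS, whether encryption is
# forced, and whether that certificate would pass the checks a client performs with
# TrustServerCertificate=No. Assumptions: Windows PowerShell 5.1+, run elevated on the
# SQL Server host, default registry layout. Instance ids (e.g. MSSQL16.MSSQLSERVER) are
# read from the registry, not hard-coded.
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLowerInvariant()

function Test-SqlInstanceCertificate {
    param([string]$InstanceName, [string]$InstanceId, [string]$ExpectedHostName)

    # Same registry values SQL Server Configuration Manager writes under "Protocols".
    $netLibPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\{0}\MSSQLServer\SuperSocketNetLib' -f $InstanceId
    $netLib = Get-ItemProperty -Path $netLibPath
    $thumb  = ([string]$netLib.Certificate).Trim().ToUpperInvariant()

    $report = [ordered]@{
        Instance        = $InstanceName
        ForceEncryption = ([int]$netLib.ForceEncryption -eq 1)
        Thumbprint      = $thumb
        ChainTrusted    = $false
        ServerAuthEku   = $false
        NameMatches     = $false
        HasPrivateKey   = $false
        Issues          = New-Object System.Collections.Generic.List[string]
    }
    if (-not $report.ForceEncryption) { $report.Issues.Add('ForceEncryption is off: clients may still connect unencrypted') }

    if (-not $thumb) {
        # Nothing configured: at startup SQL Server falls back to a self-generated,
        # self-signed certificate that no client can validate.
        $report.Issues.Add('No certificate configured: self-generated certificate in use')
        return [pscustomobject]$report
    }
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $report.Issues.Add('Configured thumbprint not found in Cert:\LocalMachine\My')
        return [pscustomobject]$report
    }
    $report.HasPrivateKey = $cert.HasPrivateKey

    # Check 1: chain of trust to a root in this machine's Trusted Root store, with online
    # revocation checking. A self-signed certificate fails here with UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $report.ChainTrusted = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        $report.Issues.Add(('Chain: {0} ({1})' -f $s.Status, $s.StatusInformation.Trim()))
    }

    # Check 2: Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $report.ServerAuthEku = [bool]($eku -and $eku.EnhancedKeyUsages['1.3.6.1.5.5.7.3.1'])
    if (-not $report.ServerAuthEku) { $report.Issues.Add('Missing Server Authentication EKU') }

    # Check 3: the name the client connects to must appear in the SAN DNS entries (or the
    # subject CN when there is no SAN); DnsNameList is PowerShell's view of exactly that.
    # Wildcard matching here is approximate (-like also spans several labels).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false).ToLowerInvariant()) }
    $report.NameMatches = [bool]($names | Where-Object { $ExpectedHostName -like $_ })
    if (-not $report.NameMatches) {
        $report.Issues.Add(('No SAN/CN matches {0}; certificate has: {1}' -f $ExpectedHostName, ($names -join ', ')))
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $report.Issues.Add('Certificate expires ' + $cert.NotAfter.ToString('u')) }
    return [pscustomobject]$report
}

$instances = Get-ItemProperty -Path $instanceKey
foreach ($p in $instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    Test-SqlInstanceCertificate -InstanceName $p.Name -InstanceId $p.Value -ExpectedHostName $fqdn |
        Format-List Instance, ForceEncryption, Thumbprint, ChainTrusted, ServerAuthEku, NameMatches, HasPrivateKey, Issues
}
```

<p>A self-generated certificate shows up as an empty thumbprint. A self-signed certificate that was placed in the store fails the chain check with <em>UntrustedRoot<\/em>, which is exactly what a client with <em>TrustServerCertificate=No<\/em> reports; it only passes if someone has put it into this machine\u2019s Trusted Root store, which says nothing about what the clients trust. The check is only as good as the root store of the machine running it, so run it from a representative client as well.<\/p>\n<p>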
However, the self-generated certificate is equivalent to a <strong>self-signed certificate<\/strong> that any user can create: neither chains to a root the client trusts, so both fail validation of the chain of trust.<\/p>\n<p>In brief terms, this means that the certificate presented by SQL Server should be signed by an issuing authority that is itself signed, directly or via further intermediates, by a root CA that the client knows as trusted. On Windows, that trust is implemented through the Trusted Root Certification Authorities certificate store. &#8211; For security and scalability reasons you will usually not have a certificate signed by a root CA directly.<\/p>\n<blockquote><p><em>Security advice:<\/em><br \/>\nNever use your root CA directly but rather use sub-CAs (subordinate Certificate Authorities) to issue certificates.<\/p><\/blockquote>\n<p>In versions prior to Windows Server 2022, one could place the self-signed certificate in the local &#8220;Trusted Root Certification Authorities&#8221; store to sort of emulate trust, but with Windows Server 2022 this hack does not work anymore.<br \/>\nUnder Windows Server 2022, both types of self-signed certificates are equally untrusted.<\/p>\n<p>This means your environment needs either its own Certificate Authority, or you use an external commercial CA to obtain the certificates you need.<\/p>\n<h1>Why not use TrustServerCertificate=<strong>Yes<\/strong>?<\/h1>\n<p>The answer is that this setting simply skips certificate validation while the connection is being established, and as a result your connection cannot be trusted.<br \/>\nIt\u2019s ironic, isn\u2019t it?: <strong>Trusting the server without validation leads to non-trustworthy network encryption.<\/strong><\/p>\n<p>It is the equivalent of clicking \u201ccontinue\u201d on a website with this certificate error.<\/p>\n<p>The problem is not primarily the strength of the encryption: the cipher suite is negotiated independently of who signed the certificate. The problem is that an unvalidated certificate gives you an encrypted channel to an unauthenticated peer, which makes the connection <strong>susceptible to man-in-the-middle attacks<\/strong>. You could say: by design, because this setting literally means \u201cjust accept whatever certificate the server presents\u201d. Naturally, an attacker in the network path can present a self-signed certificate just as easily, and the client will accept it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-6583 alignnone\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser-300x119.jpg\" alt=\"Web browser warning of Certificate\" width=\"300\" height=\"119\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser-300x119.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser-1030x409.jpg 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser-768x305.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser-705x280.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2011_CertificateProblem_WebBrowser.jpg 1062w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1>About development environments<\/h1>\n<p>Assuming that rolling out proper certificates is a no-brainer for production and test environments, what about development? Is that really necessary?<\/p>\n<p>I argue: <strong>Yes<\/strong>. And here is why:<\/p>\n<ol>\n<li><strong>Secure development starts with a secure development environment<\/strong>:<br \/>\nIn the same way that developing secure code is bound to fail if the development environment constantly runs with elevated permissions, the same applies to encryption of data in transit: if the development environment uses different connection-security settings, the mismatch will have to be caught in Test. And then what is next? Fix it in test and move to prod. And with every new functionality introduced, keep doing the same over and over again? 
This is just pushing the problem to a different environment. It increases technical debt and variance, and in the end the chances are high that some unsecured client or even server setting makes it to production.<\/li>\n<li><strong>Preventing lateral movement through session hijacking<\/strong>:<br \/>\nCan you guarantee that no account that logs on to your dev environment has permissions to log on to production or test?<br \/>\nYou will find that even domain admins will sometimes be connected to a dev environment. And if an attacker is waiting to jump from dev to prod, this is all that\u2019s needed: a session that can be intercepted. There are multiple options for that. On an unauthenticated TDS channel, an attacker in the network path can intercept the session and inject T-SQL into it; for example, create a linked server on dev that points to a production server and, riding the hijacked account\u2019s identity, take over the production server.<\/li>\n<li><strong>Intellectual property and configuration information are valuable targets alone<\/strong>:<br \/>\nWhile production data on development machines is becoming less common thanks to higher awareness nowadays (hefty GDPR fines are part of the reason), there is still a lot of interesting IP in the code. Also, process-related configuration data from development environments can help an attacker plan the lateral movement to production.<\/li>\n<\/ol>\n<h1>How to roll out certificates to all SQL Servers at scale<\/h1>\n<p>Now that we have established that really <strong>all SQL Servers should be using TLS 1.2 and certificates signed by a trusted certificate authority<\/strong> (CA), how can you go about that?<\/p>\n<p>First of all, you will need a Certificate Authority (CA). Larger enterprises will have their own. 
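<\/p>\n<p>Once a CA exists, the per-instance work is the part that should be scripted rather than clicked through in Configuration Manager. The following PowerShell script is an added example, not code from the original post: it imports a CA-issued PFX into the machine store, grants the service account read access to the private key, sets the thumbprint and <em>ForceEncryption<\/em> in the registry, restarts the instance and confirms from the errorlog that the certificate was loaded. The PFX path and the server name in it are hypothetical; it assumes a default instance (service name <em>MSSQLSERVER<\/em>; named instances use <em>MSSQL$NAME<\/em>), a PFX issued by your sub-CA with the host FQDN and any Availability Group listener names as SANs, the default Windows key-store paths, and Windows PowerShell 5.1 or later run elevated on the host.<\/p>\n

```powershell
#  Added example, not code from the original post. The instance-side half of a certificate
# rollout, written as a post-deployment step: import the CA-issued PFX into the machine
# store, let the SQL Server service account read the private key, point the instance at
# the thumbprint, force encryption, restart, and confirm from the errorlog that the
# certificate was loaded. Assumptions (hypothetical values): the PFX was issued by your
# sub-CA with the host FQDN and any AG listener names as SANs; default instance with
# service name MSSQLSERVER (named instances use MSSQL$NAME); Windows PowerShell 5.1+,
# run elevated. The restart interrupts connections, so schedule it.
$PfxPath     = 'C:\deploy\sql01.corp.example.com.pfx'   # hypothetical path
$ServiceName = 'MSSQLSERVER'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Resolve instance id (e.g. MSSQL16.MSSQLSERVER) and service account from the system.
$instanceName = if ($ServiceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { $ServiceName.Split('$')[1] }
$instanceId   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$instanceName
$svcAccount   = (Get-CimInstance Win32_Service -Filter ('Name=''{0}''' -f $ServiceName)).StartName
if (-not $instanceId) { throw ('Instance {0} not found in registry' -f $instanceName) }

# 1. Import with a non-exportable private key (the default for Import-PfxCertificate).
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }

# 2. The service account needs Read on the private key file; otherwise SQL Server logs
#    that it could not load the certificate. Key file locations are the Windows defaults
#    for machine keys (assumed): CNG under Crypto\Keys, CAPI under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    Join-Path $env:ProgramData ('Microsoft\Crypto\Keys\' + $rsa.Key.UniqueName)
} else {
    Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
}
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# 3. Same registry values Configuration Manager writes: certificate thumbprint and ForceEncryption.
$netLib = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\{0}\MSSQLServer\SuperSocketNetLib' -f $instanceId
Set-ItemProperty -Path $netLib -Name Certificate     -Value $cert.Thumbprint.ToLowerInvariant()
Set-ItemProperty -Path $netLib -Name ForceEncryption -Value 1 -Type DWord

# 4. Restart (also restarts dependents such as SQL Agent) and verify: SQL Server logs the
#    hash of the certificate it loaded for encryption during startup.
Restart-Service -Name $ServiceName -Force
Start-Sleep -Seconds 10
$params   = Get-ItemProperty ('HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\{0}\MSSQLServer\Parameters' -f $instanceId)
$errorLog = ($params.PSObject.Properties | Where-Object { $_.Value -like '-e*' }).Value.Substring(2)
$loaded   = Select-String -Path $errorLog -Pattern 'successfully loaded for encryption' | Select-Object -Last 1
if (-not $loaded -or $loaded.Line -notmatch [regex]::Escape($cert.Thumbprint)) {
    throw 'Certificate was not loaded; check the errorlog for the certificate-loading error'
}
'Instance {0} now presents {1} with ForceEncryption=1' -f $instanceName, $cert.Thumbprint
```

<p>The errorlog check matters: if the private key is not readable by the service account, SQL Server logs that it could not load the certificate and, depending on the <em>ForceEncryption<\/em> setting, either falls back to its self-generated certificate or refuses to start; either way, clients with <em>TrustServerCertificate=No<\/em> start failing after the restart. The same script, parameterized by host and run from your deployment pipeline, is what \u201cinfrastructure as code\u201d means for this piece.<\/p>\n<p>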
I won\u2019t go into detail on how to set up a CA here, as that is a whole other topic, but a few pointers I will give:<\/p>\n<ul>\n<li>If you have a Windows Enterprise CA, <strong>Certificate Autoenrollment<\/strong> will automatically deploy certificates to newly installed machines. Super helpful! &#8211; But in case you are using SQL Server Availability Groups you will still need to request your own certificates, since you will probably require multiple Subject Alternative Names (SAN) for the Virtual Network Names\/Listeners in addition to the host name.<\/li>\n<li>In general, you will want to integrate the certificate handling in your deployment or post-deployment processes, so it becomes just another piece of \u201cinfrastructure as code\u201d: request or import the certificate, grant the service account access to the private key, set the thumbprint and force encryption, restart.<\/li>\n<li>As I mentioned above: Never use your root CA directly but rather use sub-CAs to issue certificates.<\/li>\n<li>For security reasons, use a different sub-CA for your development environment than for your production environment, so that a compromise of the dev CA can be contained by revoking that one sub-CA without touching production.<\/li>\n<\/ul>\n<h1>Real-world challenge: Old clients and drivers<\/h1>\n<p>Now that we have hopefully realized that using TLS 1.2 and proper certificates is where we want to be, I also need to include the challenge of older applications and the old client drivers they depend on. And old always means higher security risk in software, especially when it comes to encryption and networking.<\/p>\n<p>So, unfortunately, you may not be able to force all clients or servers to use TLS 1.2. This technical debt is just another reason, similar to clients that use hardcoded passwords, and elevated accounts like sysadmin that nobody dares to touch, to move the databases that these clients require to different servers instead of hosting them together with others who can use better security. 
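<\/p>\n<p>Before you decide which databases have to move, find out which clients are actually affected. The following PowerShell script is an added example, not code from the original post: it connects with a hardened connection string (<em>Encrypt=True;TrustServerCertificate=False<\/em>) and lists every user session with its encryption state, driver, host and program from <em>sys.dm_exec_sessions<\/em> and <em>sys.dm_exec_connections<\/em>. The server name is hypothetical; it assumes the caller holds VIEW SERVER STATE and Windows PowerShell 5.1 with the built-in <em>System.Data.SqlClient<\/em> (strict encryption, <em>Encrypt=Strict<\/em>, needs the newer <em>Microsoft.Data.SqlClient<\/em> instead).<\/p>\n

```powershell
# Added example, not code from the original post. Inventory of who would be affected when
# ForceEncryption (or strict encryption) is switched on: connect with a hardened
# connection string, then list every user session with its encryption state, driver,
# host and program. Assumptions: hypothetical server sql01.corp.example.com (the FQDN
# in the certificate SAN); the caller has VIEW SERVER STATE; Windows PowerShell 5.1
# with the built-in System.Data.SqlClient (Encrypt=Strict / TDS 8.0 needs
# Microsoft.Data.SqlClient instead).
Add-Type -AssemblyName System.Data

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']            = 'sql01.corp.example.com'
$builder['Integrated Security']    = $true
$builder['Encrypt']                = $true    # TLS for login and data, not just the login packet
$builder['TrustServerCertificate'] = $false   # validate chain and host name; never $true outside a throwaway lab
$builder['Application Name']       = 'TLS inventory'

$query = @'
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       s.client_interface_name, s.client_version,
       c.encrypt_option, c.net_transport, c.client_net_address, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.host_name, s.program_name;
'@

function Get-SqlSessionEncryption {
    param([string]$ConnectionString, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
    } catch [System.Data.SqlClient.SqlException] {
        # A certificate the client cannot validate fails here, typically with
        # "The certificate chain was issued by an authority that is not trusted" or a
        # host-name mismatch. That is the exact check TrustServerCertificate=True would
        # skip: fix the server certificate or the client's root store, do not bypass it.
        throw ('Connection rejected: ' + $_.Exception.Message)
    }
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally {
        $conn.Dispose()
    }
}

$table = Get-SqlSessionEncryption -ConnectionString $builder.ConnectionString -Sql $query
$table.Rows | Format-Table session_id, login_name, host_name, program_name, client_interface_name,
    client_version, encrypt_option, net_transport -AutoSize

# Sessions with encrypt_option = FALSE did not ask for encryption. With ForceEncryption on
# they will be encrypted regardless, which breaks those whose driver or OS cannot negotiate
# TLS 1.2; these hosts and drivers are the ones to chase with the vendor or to isolate.
$unencrypted = @($table.Rows | Where-Object { $_.encrypt_option -eq 'FALSE' })
'{0} of {1} user sessions are unencrypted' -f $unencrypted.Count, $table.Rows.Count
$unencrypted | Group-Object host_name, program_name, client_interface_name |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

<p>Two things the DMVs do not tell you: the TLS version (they report only whether the session is encrypted; for the version you need a trace like the XEvent output at the end of this article or a network capture), and whether a session that shows <em>encrypt_option = FALSE<\/em> will survive <em>ForceEncryption<\/em>. <em>client_interface_name<\/em> and <em>client_version<\/em> (the TDS version) at least tell you which driver generation is talking to you, and the hosts that cannot be upgraded are the ones to isolate.<\/p>\n<p>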
&#8211; Because <strong>if you mix good and bad security you will end up with bad security<\/strong>.<br \/>\nSegregating by security level may be required if all else fails.<\/p>\n<p>Trust me: Having worked with hundreds of clients of all sizes, I know the pain of dealing with applications that just can\u2019t be touched, be it version-wise or security-wise. All I can do here is point out the importance of leveling up your security.<\/p>\n<blockquote><p><strong><em>The sooner you start enforcing better security, the more debt you will prevent.<\/em><\/strong><\/p><\/blockquote>\n<p>Do not wait for vendors. Instead, you need to take them with you in your undertaking of rolling out TLS 1.2 across your environment. Push or pull, however you like to call it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-6585 size-large\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-1030x76.jpg\" alt=\"XEvent trace showing TLS Handshake with TLS 1.2\" width=\"1030\" height=\"76\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-1030x76.jpg 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-300x22.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-768x56.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-1500x110.jpg 1500w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2-705x52.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2024\/11\/2411_SQLServer_XEventTraceResult_TLS1.2.jpg 1525w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/p>\n<p>XEvent trace showing TLS Handshake with TLS 1.2 <br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" 
\/><\/p>\n<p>in that sense<\/p>\n<p>happy securing<\/p>\n<p>Andreas <br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" \/><\/p>\n<p style=\"text-align: center;\"><strong>*1 <\/strong>insider for network packet analysts: this is roughly how the server responds to a session handshake request with TLS 1.2 \ud83d\ude09<\/p>\n<p style=\"text-align: center;\"><strong><em>Handshake protocol: Server Hello done<\/em><\/strong><\/p>\n<p style=\"text-align: center;\">TLS handshake message indicating the server is done and is awaiting the client\u2019s response <br class=\"avia-permanent-lb\" \/><br class=\"avia-permanent-lb\" \/><\/p>\n<p>Big thanks to:<br \/>\n<strong>Rohit Nayak<\/strong>, Principal Program Manager at <strong>Microsoft<\/strong>, working on network security<br \/>\n<strong>Ralf Dietrich<\/strong>, CEO and expert in computer forensics at <strong>Sarpedon Quality Lab Germany<\/strong><br \/>\n<strong>Lars Lawrenz<\/strong>, CEO and head of Software development at <strong>Sarpedon Quality Lab Germany<\/strong><br \/>\nfor reviewing and helping with technical details<br \/>\nand <strong>Michael Howard<\/strong>, Senior Director at <strong>Microsoft<\/strong>, for inspiring this article<\/p>\n<h1>Resources \u2013 further readings<\/h1>\n<p>This is a huge topic, as it involves different services such as the Certificate Authority, SQL Server itself, client drivers, and the multiple versions of TLS, which in turn also affect TDS.<\/p>\n<ul>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azuresqlblog\/the-importance-of-tls-with-sql-server\/3801220\" target=\"_blank\" rel=\"noopener\">The Importance of TLS with SQL Server<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/database-engine\/configure-windows\/certificate-requirements?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Certificate requirements for SQL Server<\/a><\/li>\n<li><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/networking\/connect-with-strict-encryption?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Connect to SQL Server with strict encryption<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/sql\/database-engine\/connect\/tls-1-2-support-microsoft-sql-server\" target=\"_blank\" rel=\"noopener\">TLS 1.2 support for Microsoft SQL Server<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/sql\/database-engine\/connect\/tls-upgrade-wkflow-1-2\" target=\"_blank\" rel=\"noopener\">Basic guide to upgrading SQL Server and clients to TLS 1.2<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/sql\/database-engine\/connect\/ssl-errors-after-tls-1-2\" target=\"_blank\" rel=\"noopener\">SSL errors are reported after upgrading to TLS 1.2<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/database-engine\/configure-windows\/configure-sql-server-encryption?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Configure SQL Server Database Engine for encrypting connections<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/networking\/connect-with-tls-1-3?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Configure TLS 1.3 (SQL Server)<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/database-engine\/configure-windows\/certificate-overview?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Transport Layer Security and digital certificates<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/networking\/tds-8\" target=\"_blank\" rel=\"noopener\">TDS 8.0 (SQL Server)<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/connect\/driver-feature-matrix?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Driver feature support matrix for 
Microsoft SQL Server<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/connect\/ado-net\/encryption-and-certificate-validation?view=sql-server-ver16\" target=\"_blank\" rel=\"noopener\">Encryption and certificate validation in Microsoft.Data.SqlClient<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/networking\/core-network-guide\/cncg\/server-certs\/configure-server-certificate-autoenrollment\" target=\"_blank\" rel=\"noopener\">Configure certificate auto-enrollment (Windows Server)<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/pki\/new-selfsignedcertificate?view=windowsserver2022-ps\" target=\"_blank\" rel=\"noopener\">PowerShell module: New-SelfSignedCertificate<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azuredbsupport\/root-certificates-of-azure-sql-db-and-sql-managed-instance\/3668434\" target=\"_blank\" rel=\"noopener\">Root certificates of Azure SQL DB and SQL Managed Instance<\/a><\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n<div  class='hr av-baku8u-c77559299fb7cb036a9bcb2d27e7c839 hr-default  avia-builder-el-2  el_after_av_textblock  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":6581,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[364,366,365,27],"class_list":["post-6589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-certificates","tag-encryption-en","tag-network","tag-security-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=6589"}],"version-history":[{"count":10,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6589\/revisions"}],"predecessor-version":[{"id":6600,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6589\/revisions\/6600"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/6581"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=6589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/ca
tegories?post=6589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=6589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}