Error message when you use SSL for connections to SQL Server: "The certificate received from the remote server was issued by an untrusted certificate authority"

Article ID: 2007728

Symptoms

Consider the following scenario:

  • You configure the Secure Sockets Layer (SSL) protocol to encrypt connections to an instance of Microsoft SQL Server whose version is listed in the "APPLIES TO" section.
  • A trusted certificate is not installed on the computer on which SQL Server is installed.

In this scenario, you may find the following error message in the Windows System Event Log:

Log Name:      System
Source:        Schannel
Date:          DATE
Event ID:      36882
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME
Description:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

If you open the Details of the event, you may find that SQL Server fell back to a self-signed certificate (SSL_Self_Signed_Fallback), as shown in the following example:

0038: 03 1E 30 00 53 00 53 00 ..0.S.S.
0040: 4C 00 5F 00 53 00 65 00 L._.S.e.
0048: 6C 00 66 00 5F 00 53 00 l.f._.S.
0050: 69 00 67 00 6E 00 65 00 i.g.n.e.
0058: 64 00 5F 00 46 00 61 00 d._.F.a.
0060: 6C 00 6C 00 62 00 61 00 l.l.b.a.
0068: 63 00 6B 30 1E 17 0D 30 c.k0...0
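
As an added example (not part of the original article and not Microsoft code), the following Python reassembles a dump copied from the event's Details view and reports whether the attached certificate names SSL_Self_Signed_Fallback. It assumes eight-byte rows as in the fragment above and scans for the BMPString encoding seen there (tag 0x1E, UTF-16BE) instead of parsing the whole certificate; all function names are illustrative.

```python
import re

# Hex dump fragment reproduced from the event Details example in this article.
ARTICLE_DUMP = """\
0038: 03 1E 30 00 53 00 53 00 ..0.S.S.
0040: 4C 00 5F 00 53 00 65 00 L._.S.e.
0048: 6C 00 66 00 5F 00 53 00 l.f._.S.
0050: 69 00 67 00 6E 00 65 00 i.g.n.e.
0058: 64 00 5F 00 46 00 61 00 d._.F.a.
0060: 6C 00 6C 00 62 00 61 00 l.l.b.a.
0068: 63 00 6B 30 1E 17 0D 30 c.k0...0
"""
FALLBACK_NAME = "SSL_Self_Signed_Fallback"
# Assumed row layout: hex offset, colon, up to eight hex bytes, ASCII column.
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):\s+((?:[0-9A-Fa-f]{2}(?:[ \t]+|$)){1,8})", re.M)

def parse_dump(text):
    """Return (first_offset, data) for contiguous dump rows; raise on a gap."""
    rows = [(int(off, 16), bytes.fromhex(hx)) for off, hx in ROW_RE.findall(text)]
    if not rows:
        raise ValueError("no dump rows found")
    data, expected = bytearray(), rows[0][0]
    for off, chunk in rows:
        if off != expected:
            raise ValueError(f"gap in dump at offset {off:04X}")
        data += chunk
        expected += len(chunk)
    return rows[0][0], bytes(data)

def bmp_strings(data, min_chars=4):
    """Heuristic scan (not a full DER parse) for BMPString values: tag 0x1E,
    short-form length, UTF-16BE body that decodes to printable ASCII."""
    i = 0
    while i + 2 <= len(data):
        length = data[i + 1] if data[i] == 0x1E else 0
        body = data[i + 2:i + 2 + length]
        if 2 * min_chars <= length < 0x80 and length % 2 == 0 and len(body) == length:
            text = body.decode("utf-16-be", errors="replace")
            if text.isascii() and text.isprintable():
                yield i, text
                i += 2 + length
                continue
        i += 1

def uses_self_signed_fallback(dump_text):
    """True when the dumped certificate bytes name SQL Server's fallback certificate."""
    _, data = parse_dump(dump_text)
    return any(text == FALLBACK_NAME for _, text in bmp_strings(data))
```

A True result for a 36882 event indicates the self-signed fallback case described in this article; a False result means the untrusted certificate came from somewhere else and should be investigated separately.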

Cause

If you configure SQL Server for SSL connections, but you do not install a trusted certificate on the server, SQL Server generates a self-signed certificate when the instance is started. This certificate is used to encrypt the credentials for client connections.

Secure Channel (Schannel) creates the list of trusted certificate authorities by searching the Trusted Root Certification Authorities store on the local computer. When Schannel detects a certificate that was issued by an untrusted certification authority, the error that is mentioned in the “Symptoms” section is logged. In the example, this SQL Server is considered an untrusted certification authority.

Resolution

You can safely ignore this problem if you intentionally use a self-signed certificate to encrypt connections to SQL Server. Please make sure that you read the following note in the Microsoft TechNet Books Online topic about SSL connections to SQL Server.

Caution: SSL connections that are encrypted by using a self-signed certificate do not provide strong security. They are susceptible to man-in-the-middle attacks. You should not rely on SSL using self-signed certificates in a production environment or on servers that are connected to the Internet.

To prevent this error message from being logged in the Windows System Event Log, you can use one of the following methods.

Method 1

Configure the Database Engine to use SSL by using the procedure that is documented in the following topic in Books Online.

Method 2

Use SQL Server Configuration Manager to disable the ForceEncryption setting for the instance of SQL Server. For more information about how to do this, see the Configuring SSL for SQL Server section in the Books Online topic that is mentioned in Method 1.

Properties

Article ID: 2007728 - Last Review: March 12, 2011 - Revision: 12.0
APPLIES TO
  • Microsoft SQL Server 2005 Developer Edition
  • Microsoft SQL Server 2005 Enterprise Edition
  • Microsoft SQL Server 2005 Enterprise Edition for Itanium-based Systems
  • Microsoft SQL Server 2005 Enterprise X64 Edition
  • Microsoft SQL Server 2005 Evaluation Edition
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005 Express Edition with Advanced Services
  • Microsoft SQL Server 2005 Service Pack 2
  • Microsoft SQL Server 2005 Service Pack 3
  • Microsoft SQL Server 2005 Service Pack 4
  • Microsoft SQL Server 2005 Standard Edition
  • Microsoft SQL Server 2005 Standard Edition for Itanium-based Systems
  • Microsoft SQL Server 2005 Standard X64 Edition
  • Microsoft SQL Server 2005 Workgroup Edition
  • Microsoft SQL Server 2008 Community Technology Preview
  • Microsoft SQL Server 2008 Developer
  • Microsoft SQL Server 2008 Enterprise
  • Microsoft SQL Server 2008 Enterprise Evaluation
  • Microsoft SQL Server 2008 Express
  • Microsoft SQL Server 2008 Express with Advanced Services
  • Microsoft SQL Server 2008 R2 Datacenter
  • Microsoft SQL Server 2008 R2 Developer
  • Microsoft SQL Server 2008 R2 Enterprise
Keywords: 
kbrapidpub kbnomt KB2007728
