The SQL Server service cannot start after you configure an instance of SQL Server 2005 to use a Secure Sockets Layer (SSL) certificate using the Microsoft Enhanced Cryptographic Provider 1.0


Bug #: 486526 (SQLBUDT)

Symptoms


Consider the following scenario. You configure an instance of Microsoft SQL Server 2005 to use a Secure Sockets Layer (SSL) certificate. The SSL certificate uses the Microsoft Enhanced Cryptographic Provider 1.0. In this scenario, the SQL Server service cannot start. Additionally, when you try to start the SQL Server service, the following error messages are written to the SQL Server Errorlog file:
Error message 1
DateTime Server Unable to load user-specified certificate. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
Error message 2
DateTime Server Error: 17182, Severity: 16, State: 1.
Error message 3
DateTime Server TDSSNIClient initialization failed with error 0x80092004, status code 0x80.
Error message 4
DateTime Server Error: 17182, Severity: 16, State: 1.
Error message 5
DateTime Server TDSSNIClient initialization failed with error 0x80092004, status code 0x1.
Error message 6
DateTime Server Error: 17826, Severity: 18, State: 3.

Cause


This problem occurs because you cannot use a certificate that has the cryptographic service provider "Microsoft Enhanced Cryptographic Provider version 1.0" as a server certificate.

Resolution


To work around this problem, use any of the following methods:
  • Do not specify any certificate. SQL Server then generates a self-signed certificate. To do this, leave the Certificate box blank in SQL Server Configuration Manager.

    For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
    Configuring server network protocols and net-libraries
    http://msdn2.microsoft.com/en-us/library/ms177485.aspx

    Encrypting connections to SQL Server
    http://msdn2.microsoft.com/en-us/library/ms189067.aspx
  • Use a certificate that uses the "Microsoft RSA SChannel Cryptographic Provider" cryptographic service provider for the SQL Server certificate.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


SSL certificates that use the Microsoft Enhanced Cryptographic Provider 1.0 can be used for client certificates. However, the certificates are unsuitable as server certificates. To determine the provider of a certificate, run the following command at a command prompt:
certutil -v -store my
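To check that output against the two providers this article names, the following Python script (an added example, not part of the original article or of any Microsoft tool) parses saved `certutil -v -store my` text and labels each certificate. The sample text is constructed, and the output layout, the "v1.0" spelling of the provider name, and the verdict labels are assumptions.

```python
import re

# Constructed sample, trimmed to the lines this check reads. Assumption: it
# follows the layout of `certutil -v -store my` output (header, Subject, Provider).
SAMPLE = """\
================ Certificate 0 ================
Subject:
    CN=sql01.example.test
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    ProviderType = 1
================ Certificate 1 ================
Subject:
    CN=sql02.example.test
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Provider = Microsoft RSA SChannel Cryptographic Provider
================ Certificate 2 ================
Subject:
    CN=Example Test CA
"""

HEADER = re.compile(r"^=+ Certificate (\d+) =+\s*$", re.M)
# Accept the "1.0", "v1.0" and "version 1.0" spellings of the provider name.
ENHANCED = re.compile(r"Microsoft Enhanced Cryptographic Provider (v|version )?1\.0", re.I)
SCHANNEL = re.compile(r"Microsoft RSA S?Channel Cryptographic Provider", re.I)

def field(block, name, sep):
    # The value may sit on the same line as the label or on the line after it.
    m = re.search(rf"^\s*{name}\s*{sep}\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else None

def classify(provider):
    if provider is None:
        return "no-provider-listed"   # entry shows no key provider property
    if ENHANCED.fullmatch(provider):
        return "client-only"          # fails as a SQL Server server certificate
    if SCHANNEL.fullmatch(provider):
        return "server-ok"            # provider the article recommends
    return "not-covered"              # the article makes no claim about it

def audit(certutil_text):
    parts = HEADER.split(certutil_text)   # [preamble, idx0, body0, idx1, body1, ...]
    rows = []
    for idx, body in zip(parts[1::2], parts[2::2]):
        provider = field(body, "Provider", "=")
        rows.append((int(idx), field(body, "Subject", ":"), provider, classify(provider)))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To use it on a real server, redirect the certutil output to a file and pass the file's text to `audit`.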
The following error message is mentioned in the "Symptoms" section:
DateTime Server TDSSNIClient initialization failed with error 0x80092004, status code 0x80.
In this error message, "status code 0x80" indicates that the problem is in the SSL certificate. Additionally, "0x80092004" is a Security Support Provider Interface (SSPI) error code that translates to "CRYPT_E_NOT_FOUND".