How to use PFX-formatted certificates in SQL Server

Applies to: SQL Server 2014 Developer, SQL Server 2014 Enterprise

To use certificates that are in the PFX format in Microsoft SQL Server, use Microsoft PVKConverter for SQL Server to convert the PFX certificate files into PVK/DER format. To do this, follow these steps:

  1. Download and install the following tool:

    Download Microsoft PVKConverter for SQL Server
  2. Run the following command at a command prompt:

    PVKConverter.exe -i <PFX format file> -o <PVK/DER format file> -d <Decryption password> -e <Encryption password> 
    This step processes a PFX certificate file in order to generate the following PVK/DER certificate pairs:

    • <PVK/DER format file>_1.cer
    • <PVK/DER format file>_2.cer and <PVK/DER format file>_2.pvk
    Note The number of PVK/DER files that are generated depends on the number of public/private key pairs that are contained in the PFX file. One PVK/DER file pair is generated for each public/private key pair.

  3. Use SQL Query Analyzer to run the following Transact-SQL script:
    CREATE CERTIFICATE <Certificate name>
    FROM FILE = '<PVK/DER format file>.cer'
    WITH PRIVATE KEY (FILE = '<PVK/DER format file>.pvk',
    DECRYPTION BY PASSWORD = '<Encryption password>');
    Note The "Encryption password" placeholder represents the password that is provided through the -e option of PVKConverter.exe.
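The import from step 3 followed by a verification query, as an added example that is not part of the original article. It assumes the certificate name MyPfxCert and the output files C:\certs\converted_1.cer and C:\certs\converted_1.pvk from step 2; the query against sys.certificates confirms that the private key was actually loaded and reports the serial number length that the note at the end of the article refers to.

```sql
-- Added example (not from the article). Assumed names: MyPfxCert,
-- C:\certs\converted_1.cer and C:\certs\converted_1.pvk; replace them with
-- the certificate name and the files that PVKConverter.exe produced.
USE master;
GO

-- Step 3 of the article: import the DER file and its PVK private key.
-- The password is the one given to PVKConverter.exe with the -e option.
CREATE CERTIFICATE MyPfxCert
FROM FILE = 'C:\certs\converted_1.cer'
WITH PRIVATE KEY (
    FILE = 'C:\certs\converted_1.pvk',
    DECRYPTION BY PASSWORD = '<Encryption password>'
);
GO

-- Verification. A successful import with a private key shows
-- pvt_key_encryption_type_desc = ENCRYPTED_BY_PASSWORD, not NO_PRIVATE_KEY.
-- cert_serial_number is returned as a hex string (spaces are stripped before
-- counting, in case the display format includes them); two hex characters
-- represent one byte, so a value above 16 here means the serial number is
-- longer than 16 bytes and the version-specific article applies.
SELECT  name,
        pvt_key_encryption_type_desc,
        cert_serial_number,
        LEN(REPLACE(cert_serial_number, ' ', '')) / 2  AS serial_length_bytes,
        CASE WHEN LEN(REPLACE(cert_serial_number, ' ', '')) / 2 > 16
             THEN 'serial number longer than 16 bytes'
             ELSE 'ok'
        END                                            AS serial_check,
        start_date,
        expiry_date
FROM    sys.certificates
WHERE   name = 'MyPfxCert';
GO
```

Run the script in a query window connected as a login with CREATE CERTIFICATE permission on master; if the SELECT returns no row, the CREATE CERTIFICATE statement failed and its error message identifies which file or password was rejected.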

More Information

SQL Server supports the importing of existing security certificates that are specified as a pair of files that are encoded in PVK/DER format. The PVK file contains information about the certificate’s private key, and the DER file contains the remaining information.

In Windows 2008, Windows Certificate Manager can export existing certificates that contain private key information only to the PFX format; Windows 2008 has discontinued support for exporting to PVK/DER format. SQL Server, on the other hand, does not support importing PFX-encoded certificates. Therefore, there is currently an interoperability issue between Windows Certificate Manager and SQL Server.

Note If the serial number of your certificate is greater than 16 bytes, see the following article for your version of SQL Server.