Error message when you use SSL for connections to SQL Server: "The certificate received from the remote server was issued by an untrusted certificate authority"


Symptoms


Consider the following scenario:

  • You configure the Secure Sockets Layer (SSL) protocol to encrypt connections to a version of Microsoft SQL Server that is listed in the "APPLIED TO" section.
  • A trusted certificate is not installed on the computer where SQL Server is installed.

 In this scenario, you may find the following error message in the Windows System Event Log: 

Log Name:      System

Source:        Schannel

Date:          DATE

Event ID:      36882

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      COMPUTERNAME

Description:

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

If you click the Details of the event, you may find a fallback to a self-signed certificate (SSL_Self_Signed_Fallback), as shown in the following example:

0038: 03 1E 30 00 53 00 53 00 ..0.S.S.

0040: 4C 00 5F 00 53 00 65 00 L._.S.e.

0048: 6C 00 66 00 5F 00 53 00 l.f._.S.

0050: 69 00 67 00 6E 00 65 00 i.g.n.e.

0058: 64 00 5F 00 46 00 61 00 d._.F.a.

0060: 6C 00 6C 00 62 00 61 00 l.l.b.a.

0068: 63 00 6B 30 1E 17 0D 30 c.k0...0
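
In the dump above, byte 1E is the DER tag for a BMPString and 30 is its length (48 bytes), so the value is the 24-character certificate name in UTF-16BE. The following Python script is an added example, not part of the original article or of any Microsoft tool: it rebuilds the bytes from the event's attached data and checks whether the rejected certificate is the SQL Server fallback certificate. The function names are hypothetical, and it assumes the 8-bytes-per-row layout shown above.

```python
import re

# Dump rows copied from the event Details example on this page.
DUMP = """\
0038: 03 1E 30 00 53 00 53 00 ..0.S.S.
0040: 4C 00 5F 00 53 00 65 00 L._.S.e.
0048: 6C 00 66 00 5F 00 53 00 l.f._.S.
0050: 69 00 67 00 6E 00 65 00 i.g.n.e.
0058: 64 00 5F 00 46 00 61 00 d._.F.a.
0060: 6C 00 6C 00 62 00 61 00 l.l.b.a.
0068: 63 00 6B 30 1E 17 0D 30 c.k0...0
"""
FALLBACK_NAME = "SSL_Self_Signed_Fallback"
# "OFFSET: HH HH ..." with at most 8 bytes per row; the ASCII column is ignored.
ROW = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):((?:\s+[0-9A-Fa-f]{2}(?=\s|$)){1,8})")

def parse_dump(text):
    """Return (first_offset, raw_bytes) rebuilt from the hex column."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank lines or surrounding prose
        offset = int(m.group(1), 16)
        if base is None:
            base = offset
        if offset != base + len(buf):
            raise ValueError(f"gap in dump at offset {offset:04X}")
        buf += bytes.fromhex(m.group(2))
    return base, bytes(buf)

def bmp_strings(data, base=0):
    """Find DER BMPString values (tag 0x1E, short-form length, UTF-16BE)."""
    found = []
    for i in range(len(data) - 1):
        length = data[i + 1]
        body = data[i + 2:i + 2 + length]
        if data[i] != 0x1E or not 0 < length < 0x80 or length % 2 or len(body) < length:
            continue  # not a complete, even-length, short-form BMPString
        text = body.decode("utf-16-be", errors="replace")
        if text.isprintable():
            found.append((base + i, text))
    return found

def is_sql_fallback_cert(dump_text):
    """True when the attached certificate data names the SQL Server fallback certificate."""
    base, data = parse_dump(dump_text)
    return any(text == FALLBACK_NAME for _, text in bmp_strings(data, base))

if __name__ == "__main__":
    print(is_sql_fallback_cert(DUMP))
```

A match means the Schannel error was caused by the self-signed certificate that SQL Server generated at startup, rather than by a certificate from some other untrusted issuer.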

Cause


If you configure SQL Server for SSL connections, but you do not install a trusted certificate on the server, SQL Server generates a self-signed certificate when the instance is started. This certificate is used to encrypt the credentials for client connections.

Secure Channel (Schannel) creates the list of trusted certificate authorities by searching the Trusted Root Certification Authorities store on the local computer. When Schannel detects a certificate that was issued by an untrusted certification authority, the error that is mentioned in the “Symptoms” section is logged. In the example, this SQL Server is considered an untrusted certification authority.

Resolution


You can safely ignore this problem if you intentionally use a self-signed certificate to encrypt connections to SQL Server. Please make sure that you read the following note in the Microsoft TechNet Books Online topic about SSL connections to SQL Server.

Caution: SSL connections that are encrypted by using a self-signed certificate do not provide strong security. They are susceptible to man-in-the-middle attacks. You should not rely on SSL using self-signed certificates in a production environment or on servers that are connected to the Internet.

To prevent receiving this error message in Windows System Event Log, you can use one of the following methods.

Method 1

Configure the Database Engine to use SSL by using the procedure that is documented in the following topic in Books Online.

Method 2

Use SQL Server Configuration Manager to disable the ForceEncryption setting for the instance of SQL Server. For more information about how to do this, see the Configuring SSL for SQL Server section in the Books Online topic that is mentioned in Method 1.

More Information