How to use PFX-formatted certificates in SQL Server

Extended support for SQL Server 2005 ended on April 12, 2016

If you are still running SQL Server 2005, you will no longer receive security updates and technical support. We recommend upgrading to SQL Server 2014 and Azure SQL Database to achieve breakthrough performance, maintain security and compliance, and optimize your data platform infrastructure. Learn more about the options for upgrading from SQL Server 2005 to a supported version here.

To use certificates that are in the PFX format in Microsoft SQL Server, use Microsoft PVKConverter for SQL Server to convert the PFX certificate files into PVK/DER format. To do this, follow these steps:

  1. Download and install the following tool:

    Download Microsoft PVKConverter for SQL Server
  2. Run the following command at a command prompt:

    PVKConverter.exe -i <PFX format file> -o <PVK/DER format file> -d <Decryption password> -e <Encryption password>
    This step processes a PFX certificate file in order to generate the following PVK/DER certificate pairs:

    • <PVK/DER format file>_1.cer
    • <PVK/DER format file>_2.cer and <PVK/DER format file>_2.pvk
    Note The number of PVK/DER files that are generated depends on the number of public/private key pairs that are contained in the PFX file. One PVK/DER file pair is generated for each public/private key pair.

  3. Use SQL Query Analyzer to run the following Transact-SQL script:
    CREATE CERTIFICATE <Certificate name>
      FROM FILE = '<PVK/DER format file>.cer'
      WITH PRIVATE KEY (FILE = '<PVK/DER format file>.pvk',
      DECRYPTION BY PASSWORD = '<Encryption password>');
    Note The "Encryption password" placeholder represents the password that is provided through the -e option of PVKConverter.exe.
More information
SQL Server supports the importing of existing security certificates that are specified as a pair of files that are encoded in PVK/DER format. The PVK file contains information about the certificate’s private key, and the DER file contains the remaining information.
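A check that can be run on a generated .pvk file before step 3, as an added example that is not part of the original article or of PVKConverter: it reads the file header and confirms that the private key is password-protected. It assumes the file follows the standard Microsoft PVK header layout (six little-endian DWORDs: magic, reserved, key type, encrypted flag, salt length, key length); the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

PVK_MAGIC = 0xB0B5F11E         # first DWORD of a PVK file (assumed standard layout)
HEADER = struct.Struct("<6I")  # magic, reserved, keytype, encrypted, saltlen, keylen
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}


def inspect_pvk(data: bytes) -> dict:
    """Parse the 24-byte PVK header and sanity-check it against the file size."""
    if len(data) < HEADER.size:
        raise ValueError("file too short to be a PVK file")
    magic, _reserved, keytype, encrypted, saltlen, keylen = HEADER.unpack_from(data)
    if magic != PVK_MAGIC:
        raise ValueError("bad magic: not a PVK file")
    if encrypted and saltlen == 0:
        raise ValueError("inconsistent header: encrypted flag set but no salt")
    if len(data) < HEADER.size + saltlen + keylen:
        raise ValueError("truncated: header declares more bytes than the file holds")
    return {
        "key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
        "encrypted": bool(encrypted),
        "salt_len": saltlen,
        "key_len": keylen,
    }


def is_password_protected(data: bytes) -> bool:
    """True only when the private key blob is stored encrypted with a salt."""
    info = inspect_pvk(data)
    return info["encrypted"] and info["salt_len"] > 0


def make_sample(encrypted: bool) -> bytes:
    """Constructed sample header plus dummy bytes; not a real key."""
    saltlen = 16 if encrypted else 0
    header = HEADER.pack(PVK_MAGIC, 0, 1, int(encrypted), saltlen, 8)
    return header + b"\x00" * saltlen + b"\xAA" * 8


if __name__ == "__main__":
    # Usage: python check_pvk.py <PVK/DER format file>_2.pvk
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True)
    print(inspect_pvk(blob))
    if not is_password_protected(blob):
        sys.exit("private key is stored in the clear; do not copy it to the server")
```
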

In Windows 2008, Windows Certificate Manager can export existing certificates that contain private key information only to PFX format. Windows 2008 has discontinued support for exporting to PVK/DER format. SQL Server, on the other hand, does not support importing PFX-encoded certificates. Therefore, there is currently an interoperability issue between Windows Certificate Manager and SQL Server.

Note If the serial number of your certificate is greater than 16 bytes, see the following article for your version of SQL Server.


Article ID: 2914662 - Last Review: 08/31/2015 17:14:00 - Revision: 6.0

Microsoft SQL Server 2014 Service Pack 1, Microsoft SQL Server 2014 Developer, Microsoft SQL Server 2014 Enterprise, Microsoft SQL Server 2014 Web, Microsoft SQL Server 2014 Standard, Microsoft SQL Server 2014 Express, Microsoft SQL Server 2012 Developer, Microsoft SQL Server 2012 Enterprise, Microsoft SQL Server 2012 Web, Microsoft SQL Server 2012 Standard, Microsoft SQL Server 2012 Express, Microsoft SQL Server 2008 R2 Datacenter, Microsoft SQL Server 2008 R2 Developer, Microsoft SQL Server 2008 R2 Enterprise, Microsoft SQL Server 2008 R2 Web, Microsoft SQL Server 2008 R2 Standard, Microsoft SQL Server 2008 R2 Express, Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 Workgroup, Microsoft SQL Server 2008 Web, Microsoft SQL Server 2008 Express, Microsoft SQL Server 2005 Enterprise Edition, Microsoft SQL Server 2005 Workgroup Edition, Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2005 Express Edition
