none
SQL Server 2008 self-signed certificate is 1024bit or 2048bit? RRS feed

  • Question

  • When there is no user defined certificate available, SQL Server will generate a self-signed certificate when service starts, We have a tool scans and finds that in SQL 2005 the self-signed certificate is 1024bit,  does someone know the default self-signed certificate is still 1024bit or is it 2048bit in SQL 2008? Thanks a lot!!!
    Wednesday, February 4, 2015 2:08 PM

Answers

  • I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.

     Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.

     The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.

    After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed certificate created by SQL Server for data in transit transmission.

    BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.

    I hope this information helps,

    -Raul Garcia

     SQL Server Security


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, February 7, 2015 12:50 AM
    Moderator

All replies

  • hi,

    i think this is not absolute, both are possible. what tools are you using?


    • Edited by Malisaqin Friday, February 6, 2015 1:03 PM
    Friday, February 6, 2015 1:02 PM
  • I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.

     Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.

     The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.

    After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed certificate created by SQL Server for data in transit transmission.

    BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.

    I hope this information helps,

    -Raul Garcia

     SQL Server Security


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, February 7, 2015 12:50 AM
    Moderator
  • Do you have any links to a documentation that says this "self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted in cleartext, but nothing more. Think of it as a mitigation against a casual adversary."?
    Friday, June 21, 2019 1:32 AM