
If I create Always Encrypted columns in Microsoft SQL Server from the SSMS GUI, it makes a self-signed certificate. Is there any value in making a CSR and paying a certificate authority (or using letsencrypt.org) to make a certificate? Does that chain of trust add any value in this case?

Paul White
Justin Dearing

1 Answer


Certs from trusted CAs (like VeriSign) are used when you need a certificate that must be able to prove its issuer, purpose, validity, etc. Certs for data encryption like Always Encrypted typically do not require such proof since your certs typically don't float beyond your org. I don't know of any use case where you would benefit from using a third-party CA cert in an AE deployment. Even when you have strict management/rotation policies, I can't think of any common policy that you can't implement using a corporate-issued cert or even a self-signed cert (though the latter will have a bit more manual work).

SQLmojoe
  • Ok, so beyond value, can I make SQL Server care? Assuming I had a business requirement for chain of trust, could I make SQL Server, or the ODBC driver, check for chain of trust and emit a warning? Could I configure SQL Server to not let me install a self-signed certificate, or would I need to audit for that externally? – Justin Dearing Jan 24 '18 at 16:46
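The follow-up comment asks whether SQL Server can be made to check the chain of trust, or whether that has to be audited externally. The catalog view `sys.column_master_keys` records only a provider name and a key path of the form `CurrentUser/My/<thumbprint>` for the certificate-store provider, so the server has nothing to validate a chain against; the check has to be done on the machines that hold the certificates. The script below is an added example written for this page (it is not from the original answer, Microsoft, or SSMS) that does exactly that audit. It assumes a Windows host with the PKI module (`New-SelfSignedCertificate`) for the offline demo and the `SqlServer` module (`Invoke-Sqlcmd`) for the live query; `SQLHOST\INSTANCE` and `MyDb` are placeholders, and the demo certificate's subject is a constructed value.

```powershell
# Added example, not code from the original post: report whether the certificates
# behind Always Encrypted column master keys (CMKs) are self-signed and whether
# they chain to a trusted root. Assumes the PKI and SqlServer modules (Windows).

function Get-AeCertificateReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$KeyName = '(unnamed)'
    )
    # Always Encrypted only ever uses the certificate's private key to unwrap
    # column encryption keys; it never walks the chain. We build the chain here
    # purely for reporting. A self-signed cert has Issuer equal to Subject and
    # fails chain building unless someone added it to a trusted root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the demo offline; use 'Online' for a real audit
    $chainOk = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Dispose()
    [pscustomobject]@{
        KeyName       = $KeyName
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainValid    = $chainOk
        ChainStatus   = $status
        HasPrivateKey = $Certificate.HasPrivateKey
        NotAfter      = $Certificate.NotAfter
    }
}

function Get-AeColumnMasterKeyReport {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database
    )
    # The catalog stores only provider name and key path; the issuer is not
    # recorded anywhere server-side, which is why the audit runs on the client.
    $query = 'SELECT name, key_store_provider_name, key_path FROM sys.column_master_keys;'
    $rows  = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
    foreach ($row in $rows) {
        if ($row.key_store_provider_name -ne 'MSSQL_CERTIFICATE_STORE') {
            # e.g. AZURE_KEY_VAULT or MSSQL_CSP_PROVIDER: no X.509 chain to inspect
            [pscustomobject]@{ KeyName = $row.name; Provider = $row.key_store_provider_name; Note = 'not a certificate-store CMK' }
            continue
        }
        # key_path layout is '<StoreLocation>/<StoreName>/<Thumbprint>'
        $location, $store, $thumbprint = $row.key_path -split '/', 3
        $cert = Get-Item -Path "Cert:\$location\$store\$thumbprint" -ErrorAction SilentlyContinue
        if ($null -eq $cert) {
            [pscustomobject]@{ KeyName = $row.name; Provider = $row.key_store_provider_name; Note = "certificate $thumbprint is not in $location\$store on this machine" }
            continue
        }
        Get-AeCertificateReport -Certificate $cert -KeyName $row.name
    }
}

# Offline demo: a throwaway self-signed certificate of the same kind the SSMS
# wizard generates when it creates a CMK for you (constructed subject name).
# It is placed in CurrentUser\My and removed again, private key included.
$demo = New-SelfSignedCertificate -Subject 'CN=AE demo CMK (constructed)' `
            -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
            -KeySpec KeyExchange -KeyLength 2048 -NotAfter (Get-Date).AddDays(1)
try {
    Get-AeCertificateReport -Certificate $demo -KeyName 'demo' | Format-List
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)" -DeleteKey -Force
}

# Live audit against an instance (placeholders; uncomment to run):
# Get-AeColumnMasterKeyReport -ServerInstance 'SQLHOST\INSTANCE' -Database 'MyDb' | Format-Table -AutoSize
```

For the demo certificate the report shows `SelfSigned` true and `ChainValid` false with `UntrustedRoot` in the status, which is what the SSMS-generated CMK certificate looks like; a corporate-issued certificate would report `SelfSigned` false and chain-build cleanly on a domain-joined client. Run the live function on every client that holds the CMK certificate, since the same thumbprint may be present in different stores (or missing) on different machines, and feed the output to whatever external policy check the business requirement demands.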