Configuring SSL on SQL Server 2012

This is more painful than it should be, but here’s how it’s done.

Step #1: Generate a CSR

In order to get an SSL certificate, you’ll need a CSR. SQL Server is picky about this — the process for creating one differs slightly from the process for a web server. The following steps apply to certificates signed by a CA as well as self-signed certificates.

Open the Microsoft Management Console by typing mmc.exe into either the Run or Search boxes found on the Start Menu.

Microsoft Management Console

Once opened, click on “File” then “Add/Remove Snap-in…”

Add the Certificates Snap-in

Be sure to add it under the Computer account

Local Computer

Then hit OK

Expand Certificates, right-click on Personal, select All Tasks, Advanced Operations then click on Create Custom Request…

Custom Request

Click Next

Enrollment

Select Proceed without enrollment policy and click Next

Proceed without enrollment policy

Select the highlighted options and click Next

Certificate Enrollment (request options)

Open the Properties dialog

Properties

Give your request a Friendly Name and a Description

SSL for SQL

On the Subject tab, in the Subject name section, you need a Common Name — this should be the FQDN of the server; in the Alternative name section, you need to provide a Type: DNS value for the bare hostname and one for the FQDN of the server. It’s also a good idea to provide a Type: IP address(v4) for each IP that belongs to the server.

Subject tab

On the Extensions tab, click the arrow in the Extended Key Usage box and add the Server Authentication option.

Extensions tab

On the Private Key tab, select the options highlighted below, and click OK, and then click Next.

Private Key tab

Save your CSR somewhere and then either sign it yourself or submit it to a CA.

my_csr.txt
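
The same request can be produced from the command line with certreq.exe. This is an added example, not part of the original walkthrough: the host names, IP address and file names are constructed placeholders, and the key length, provider and non-exportable key are assumptions, since the private-key options the walkthrough selects are only shown in its screenshots.

```powershell
# Added example: certreq.exe equivalent of the MMC custom-request steps above.
# All values are constructed placeholders; substitute your server's own.
$fqdn     = 'sql01.corp.example.com'   # Common Name = FQDN of the server
$hostname = 'sql01'                    # bare hostname for the SAN
$ipv4     = @('192.0.2.10')            # each IPv4 address that belongs to the server

# Subject Alternative Name entries: DNS for hostname and FQDN, plus each IP
$san      = @("dns=$hostname", "dns=$fqdn") + ($ipv4 | ForEach-Object { "ipaddress=$_" })
$sanLines = ($san | ForEach-Object { "_continue_ = `"$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "SSL for SQL"
RequestType = PKCS10
; Key goes into the Local Computer store, matching the Computer account snap-in
MachineKeySet = TRUE
; KeySpec 1 = AT_KEYEXCHANGE, which SQL Server requires for its certificate
KeySpec = 1
; Assumptions: 2048-bit, non-exportable key in the SChannel CSP
KeyLength = 2048
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

Set-Content -Path .\sql_request.inf -Value $inf -Encoding ASCII
certreq.exe -new .\sql_request.inf .\my_csr.txt
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review what will be sent to the CA before submitting it
certutil.exe -dump .\my_csr.txt |
    Select-String 'Subject:|DNS Name|IP Address|Server Authentication'
```

Run it from an elevated prompt on the SQL Server host so the private key is created in the machine store. Once the CA returns the signed certificate, `certreq.exe -accept` is the command-line counterpart of the import in Step #2.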

Step #2: Import Your Certificate

Open the Certificates Snap-in just like you did in Step #1, then expand Certificates, right-click on Personal, select All Tasks, and then select Import…

Import Certificate

Click Next, click Browse, locate your certificate file in the Open dialog, and then click Next again:

Certificate Import Wizard

Certificate Import Wizard 2

Browse for the certificate

Certificate import wizard 3

Place all certificates in the Personal store … click Next and then click Finish (and then OK).

Personal Certificate Store

Completing the wizard

Success

Step #3: Configure SQL Server To Use Your New Certificate

Open SQL Server Configuration Manager and restart the SQL Server service. Nothing crazy should happen… not yet.

Navigate to Protocols for INSTANCENAME, right-click on it, and select Properties

Protocols for instancename

Select your certificate and then hit OK

Protocols for instancename 2

Restart the SQL Server service one more time… if it starts up successfully, then you’re done. If it doesn’t (which is highly likely) then continue reading.

Step #4: SQL Server service does not restart successfully

Check the event viewer. If you see the following event IDs: 17120, 17826, 17182, 17663 then the user account the service is running as probably cannot read the server’s private key:

TDSSNIClient initialization failed 'n stuff

First, who is running the service? Open the SQL Server Configuration Manager, locate the SQL Server service, right-click on it, and select Properties. Find the Account Name input box on the Log On tab and make a note of the account name:

SQL Server Properties

Then, re-open the Certificates Snap-in just like you did in Step #1, locate your certificate (Certificates (Local Computer) -> Personal -> Certificates), right-click on it, select All Tasks, then select Manage Private Keys:

Manage Private Keys

A familiar Permissions dialog will appear. Click Add…:

Permissions for private keys

Click the Locations… button and select the location where the account resides… most of the time this will be the local computer:

Add the account that the SQL Server service runs as. Sometimes for local accounts, it is necessary to type the entire account name into the box titled Enter the object names to select and then hit OK (i.e., do not use the Check Names button.)

Give this user Read access, and then hit OK.

Read access

The SQL Server service should restart successfully now.
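
The Manage Private Keys steps above can also be scripted. This is an added example, not part of the original walkthrough: the thumbprint placeholder and service name are assumptions, and it only handles keys held in a legacy CSP (stored as files under MachineKeys), not CNG keys.

```powershell
# Added example: grant the SQL Server service account Read (and nothing more)
# on the certificate's private key. Run from an elevated prompt.
$thumbprint  = '<CERTIFICATE-THUMBPRINT>'   # placeholder: copy from the certificate's Details tab
$serviceName = 'MSSQLSERVER'                # assumption: default instance;
                                            # a named instance is 'MSSQL$INSTANCENAME'

# The account the service runs as (the Account Name on the Log On tab).
# Note: a value of 'LocalSystem' will not resolve below and already has access.
$account = (Get-WmiObject Win32_Service -Filter "Name='$serviceName'").StartName
if (-not $account) { throw "Service '$serviceName' not found." }

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with this certificate.' }

# CSP keys are files under MachineKeys, named after the unique key container
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Add a single Allow/Read entry for the service account
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Confirm who can now read the key
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The final table is worth reviewing on its own: anything beyond administrators, SYSTEM and the service account with access to the key file deserves a second look.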

Religion and the Army

When I look back at my time in the U.S. Army, there’s always one thing that comes to mind—the religiosity of the majority (in both the enlisted and commissioned ranks). It wasn’t diverse in the slightest; quite the contrary actually. In fact, you didn’t have to look far to see or hear someone making claims that the U.S. Army is a “Christian” army. And not just any breed of Christianity either, we’re talking about the Evangelical kind. The kind that makes a Chief Warrant Officer, supposedly the more intelligent of those serving, chastise and intimidate a junior enlisted soldier (in full view of about 20 other people) for refusing to believe that the Earth is 10,000 years old or less… the kind that keeps the onlookers in that scenario, silent.

I was that junior enlisted soldier, and if you’re reading this Chief D., fuck you. You see, you are what’s wrong with the Army (I can’t speak for the other branches because I didn’t serve in them… but I hear that they suffer from the same problems.) The entire time I was serving, I was constantly frustrated by the fact that proselytizing to other soldiers without their consent, and/or discriminating against them on the basis of religion, was technically illegal but nonetheless an accepted practice… after all, there are no atheists in foxholes.

In fact, I can’t count the number of soldiers and officers whom I overheard speculating on the “End Times” during the run-up to the invasion of Iraq; there were many who actually believed that we were going to be fighting in a “holy war”, and to state or argue otherwise could get you into trouble. Aside from becoming a social outcast, you could find yourself the subject of a complaint to your supervisor when one of the end-timers interprets your refusal to believe their bullshit as an open attack on their religion. This very thing happened to me shortly after 9/11. Nothing ever came out of it, but it did cause some minor stress in my life for a short moment.

There were rewards for being religious—or at least pretending to be so. When I was in BCT (Basic Combat Training), the weekends usually consisted of G.I. parties, trash pickup details, cutting grass, etc. Basically, any work that the Drill Instructors could find—except for those who went to church on Sunday. On Sunday morning right after formation, you’d be separated into two groups; those going to church, and those who weren’t. For those of us who weren’t going to church, we’d usually have some mops, brooms, lawnmowers, etc. waiting for us. If you went to church, you got out of about 3-4 hours of ass-busting manual labor. It’s funny how the chain of command didn’t see anything unfair about this. They also didn’t see anything unfair when a request that a few of us non-believers made to have our own “church” session on Sunday mornings was denied. The official reason was that we needed a chaplain; since we didn’t have one, our only other option was to participate in what was available. They reinforced this position with the logic that, since they didn’t have Catholic, Episcopalian, Methodist, Buddhist, or Jewish chaplains available either, and none of the adherents of those faiths complained about having to attend a [supposedly] non-denominational church service, why should we get special treatment? The flaws in this logic with respect to us non-believers should be immediately obvious.

Rewards for being religious weren’t just limited to boot camp either. Every month or so, our unit (along with other units) would sponsor an event called “A Duty Day With God” where, all you had to do was attend a 1 hour “meeting” in the morning with the chaplain and you’d get the rest of the day off—most of the time, they’d plan a trip to a theme park or some other recreational activity; 100% free to the participants. And if you didn’t attend? Well, I long suspected that this was just a sneaky way of sorting out the “bad apples” but I digress. If you didn’t attend, you had to go to work just like any other day (…and pick up the slack left by the others who weren’t there).

And then there were the Chaplains with their camouflage bibles… the Brits and Aussies whom I served with in Iraq were relentless in their ridicule when it came to the habit that the U.S. Army had adopted, of opening and closing Battle Update Briefs (BUBs) with a [Christian] prayer. Oh sure, it was a non-denominational prayer… so long as your denomination recognizes Jesus Christ as its personal lord and savior. This, combined with the utter disrespect directed towards Muslims—by referring to them as “Hajis”, or calling them “Haji” instead of their names—by many of my fellow service members (sometimes candidly; other times, not so much) made it painfully clear that there were many who believed that we were Christian soldiers fighting in a Christian crusade. The use of the word “crusade” by then President Bush, only cemented this idea in the minds of the faithful. The idea that this was a crusade was now beyond criticism because it was endorsed by our president.

Meanwhile for the nonbelievers in the Army, the walls began closing in. After 9/11, I noticed a surge in the level of religiosity of my fellow service members, and the level of religious discrimination increased as well. Our unit started having “Chaplain’s Runs”. This consisted of troops running in formation with the chaplain in front, leading the formation. The chaplain had his own guidon too, with a great big ‘ol cross right in the middle; which was carried throughout the duration. The runs were mandatory and they were opened and/or closed with a prayer. I once had a chaplain call on me to lead the closing prayer… I suspect that this was due to my reputation (it wasn’t a secret that I was a non-believer). He couldn’t compel me to lead the prayer however; I refused (in front of the entire unit). This was just another form of harassment. There were many times, when good-intentioned Christians approached me, wanting to talk about my faith, God, Jesus, etc. And many times I had to tell them that I wasn’t interested—and most of the time I had to remind them that my position hasn’t changed since the last time I told them I wasn’t interested. The kind of reputation I had wasn’t the kind that you’d want while serving in this Army; I was pretty much considered “fair game”. I saw this very thing happen to a few other people too.

So much for the separation of church and State. The U.S. Armed forces are government entities, so this mix of religion and government is illegal, yet, when trying to argue this with your average uneducated soldier, you’ll usually run into the response “But America is a Christian Nation!”. At that point you just need to walk away… I rarely did this though, and it only caused me stress.

The purpose of this post is to inform anyone who reads it that the Army has a serious problem—it has been taken over by extremists. Overzealous Evangelicals and Dominionists who believe the literal word of the Bible—but they have no problem with picking and choosing which passages to follow and which to ignore either. Any part of the Bible that supports their goals is taken at its word while other parts might as well not exist. This mentality isn’t limited to just the enlisted ranks or just the commissioned ranks—it’s everywhere. From the lowest ranking private, to the highest ranking officer, you can see its influence; you don’t even have to look very hard.

In closing, I’d just like to say that I’m proud of my service. I had plenty of good times, plenty of bad times, and many, many weird moments that seemed to defy all logic, throughout my service from 1998 – 2004. I’m just hoping that the Army can rid itself of the fundamentalists who have infiltrated its ranks. We claim to be fighting against extremists in our “War on Terror”, but if we are to be successful in defeating extremism elsewhere, we need to defeat it within ourselves. There is no difference between extremists killing in the name of Jesus and extremists killing in the name of Allah.

Further Reading (in no particular order):

http://www.harpers.org/archive/2009/05/0082488 **added 4/12/2011**

http://donklephant.com/2009/05/04/why-religion-and-military-dont-mix/

http://english.aljazeera.net/news/asia/2009/05/2009542250178146.html

http://www.nytimes.com/2008/04/26/us/26atheist.html

http://www.haleyassoc.com/mrffboard/viewtopic.php?p=376&sid=6909b77832f1e4e8011b378d460b931a

http://pluralism.org/research/profiles/display.php?profile=73495

R.I.P. Larry E. Hudson — January 16, 1960 – April 22, 2009

I believe that this picture is symbolic of who you were; a hard worker and a highly skilled craftsman—among the best actually. (And I’m not just saying that out of bias). Standing there in your overalls, working on an unfinished house, and of course, smoking a cigarette. You’ll always be present in our memories and in our hearts, but we will miss you greatly, dad.