SQL Server Support Blog
Changes to hashing algorithm for self-signed certificate in SQL Server 2017

Venu Cherukupalli
Jan 16, 2019
First published on MSDN on Nov 08, 2017
Starting with SQL Server 2005, a self-signed certificate is created automatically during startup to be used for channel encryption. By default, the credentials in the login packet transmitted when a client application connects to SQL Server are always encrypted using this certificate if no certificate has been explicitly provisioned for SSL/TLS. Optionally, the self-signed certificate can also be used to encrypt the whole channel. SSL/TLS connections encrypted with a self-signed certificate do not provide strong security, so it is strongly recommended that a certificate obtained from a trusted certification authority be used.

Until SQL Server 2016, the self-signed certificate was created using the SHA1 algorithm. However, SHA1 and many older algorithms have been deprecated beginning with SQL Server 2016. Refer to this Books Online article for more information.

Beginning with SQL Server 2017, the self-signed certificate uses the SHA256 algorithm, which is more secure than SHA1. That said, we still recommend using a certificate obtained from a trusted certification authority for channel encryption.
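The practical check that follows from this post is whether the certificate you provision for SQL Server is still SHA1-signed. The added example below is not from the original post or from Microsoft: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate (for instance a .cer file exported from the Windows certificate store) with a small pure-Python DER walker, and flags SHA1. The two sample certificates in it are constructed stand-ins with a minimal TBSCertificate, not real SQL Server certificates.

```python
# OID -> name for the two signature algorithms this post contrasts
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _read_tlv(data, pos):
    """Decode one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert DER OID content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected an OID"
    return _decode_oid(oid)

def is_sha1_signed(cert_der):
    """True when the certificate is signed with SHA1 (deprecated since SQL Server 2016)."""
    return SIG_ALG_NAMES.get(signature_algorithm(cert_der), "").startswith("sha1")

def check_file(path):
    """Read a DER .cer file; return (algorithm name or raw OID, SHA1 flag)."""
    cert = open(path, "rb").read()
    oid = signature_algorithm(cert)
    return SIG_ALG_NAMES.get(oid, oid), is_sha1_signed(cert)
# Constructed stand-in certificates (hypothetical): minimal TBS, chosen algorithm, dummy signature.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content           # short-form lengths suffice here
def _sample_cert(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                 # SEQUENCE { serialNumber 1 }
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))   # OID + NULL parameters
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))      # + BIT STRING signature
SHA1_CERT = _sample_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_CERT = _sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

Call check_file on an exported DER certificate to see its signature algorithm; the self-generated certificate itself lives only in the server's memory, so this check applies to certificates you provision.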
Updated Jan 16, 2019
Version 2.0
  • Scott Mickelson (Copper Contributor):

    Why are we only able to use SHA256 with self-signed, but have to use SHA1 when rolling a CA Cert? We're still forced into using Legacy CSP in 2021.