SQL Server Support Blog

SQL2019 certificate import error "selected certificate name does not match FQDN of this hostname"

YueJ_7
Microsoft
Jul 29, 2020

Recently, I tried to use the SQL Server 2019 certificate import feature in SQL Server Configuration Manager. However, when I imported from a .pfx file, it reported the following errors at the last step:

Errors or Warnings for certificate:C:\Users\Administrator.CONTOSO\Desktop\certtest.pfx

-----------------------

            The selected certificate is a self signed certificate. Proceeding with this certificate isn't advised

Error:

            The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server

            Certificate name: Contoso-DC-CA

            Computer name: Node1.Contoso.lab

Error:

            The selected certificate  does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate.

Import error: 0x2, Windows Native Error: 0x80092004

The selected certificate does not contain server authentication key usage property. This property required to import certificate to SQL Server.


Actually, I had configured the CN to be the same as my node FQDN, and 'Contoso-DC-CA' was the issuer's name. Below is the result of running the CheckSQLSSL tool:

Store: Local Machine - Personal (CERT_SYSTEM_STORE_LOCAL_MACHINE)

**************************************

    > CERT =>Node1.Contoso.Lab

    >

OK  > Subject name: Node1.Contoso.Lab

      FQDN:         Node1.Contoso.lab

OK  > AT_KEYEXCHANGE is set

OK  > Time stamp is valid

OK  > Server Authentication 1.3.6.1.5.5.7.3.1

OK  > Friendly name: Node1.Contoso.Lab


That was strange, so I began to look at where the certificate name comes from in the code. After debugging, I found that by the time the certificate object is initialized, the certificate name is already the issuer's name:

    [+0x224] m_strCertname    : 0x8054f88 : "Contoso-DC-CA" [Type: wchar_t *]

    [+0x228] m_bProcessedSans : 0 [Type: int]

So what makes it pick up the issuer's name? After going through the certificate generation process again, I found the cause was an option used during certificate export. When you export a certificate to a file, "Include all certificates in the certification path if possible" is checked by default. If it is checked, the exported file includes the whole certificate chain; the root certificate's CN is the CA's name, which is why the certificate name was always shown as the CA's name.


This option is easy to overlook because it is the default, so you may forget to uncheck it. How did I find it? I imported the same .pfx file again in certmgr.msc and saw that 2 certificates were imported: one was the root certificate and one was the certificate I had requested.


So the solution is easy: just uncheck that option and export the .pfx file again, and the import will succeed 🙂
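The following PowerShell script is an added example, not code from the original post or from Microsoft. It shows how to check a .pfx before handing it to SQL Server Configuration Manager: whether the file also carries chain certificates (the cause described above), whether the end-entity certificate's subject matches this host's FQDN, whether it has the Server Authentication EKU, and what KeySpec its key has. It then re-exports only the end-entity certificate, which is the scripted equivalent of unchecking "Include all certificates in the certification path if possible". It assumes the PKI module cmdlets Get-PfxData and Export-PfxCertificate are available (Windows 8 / Server 2012 and later); the $PfxPath and $OutPath values are assumed placeholders based on the path in the post, and the KeySpec check only applies to keys held in a legacy CSP container.

```powershell
# Added example, not part of the original post: inspect a .pfx the way SQL Server
# Configuration Manager will see it, then re-export the end-entity certificate alone.
# Requires the PKI module (Get-PfxData / Export-PfxCertificate) on Windows.
# $PfxPath and $OutPath are assumed placeholder paths; adjust them to your environment.
param(
    [string]$PfxPath = 'C:\Users\Administrator.CONTOSO\Desktop\certtest.pfx',
    [string]$OutPath = 'C:\Users\Administrator.CONTOSO\Desktop\certtest-leafonly.pfx'
)

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Get-PfxData separates the certificate(s) that carry a private key from any chain
# certificates that the "Include all certificates in the certification path" option bundled in.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pfxPassword

Write-Host "End-entity certificates in file: $($pfx.EndEntityCertificates.Count)"
Write-Host "Chain certificates in file     : $($pfx.OtherCertificates.Count)"
foreach ($chainCert in $pfx.OtherCertificates) {
    Write-Host "  bundled chain cert: $($chainCert.Subject)"
}
if ($pfx.OtherCertificates.Count -gt 0) {
    Write-Warning 'The file carries a certificate chain; the CA certificate may be read instead of the server certificate.'
}

foreach ($cert in $pfx.EndEntityCertificates) {
    Write-Host "`nEnd-entity certificate: $($cert.Subject)"

    # 1. The subject CN (or a SAN DNS name) must match this host's FQDN; the comparison is case-insensitive,
    #    which is why Node1.Contoso.Lab vs Node1.Contoso.lab passes in the CheckSQLSSL output above.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }
    $nameOk = ($cn -ieq $fqdn) -or ($sanText -match [regex]::Escape($fqdn))
    $verdict = if ($nameOk) { 'matches' } else { 'does NOT match' }
    Write-Host ("  Subject CN '{0}' {1} FQDN '{2}' (SAN: {3})" -f $cn, $verdict, $fqdn, $sanText)

    # 2. Extended Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
    $serverAuth = ($null -ne $ekuExt) -and ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
    Write-Host "  Server Authentication EKU present: $serverAuth"

    # 3. KeySpec must be AT_KEYEXCHANGE. KeyNumber is only exposed for legacy CSP keys;
    #    a CNG key has no CSP container info, so it is reported as unknown here.
    $keySpec = 'unknown (not a legacy CSP key)'
    try {
        if ($cert.HasPrivateKey -and $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber   # 'Exchange' == AT_KEYEXCHANGE
        }
    } catch { }
    Write-Host "  KeySpec: $keySpec (SQL Server requires 'Exchange')"
}

# Re-export only the end-entity certificate(s), leaving the chain out. This is the scripted
# equivalent of unchecking "Include all certificates in the certification path if possible".
Export-PfxCertificate -PFXData $pfx -FilePath $OutPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null
Write-Host "`nWrote chain-free PFX to $OutPath"
```

Run it in an elevated PowerShell session on the SQL Server node, then import the file written to $OutPath. If the report shows one or more chain certificates, that is the situation from this post; if the end-entity certificate itself fails the name, EKU or KeySpec check, the certificate must be reissued rather than re-exported.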


2 Comments

  • How could it be possible to have the certificate name the same as the computer name if you try to import the same certificate on the nodes of the cluster, using the import option of SQL Server Configuration Manager 2019? I use the AO listener FQDN as CN and in the alternative DNS, I type the name of the cluster nodes but still SQL Server Configuration Manager 2019 complains with these errors:


    Error:
    The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server
    Error:
    The selected certificate does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate.

  • Scott Mickelson
    Copper Contributor

    Why are we only able to use SHA256 with self-signed, but have to use SHA1 when rolling a CA Cert? We're still forced into using Legacy CSP in 2021.