Forum Discussion
SQLSyd (Copper Contributor)
May 08, 2024
SSL configuration for SQL AG setup having 4 replicas and two listeners
Good Morning Team,
Can you please guide me on SSL setup with a SQL AG listener? We have a platform with 4 AG replicas and one listener, with 3 DBs that are part of the AG group. There is a request to add another DB to the server, which needs SSL encryption.
Can we create and configure an SSL certificate on the existing replicas and listener, choose the option "No forced encryption", and only update the client-side config file to use encryption for the new database? Or will updating the certificate at instance level make all connections encrypted for the existing DBs on the existing listener as well?
4 Replies
- SivertSolem (Iron Contributor)
Applying a certificate without "Force Encryption" will let the client decide whether it wants to use encryption or not.
Which means you may start finding encrypted connections to the existing databases as well.
- SQLSyd (Copper Contributor)
SivertSolem Thank you.
Does it mean that, with the new certificate imported to SQL and no force encryption, a new client can connect with encryption in the connection string and an old client can connect without encryption as normal, without any change in the connection string?
- SivertSolem (Iron Contributor)
Yes, though I'd recommend you test it yourself.
As described in scenario 2 in this article, where you have not checked the "force encryption" option, only the clients which require encryption need to be configured for it.
No action is performed on the clients that do not need to use a secure channel.
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/special-cases-for-encrypting-connections-sql-server?view=sql-server-ver16#use-a-certificate-issued-by-an-internal-ca-or-created-by-using-new-selfsignedcertificate-or-makecert
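
One way to run the test suggested in the replies above, as an added example that is not part of the original thread: after installing the certificate with Force Encryption off, this query lists which current user connections actually negotiated encryption, grouped by database and client. It uses only the standard `sys.dm_exec_connections` and `sys.dm_exec_sessions` views and assumes the login has VIEW SERVER STATE.

```sql
-- Added example: run on each replica that accepts client connections
-- (the primary and any readable secondaries behind the listener).
SELECT
    DB_NAME(s.database_id)  AS database_name,   -- current database of the session
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option,                           -- 'TRUE' when the connection is encrypted
    COUNT(*)                AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1                     -- skip system sessions
  AND c.parent_connection_id IS NULL            -- count physical connections only (ignore MARS children)
GROUP BY
    DB_NAME(s.database_id),
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option
ORDER BY
    database_name,
    c.encrypt_option;
```

Rows with `encrypt_option = 'FALSE'` for the new database point to clients whose connection string has not yet been updated to request encryption.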