Why I am not able to restore TDE DB to Azure SQL MI?


Hello,

 

I am running into an issue regarding restoring a TDE database and I just keep getting the "thumbprint not found error". I don't know what's causing it. Here are some details. I'm hoping someone can help me.

  1. I have many TDE databases running in an instance of SQL Server.

  2. TDE certificate expired

  3. Created a new TDE Cert with future expiry date

  4. Backed up the new TDE Cert

  5. Rotated two DBs to use the new TDE Cert

  6. Ran BACKUP DATABASE ph*** (the one starts with ph)

  7. Uploaded the new TDE Cert to Azure

 

See attached screenshots as a reference. First screenshot shows the TDE certs I have on my server (one expired and one new). Second screenshot shows three databases, with two rotated to use the new cert, and their thumbprints. Third screenshot shows the error when I tried to restore the TDE database using the new cert. The thumbprint it complains about is actually the old expired TDE cert. You can clearly see from the screenshot that the database name starting with "ph" has a new thumbprint and that thumbprint starts with "0x4733". The expired TDE starts with "0x90D". Here's my question: why is it still looking for the old thumbprint when I tried to restore it in Azure? If I create a brand new database on the server, enable TDE to use the new cert, do a backup, take this backup to Azure and restore it, it works PERFECTLY!!

Can someone explain what I'm doing wrong and how to fix it?

 

Thank you

 

1 Reply

Anyone? Looking for some help ...
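
A way to gather the thumbprints discussed in the question as text rather than screenshots, as an added example that is not part of the original thread. It runs on the source SQL Server instance and uses only built-in catalog views and `RESTORE FILELISTONLY`; the backup path is a placeholder and must be replaced.

```sql
-- Added example (not from the original post). Run on the source SQL Server.
USE master;

-- 1. Server certificates: thumbprint, expiry, and when the private key
--    was last backed up (NULL means it has never been exported).
SELECT c.name,
       c.thumbprint,
       c.expiry_date,
       c.pvt_key_last_backup_date
FROM sys.certificates AS c
WHERE c.name NOT LIKE N'##%'          -- skip internal system certificates
ORDER BY c.expiry_date;

-- 2. Which certificate currently protects each database encryption key.
--    LEFT JOIN keeps rows (for example tempdb) whose thumbprint matches
--    no certificate in master.
SELECT d.name                 AS database_name,
       dek.encryption_state,
       dek.encryptor_type,
       dek.encryptor_thumbprint,
       c.name                 AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d
  ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c
  ON c.thumbprint = dek.encryptor_thumbprint
ORDER BY d.name;

-- 3. Thumbprint recorded inside the backup file itself: see the
--    TDEThumbprint column, reported per data and log file.
--    The path below is a placeholder, not a value from the post.
RESTORE FILELISTONLY
FROM DISK = N'<path-to-backup-file>.bak';
```

The `TDEThumbprint` values from step 3 can be compared directly with the thumbprint named in the restore error and with the certificates listed in step 1.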