We had a customer report that they were unable to use their certificate in SQL Server even after they did the conversion. They got errors like the following:
Msg 15297, Level 16, State 56, Line 1 The certificate, asymmetric key, or private key data is invalid.
Msg 15474, Level 16, State 6, Line 8 Invalid private key. The private key does not match the public key of the certificate.
After some digging and debugging, we found the cause: the serial number of their certificate was too long. SQL Server currently accepts certificate serial numbers of at most 16 bytes, but the customer's certificate had a 19-byte serial number. Note that this is stricter than X.509 itself: RFC 5280 allows serial numbers of up to 20 octets, so a certificate can be perfectly valid and still be rejected by SQL Server for this reason.
You can check your certificate's serial number with the certutil.exe -dump option, or open the certificate in Certificate Manager (certmgr.msc) and look at the Serial number field on the Details tab. Each pair of hex digits is one byte, so 32 hex digits means a 16-byte serial number, which is what the example below shows: exactly 16 bytes.
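If you would rather check a batch of certificates from a script than click through certmgr.msc on each one, the following Python script does the same check without any third-party library. It is an added example, not code from the original post: it walks the DER encoding of the certificate far enough to read tbsCertificate.serialNumber and compares its length with the 16-byte limit described above. The limit constant, the file-argument convention and the constructed certificate skeleton used for the offline demonstration are assumptions of this example, not anything the post or SQL Server documents.

```python
"""Report the byte length of an X.509 certificate's serial number.

Added example, not code from the original post: a dependency-free DER walk
that reads tbsCertificate.serialNumber and checks it against the 16-byte
limit described above. The constant and the sample skeleton are assumptions.
"""
import base64
import re
import sys

SQL_SERVER_MAX_SERIAL_BYTES = 16   # limit stated in the post (RFC 5280 itself allows 20)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, content, next_pos).

    Handles the short form (length < 128) and the long form (0x80|N, then N bytes).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + content


def pem_to_der(data):
    """Return DER bytes, decoding the base64 body if the input is PEM armored."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]*-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def certificate_serial(der):
    """Return the content octets of tbsCertificate.serialNumber.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    OPTIONAL, serialNumber INTEGER, ... }, ... }. Nothing past the serial is read.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a DER or PEM certificate?)")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # version [0] is present: move on to serialNumber
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return value


def check_serial(der):
    """Summarize the serial number and compare it with the SQL Server limit.

    DER prefixes a positive INTEGER whose top bit is set with a 0x00 byte, so
    the encoded length can be one more than the significant bytes. The post
    does not say which count SQL Server applies, so the check is conservative
    and flags the encoded length.
    """
    serial = certificate_serial(der)
    significant = serial.lstrip(b"\x00") or b"\x00"
    return {
        "serial_hex": serial.hex(),
        "encoded_length": len(serial),
        "significant_length": len(significant),
        "sql_server_ok": len(serial) <= SQL_SERVER_MAX_SERIAL_BYTES,
    }


def sample_certificate(serial):
    """Constructed DER skeleton for the demo: only version and serialNumber are
    real; the filler just gives the parser long-form lengths to deal with.
    It is NOT a valid, signed certificate."""
    version = _der(0xA0, _der(0x02, b"\x02"))       # version [0] EXPLICIT INTEGER 2 (v3)
    filler = _der(0x04, b"\x00" * 300)               # stands in for the remaining fields
    tbs = _der(0x30, version + _der(0x02, serial) + filler)
    return _der(0x30, tbs)


if __name__ == "__main__":
    if len(sys.argv) > 1:                            # usage: python serial_check.py cert.cer [...]
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, check_serial(pem_to_der(f.read())))
    else:                                            # no file given: run on constructed samples
        for sample in (bytes(range(1, 17)), bytes(range(1, 20))):
            print(check_serial(sample_certificate(sample)))
```

Run it against the exported .cer files before attempting CREATE CERTIFICATE in SQL Server; any certificate reported with sql_server_ok False will fail with the errors above regardless of how well the private key was converted.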
So why did the customer's certificate have a 19-byte serial number? They told me it was issued by a Microsoft certification authority (Certificate Services).
It turns out that you do have some control over the serial number through the HighSerial registry value, documented in "Custom CA Configuration". If you set it to 0 (certutil -setreg ca\highserial 0), the CA will generate 10-byte serial numbers for certificates issued from then on, once you have made the change and restarted the certificate service. The setting has no effect on certificates that were already issued, so a certificate that SQL Server has already rejected has to be reissued after the change. The document describes other values for this setting that let you control both the length and the content of the serial numbers your CA produces.