SSL Certificate & Availability Group Question

Hello-

I have the below SSL AG question:

I have the 4 servers below and would like to confirm whether my thought is correct: ordering 4 separate SSL certificates *with each separate SQL instance name*, or ordering 1 with only the AG name and importing that SSL certificate to each individual SQL instance.

AGSQLPROD_AG (AG Name)

- SQLPRODServer1 (Primary)
- SQLPRODServer2 (Secondary)
- SQLPRODServer1DR (DR Site)
- SQLPRODServer2DR (DR Site)

My thought is that since the AG listener will fail over to any of the nodes below, the DNS should take care of any connection issues, therefore I should not create any SSL certificates with the AG name and instead create 4 SSL certificates with the physical SQL instance names.

Is my thought correct: ordering 4 separate SSL certificates using the SQL instance names and NOT the AG name?

Any input is greatly appreciated!

Thanks

2 Replies

@Mike_Miller1535

Hi, Craig.

It's been a very long time since I've set up AlwaysOn, but from memory, I chose a different route for the certificate.

I used a single certificate using the following configuration:

Subject name
  • Availability group FQDN
SAN
  • Availability group FQDN
  • The FQDN of every member

So, for example, if I have an Availability Group FQDN of "sqlag.robertsonpayne.com" with three members (sql01.robertsonpayne.com to sql03.robertsonpayne.com) then the certificate request would feature:

Subject name
  • sqlag.robertsonpayne.com
SAN
  • sqlag.robertsonpayne.com
  • sql01.robertsonpayne.com
  • sql02.robertsonpayne.com
  • sql03.robertsonpayne.com

This is a pretty standard configuration for a certificate and made the ongoing administrative overhead (technical and financial) a little easier to keep on top of.

Cheers,

Lain
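
An added example, not part of the thread: a simplified model of client hostname validation that compares the two layouts discussed, one certificate per instance versus a single certificate whose SAN lists the listener and every member. It reuses the names from the reply above and assumes clients validate the server certificate against the name in their connection string; the matching function is an RFC 6125-style approximation, not SQL Server's or any driver's own code.

```python
# Added example: a simplified model of client-side hostname validation.
# Names are the ones used in the reply above; the layouts are the two discussed.
LISTENER = "sqlag.robertsonpayne.com"
REPLICAS = [f"sql0{i}.robertsonpayne.com" for i in (1, 2, 3)]


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, label by label,
    with '*' accepted only as the entire left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # also rejects short names such as "sqlag"
    if pattern[0] == "*":
        return len(host) > 2 and host[1:] == pattern[1:]
    return host == pattern


def uncovered(certs_by_replica, extra_names=()):
    """List (replica, name) pairs whose certificate lacks the name a client used.

    Assumption: a client reaches a replica by that replica's own FQDN, or by
    the listener name whenever that replica holds the primary role, so every
    replica's certificate must cover both.
    """
    failures = []
    for replica, sans in certs_by_replica.items():
        for name in (replica, LISTENER, *extra_names):
            if not any(san_matches(name, san) for san in sans):
                failures.append((replica, name))
    return failures


# Layout from the question: one certificate per instance, instance name only.
PER_INSTANCE = {r: [r] for r in REPLICAS}
# Layout from the reply: one certificate, listener plus every member in the SAN.
SHARED_SAN = {r: [LISTENER, *REPLICAS] for r in REPLICAS}

if __name__ == "__main__":
    for label, layout in (("per-instance", PER_INSTANCE), ("shared SAN", SHARED_SAN)):
        gaps = uncovered(layout)
        print(f"{label}: {len(gaps)} uncovered name(s)")
        for replica, name in gaps:
            print(f"  {replica} does not cover {name}")
```

Passing `extra_names` (for example a short, non-FQDN listener name that applications use) shows whether the SAN list also needs that form.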

Thanks, Lain, for the feedback, much appreciated!