Do signed certificates from public certificate authorities add any value for Always Encrypted?

Problem

If I create Always Encrypted columns in Microsoft SQL Server from the SSMS GUI, it makes a self-signed certificate. Is there any value in making a CSR and paying a certificate authority (or using letsencrypt.org) to make a certificate? Does that chain of trust add any value in this case?

Solution

Certs from trusted CAs (like VeriSign) are used when you need a certificate that must be able to prove its issuer, purpose, validity, etc. Certs for data encryption like Always Encrypted typically do not require such proof, since your certs typically don't float beyond your org. I don't know of any use case where you would benefit from using a 3rd-party CA cert in an AE deployment. Even when you have strict management/rotation policies, I can't think of any common policy that you can't implement using a corporate-issued cert or even a self-signed cert (though the latter will involve a bit more manual work).

Context

StackExchange Database Administrators Q#138413, answer score: 3