Database Administrators

Q&A for database professionals who wish to improve their database skills

Latest Questions

3 votes
1 answers
851 views
MySQL 5.7 enforce SSL
I'm using MySQL 5.7 and I want to set up SSL to force the client to use a cert. This cert is a self-signed cert that I generate. I have the cert for both server and client being:
- CA
- cert
- key

Where the CA has the cert for server and client. I then configured the config file (mysqld.conf) to use the cert:
[mysqld]
ssl
ssl-ca=/database/mysql/ssl/ca-cert.pem
ssl-cert=/database/mysql/ssl/master-public.pem
ssl-key=/database/mysql/ssl/master-private.pem
And run the command to enforce it:
GRANT ALL PRIVILEGES ON database TO 'user'@'192.168.10.10' IDENTIFIED BY 'password' REQUIRE SSL;
I can see SSL is enabled and it's picking up the right files running the command:
SHOW VARIABLES LIKE '%ssl%';
However, from the client machine (192.168.10.10 in this example) I can connect via command line without specifying any cert and it just connects. I can see the connection is using SSL with:
mysql> \s
SSL: Cipher in use is DHE-RSA-AES256-SHA
But the idea is to allow the connection only if I use the certs. Is there a way to enforce it to make sure it won't connect without specifying the cert? So I can configure the application to use it and make sure other applications wouldn't access it.
Adonist (131 rep)
Jul 10, 2017, 04:34 PM • Last activity: Aug 6, 2025, 06:05 PM
0 votes
1 answers
3686 views
Unable to load user-specified certificate in event log although SSL certificate is installed
> Unable to load user-specified certificate [Cert Hash(sha1) "SOMERANDOMHASH"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.

I am getting this error even though it's installed. https://support.dh2i.com/docs/kbs/dxenterprise/configure-ssl-certificates-for-microsoft-sql-server-with-dxenterprise/ I even followed both methods to install it, one through pfx and the other with snap-in, and then modified the regedit entry before restarting MSSQL through the SQL Server Configuration Manager, but it won't restart. Is there a reason for this and are there ways to investigate what's going on? I installed on production, but it doesn't work on the staging environment.
user253549
Mar 10, 2022, 08:55 PM • Last activity: Aug 2, 2025, 02:03 PM
1 votes
1 answers
183 views
Is it possible to login to an Oracle schema using a certificate?
The question is based on having to deal with lots of automated processing (testing, mostly). As it stands, all the schemas used have the same well known password, which is stored in lots of configuration files, which is bad from a security perspective. Using encrypted passwords does not really cut it. So the question is: Does Oracle DB allow the use of client certificates for authentication?
stmoebius (197 rep)
Jan 11, 2019, 02:05 PM • Last activity: Jul 8, 2025, 11:07 AM
0 votes
1 answers
360 views
SQL Certificate
Recently, I was asked to apply SSL certs to SQL. After a bit of research, I found an article to add the server cert to SQL using the SQL Server Configuration Manager. When the server cert expires, our PKI admin has it auto update within the system via a PowerShell script. Our server certs are generated via MS CA and the name of the cert remains consistent, e.g. Server1.domain.crt, which I use in the SQL cert settings. My question: when the cert expires and is replaced, will it also be reflected in SQL? If not, is there a way to automate updating to the new cert?
AnthonyPoirrier (1 rep)
May 7, 2024, 06:50 PM • Last activity: May 26, 2025, 03:33 AM
1 votes
1 answers
3386 views
No connection possible after TrustServerCertificate=True => The certificate chain was issued by an authority that is not trusted
I have a machine which could connect to an MS SQL Server in the past. I have SSMS installed and the connection was possible when I activated the TrustServerCertificate checkbox in SSMS. I could connect and see databases and tables and execute statements etc. Later I tried to scaffold models with Entity Framework with the command:
dotnet ef dbcontext scaffold "Server=xxx;Database=yyy;User Id=zzz;Password=abcd;TrustServerCertificate=true;" Microsoft.EntityFrameworkCore.SqlServer --table xxx.yyy
There was a prompt which said I could create or install (I can't remember which it was) a certificate. I accepted the prompt and after that the connection is not possible anymore. Even with SSMS the connection is not possible anymore. I think Entity Framework or the machine has created a certificate and now the connection is not possible because the created certificate is not trusted by the SQL Server. How do I get the connection working again? If I try to connect via SSMS I get the message:

> Cannot connect to xxx.
>
> ------------------------------
> ADDITIONAL INFORMATION:
>
> A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.) (Microsoft SQL Server, Error: -2146893019)
>
> For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver--2146893019-database-engine-error
>
> ------------------------------
>
> The certificate chain was issued by an authority that is not trusted
>
> ------------------------------

If I activate trust server certificate the following message is shown:

> Cannot connect to xxx.
>
> ------------------------------
> ADDITIONAL INFORMATION:
>
> Login failed for user 'zzz'. (Microsoft SQL Server, Error: 18456)
>
> For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-18456-database-engine-error

How can I remove this certificate? Where is it stored on the machine? How can I connect again? I have no access to the remote SQL Server. I did not find any certificate in "computer certificates" or "user certificates" on the Windows machine which may be indicating that this was the created certificate. There are so many installed certificates on this machine. Thanks in advance
Sebastian Siemens (111 rep)
Aug 31, 2023, 10:53 AM • Last activity: May 9, 2025, 09:01 PM
5 votes
2 answers
22455 views
The certificate, asymmetric key, or private key file is not valid or does not exist
I'm trying to perform a restore of a database from a different server onto my localhost server. That database is encrypted (the bak file), so I have to decrypt it. That's fine, I have all the cert files and the password, but for some reason I'm still getting the following error:
The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.
This is the code I'm executing:
CREATE CERTIFICATE [Certificate1]
FROM FILE = 'C:\Location of the certs'
WITH PRIVATE KEY (
    FILE = 'C:\Location of the certs',
    DECRYPTION BY PASSWORD = 'password'
);
PS. I'm no expert at backups and restores.
Lucy (299 rep)
May 18, 2018, 09:46 AM • Last activity: Mar 31, 2025, 09:27 PM
1 votes
2 answers
3799 views
Unable to create a self signed Certificate for SQL Server 2017(14.x.xxxx)
Using SQL Server 2017 Developer Edition. The command I'm using is:

> New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName host.doman.com -KeySpec KeyExchange -FriendlyName SQLCert

The error message is:

> New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'KeySpec'.

My PowerShell version is:
PS C:\Windows\system32> $PSversionTable

Name                           Value
----                           -----
PSVersion                      4.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   6.3.9600.18773
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.2
Jr. dhh (17 rep)
Apr 26, 2018, 10:08 AM • Last activity: Mar 12, 2025, 06:07 PM
1 votes
2 answers
182 views
Self-signed certificate in SQL Server
I cannot find detailed information about the SQL Server self-signed certificate. I thought that the cert is generated with a new date every time a restart happens. ChatGPT told me that this certificate is only generated when installation happens. Is that true or is he hallucinating? Does anybody know whether it will be regenerated when it expires? And for what period is it issued? 10 years? How to check that information?

**EDIT:** Sorry, I wasn't clear enough. I'm not talking about certificates that are generated inside SQL Server. I'm talking about the certificate that is used to encrypt traffic between the client and the SQL server. If you don't set your own certificate in SQL Server Configuration Manager, then a self-signed one is used.
Wojciech Wejhan (11 rep)
Jan 8, 2025, 09:48 AM • Last activity: Jan 9, 2025, 07:02 AM
4 votes
2 answers
2882 views
SQL Server Profiler - Client unable to establish connection
Spanking brand-new installations of:
- Visual Studio 2022 Community (VS)
- SQL Server 2019 Dev (SQL)
- SQL Server Management Studio v18.10 (SSMS)

There are no other Visual Studio or SQL Server instances or installations. I can look at my local SQL instance using SSMS but not SQL Server Profiler. I am using Server Name "." and Windows Authentication in both cases. Profiler is being launched both in SSMS and directly launched (in administrative mode or not), with the same results:
SSL Provider: The certificate chain was issued by an authority that is not trusted.
SQL-related services are in these states (enabling SQL Server Browser has no effect): [screenshot]
"Trust server certificate" does not help. I suspect the provider is extremely sloppy about the root cause of this response. (Same system environment as https://stackoverflow.com/posts/70805318/)
David Rogers (41 rep)
Feb 5, 2022, 05:13 PM • Last activity: Dec 19, 2024, 05:32 PM
1 votes
2 answers
3065 views
MySQL Server Cannot Verify SSL Certificate
I'm trying to configure a mysql server for secure remote connections over TCP/IP using SSL. The server mysql runs on has a domain name associated with it which I have requested a certificate for from Letsencrypt. I have copied all the letsencrypt certificate files to /var/lib/mysql and changed user and group ownership to mysql so all the files are readable by mysql. I set up the SSL configuration as follows:
ssl_ca=chain.pem
ssl_cert=cert.pem
ssl_key=privkey.pem
require_secure_transport=1
My problem now is that mysql keeps saying it cannot verify the SSL certificate because it cannot get issuer certificate. The full error message:
[Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: unable to get issuer certificate
OS: Ubuntu 22.04.1 LTS
MySQL Version: 8.0.31-0ubuntu0.22.04.1 (version 8, basically)
I've tried using the following configuration and got the same result
ssl_ca=fullchain.pem
ssl_cert=fullchain.pem
ssl_key=privkey.pem
require_secure_transport=1
And
ssl_ca=fullchain.pem
ssl_cert=cert.pem
ssl_key=privkey.pem
require_secure_transport=1
I need help with getting rid of the error highlighted above. MySQL seems to work fine with its own self-signed certificate files though, only showing a warning that the CA certificate is self-signed when I use that.
meshachviktor (21 rep)
Nov 5, 2022, 07:32 PM • Last activity: Oct 12, 2024, 05:16 AM
2 votes
2 answers
1574 views
Is it possible to register two SSL certificates on SQLServer?
In SQLServer 2019, is there a way to install multiple SSL certificates in parallel? I have the following situation: The division the server belongs to was sold and therefore new DNS aliases were registered, everything that was called *.oldcompany.com now has also a new DNS alias *.newcompany.com. Our SQL-Server has now the following names, all pointing to the same server/instance:

| Old Company         | New Company         |
| ------------------- | ------------------- |
| app1.oldcompany.com | app1.newcompany.com |
| app2.oldcompany.com | app2.newcompany.com |
| app3.oldcompany.com | app3.newcompany.com |

So far that's straightforward, no issue there, let's request an SSL certificate that contains all these DNS names as Subject Alternative Name... but now comes the tricky bit: For the old names the old company is in charge, for the new names the new one, both having their own different CAs and certificate chain, so I end up with one certificate for the DNS aliases app1.oldcompany.com, app2.oldcompany.com and app3.oldcompany.com and another one for app1.newcompany.com, app2.newcompany.com and app3.newcompany.com. I managed to install the certificate of the new company using SQLServer 2019 Configuration Manager and if the connection string contains one of the new DNS aliases everything works fine, both options Encrypt=False or Encrypt=True can be used without the need for TrustServerCertificate=True, but if the connection string contains an old alias, Encrypt=True only works in conjunction with TrustServerCertificate=True. Is there a way to register both certificates?
Christoph (123 rep)
May 18, 2024, 06:02 PM • Last activity: May 19, 2024, 09:48 AM
2 votes
1 answers
1184 views
How do I generate the private key needed to restore the encrypted backup?
I'm simulating the situation where I take a backup from instance **A** and restore it on instance **B**. I followed the doc to [Backup to Disk with Encryption](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/create-an-encrypted-backup?view=sql-server-ver15#backup-to-disk-with-encryption). Since I'm using only my desktop to simulate the whole process, after taking the backup of the database I took a backup of the certificate that was used as follows:
BACKUP CERTIFICATE MyTestDBBackupEncryptCert TO FILE = N'C:\Databases\MyTestDBBackupEncryptCert.cert';
Then I dropped the MyTestDBBackupEncryptCert certificate and the database from my instance to simulate it is now instance **B**. I restored the certificate using the command from the [Creating a certificate from a file](https://learn.microsoft.com/en-us/sql/t-sql/statements/create-certificate-transact-sql?view=sql-server-ver15#b-creating-a-certificate-from-a-file) doc with a slight modification where I commented the lines related to the PRIVATE KEY and DECRYPTION options since the certificate was encrypted by the MASTER KEY (well, that's what I understood from the first link):
CREATE CERTIFICATE MyTestDBBackupEncryptCert
    FROM FILE = N'C:\Databases\MyTestDBBackupEncryptCert.cert'
    --WITH PRIVATE KEY (FILE = 'c:\Shipping\Certs\Shipping11.pvk',
    --DECRYPTION BY PASSWORD = 'sldkflk34et6gs%53#v00');
GO
The certificate was created, but when I try to restore the database, I get this error:

> Msg 15507, Level 16, State 30, Line 33
> A key required by this operation appears to be corrupted.
> Msg 3013, Level 16, State 1, Line 33
> RESTORE DATABASE is terminating abnormally.

The documentation doesn't say how to get the private key needed to properly restore the certificate. How do I get it from SQL Server?
Ronaldo (6017 rep)
Apr 22, 2022, 01:10 AM • Last activity: Apr 29, 2024, 05:57 PM
0 votes
1 answers
77 views
Does the client certificate need to be signed by the server certificate?
I am connecting to a GCP Cloud SQL instance using a client certificate issued by the GCP Cloud SQL service. When I created the client key-pair GCP Cloud SQL gave me three files: a server certificate, a client private key, and a client certificate. I was able to successfully connect using MySQL Workbench where I set the "SSL" setting to "Require and Verify CA". When I look at the server certificate it says the issuer and subject are, respectively,
dnQualifier = b35cbfcb-fc96-47d4-6536-1f0e3313eeaf, CN = Google Cloud SQL Server CA, O = "Google, Inc", C = US
dnQualifier = b35cbfcb-fc96-47d4-6536-1f0e3313eeaf, CN = Google Cloud SQL Server CA, O = "Google, Inc", C = US
When I look at the client certificate it says the issuer and subject are, respectively,
dnQualifier = 6772fe8a-0e7c-4803-7fc5-67dbeaaba89c, CN = Google Cloud SQL Client CA certdb, O = "Google, Inc", C = US
CN = certdb, O = "Google, Inc", C = US
I thought the client certificate had to be signed by the server certificate but clearly that is not the case. Can someone explain how the TLS connection works when the client certificate is not signed by the server certificate?
rlandster (375 rep)
Apr 5, 2024, 03:11 PM • Last activity: Apr 5, 2024, 04:14 PM
1 votes
1 answers
555 views
Module signing on a trigger which accesses system views. Base table is on a custom schema
Some background: Question is a follow-up of this question: https://dba.stackexchange.com/questions/135717/is-there-a-way-in-sql-server-to-make-a-table-only-able-to-insert-by-trigger/135725#135725 I'm trying to achieve what the answer to the original question above stated (i.e. Trigger on the trigger table to have access to DMVs):

> ** I do have mostly-complete example code (about 75% done) for a Trigger on the Audit table that would disallow updates from anything but code signed by the Certificate, but ran out of time to complete it. The concept is that a lock is taken on the Certificate during the process, and the lock entry includes the Certificate ID. You can verify that the Certificate ID is the desired Certificate and ROLLBACK if it isn't or no Certificate is used in the Transaction. The problem was that VIEW SERVER STATE is needed to use sys.dm_tran_locks. However, that is a fairly easy problem to solve as it can be granted via a Certificate-based Login, which can even be the same Certificate. In that case, the Certificate can be backed-up and restored into master for the purpose of creating the Login from it. Then just grant that Login the VIEW SERVER STATE permission, and finally sign the Trigger on the Audit table with that same Certificate (already in that DB as it was used to sign the Trigger on the base table).

The closest answer to the above problem can be found here by the same author: https://sqlquantumleap.com/2018/02/15/safely-and-easily-use-high-level-permissions-without-granting-them-to-anyone-server-level/ The difference is that my base table of the trigger is on another schema, not on .dbo as suggested in the original answer, and I suspect this might be the culprit. In the link to the website, eventually the login is not mapped to a db certificate user after the full setup but the steps for multiple schemas may (or may not) require the login to be mapped to a certificate db user and cannot be unchecked. Creating another certificate did not help either. Still the same error message:
The module being executed is not trusted. Either the owner of the database of the module needs to be granted authenticate permission, or the module needs to be digitally signed.
Have been struggling with it for the past few days so please do not vote for close and let me explain further if something is not clear. Code block to set up the second trigger on the trigger table (most of which provided from the links above thanks to Solomon Rutzky):
SET NOCOUNT, XACT_ABORT ON
CREATE CERTIFICATE Cert ENCRYPTION BY PASSWORD = 'StrongPa$$word' WITH SUBJECT = '"SUBJECT"'
GO
CREATE USER Cert_User FROM CERTIFICATE Cert
GO
CREATE SCHEMA [LogTrigger] AUTHORIZATION [Cert_User];
GO
EXEC(N'CREATE TRIGGER [LogTrigger].[AuditINSERT] ON [LogTrigger].[BaseTriggerTable] AFTER INSERT AS
SET NOCOUNT ON;
DECLARE @NetAddress NVARCHAR(50);
SELECT @NetAddress = conn.[client_net_address] FROM sys.dm_exec_connections conn WHERE conn.[session_id] = @@SPID;
PRINT ''Audited Net Address: '' + @NetAddress;
');
ADD SIGNATURE TO [LogTrigger].[AuditINSERT] BY CERTIFICATE [Cert] WITH PASSWORD = 'StrongPa$$word';
DECLARE @Cert NVARCHAR(4000) = CONVERT(NVARCHAR(4000), CERTENCODED(CERT_ID(N'Cert')), 1);
EXEC (N'USE [master]; CREATE CERTIFICATE [Cert] FROM BINARY = ' + @Cert);
EXEC (N'USE [master]; CREATE LOGIN [Cert_ViewServerState] FROM CERTIFICATE [Cert]; GRANT VIEW SERVER STATE TO [Cert_ViewServerState]; ');
Stackoverflowuser (1550 rep)
Feb 15, 2024, 11:15 AM • Last activity: Feb 16, 2024, 01:21 PM
3 votes
2 answers
1598 views
Is self signed cert the standard practice for SQL Server Always Encrypted?
We're implementing SQL Server Always Encrypted in our 2019 environment. We've done several successful POC's over the last few months, but in moving the solution to Prod, I was expecting to use a Public Trusted CA for the certificates. But now, combing back over approximately 10 AE tutorials on the web, including the official Microsoft instructions, I've noticed that using a Public Trusted CA is never even mentioned...ever...at all. There's even an article on here asking if using a Trusted CA cert even adds any benefit, and it's suggested that it does not. I'm trying to satisfy all of our security initiatives that are being rolled out company wide, so I guess I'm trying to find some sort of standard answer I can point to. I've been talking about how self signed certs are subject to man-in-the-middle attacks, but I think I'm beginning to realize this is only for SQL connections being made, and any data that flows through that connection (because in the tables the data is unencrypted, and the SSL encrypts it). But with AE, the data in the database is already simply an encrypted string. So does the nature of an Always Encrypted solution, if done where the self signed certs are never made or live on the same server that holds the data, preclude any MIM attacks? Is simply using self signed certs the accepted "standard" way of doing it? Thinking it through, I believe the answer is yes, but would just like some sort of "official" answer lol.
Emo (143 rep)
Feb 13, 2024, 03:18 PM • Last activity: Feb 14, 2024, 04:42 AM
2 votes
0 answers
239 views
How to use Custom Certificate for SQL Server Availability Group Endpoint Authentication
I am setting up a SQL Server Availability Group using the commands provided in the Microsoft documentation. The process involves creating a certificate, backing it up with the private key, and restoring it on all replicas for endpoint creation and authentication. However, I would like to use my custom self-signed certificate and private key for this purpose. I have generated my certificate and private key using openssl.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout root_ca.key -out root_ca.crt -subj "/CN=RootCA/O=MyOrganization"
Creating the certificate:
CREATE CERTIFICATE server_certificate
FROM FILE = '/var/opt/mssql/root_ca.crt'
WITH PRIVATE KEY (FILE = '/var/opt/mssql/root_ca.key');
When I attempt to use my certificate generated by OpenSSL, I encounter the error:

> The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.

What steps should I follow to successfully use my certificate in this scenario? Any insights or guidance on this matter would be greatly appreciated.
Neaj Morshad (53 rep)
Dec 18, 2023, 05:15 AM • Last activity: Dec 28, 2023, 12:14 PM
3 votes
2 answers
3406 views
Renew Certificate in Oracle Enterprise Cloud Control OMS Manager Console
Environment:
- Oracle Enterprise Manager Cloud Control 13.4
- OMS console with third party certificate
- Secured

My situation is the following:
1. I am new in this client and apparently the former DBA added a third party certificate in the OMS console, which is near to expire.
2. I've been reading the documentation but I can't find the keystore or the wallet associated to this certificate.

So far, I checked the following
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl status oms -details
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : hcbae2p01ora022.hcbe.corp
HTTP Console Port : 7788
HTTPS Console Port : 7803
HTTP Upload Port : 4889
HTTPS Upload Port : 4903
EM Instance Home : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
Console URL: https://hcbae2p01ora022.hcbe.corp:7803/em
Upload URL: https://hcbae2p01ora022.hcbe.corp:4903/empbs/upload
WLS Domain Information
Domain Name : GCDomain
Admin Server Host : hcbae2p01ora022.hcbe.corp
Admin Server HTTPS Port: 7102
Admin Server is RUNNING
Oracle Management Server Information
Managed Server Instance Name: EMGC_OMS1
Oracle Management Server Instance Host: hcbae2p01ora022.hcbe.corp
WebTier is Up
Oracle Management Server is Up
JVMD Engine is Up
BI Publisher Server Information
BI Publisher Managed Server Name: BIP
BI Publisher Server is Up
BI Publisher HTTP Managed Server Port : 9701
BI Publisher HTTPS Managed Server Port : 9803
BI Publisher HTTP OHS Port : 9788
BI Publisher HTTPS OHS Port : 9851
BI Publisher is locked.
BI Publisher Server named 'BIP' running at URL: https://hcbae2p01ora022.hcbe.corp:9851/xmlpserver/servlet/home
BI Publisher Server Logs: /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/
BI Publisher Log : /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log
As you can see from the information above, the console is secured in port 7803. I thought that the certificates should be stored in a wallet, but I can't find the wallet anywhere. Neither was I able to find any command in emctl or in emcli that can show me where this certificate is stored. What I know is that the certificate is there, as I used the secdiag option of emctl
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl secdiag openurl -url https://hcbae2p01ora022.hcbe.corp:7803/em
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Log file: /tmp/OpenPage_2023_02_21_13_45_115472876152891123503.log
Opening page: https://hcbae2p01ora022.hcbe.corp:7803/em
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set Using protocol: TLSv1 Negotiated protocol: TLSv1 Getting the certificate chain Details of cert# 1 in chain: Subject: EMAILADDRESS=xxxxxxx, CN=hcbae2p01ora022.hcbe.corp, OU=xxxxxxx, O=xxxxxxxxxx, L=xxxxxxxxxxxxxx, ST=xxxxxxxx, C=xx Issuer: CN=XXXXX CA, DC=cloud, DC=corp Valid from: Tue Mar 23 13:54:18 UTC 2021 Valid till: Thu Mar 23 13:54:18 UTC 2023 Serial#: 914345119400343461451536535824392411922746991 Public key: Sun RSA public key, 2048 bits modulus: 231855705770066152570314131577369954637603242446759578989206803754751294824351565914129743732110994827544588460966543883605976172129693569117661509357921588815183478850378089638600314229871995314771805178017341640817875936605315833364302707372595554647453833532393376815757155001416722179412428142624866504902792330046510191621551136336433918248638504659645288726326144907300691458403587891238454297424723893811783631933359920866785373444400398845738032568684675766778615996191586165668755883030522959798859689120112193205210100146390085495955132802650583693008692078856106184239283369895227655357520072938286 public exponent: 65537 Signature algorithm: SHA256withRSA Following headers are present in the response: Date : Tue, 21 Feb 2023 13:45:12 GMT Vary : Accept-Encoding Adf-Context-Id : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002 X-Frame-Options : sameorigin X-ORCL-EMOA : true X-ORACLE-DMS-RID : 0:3:1 X-Content-Type-Options : nosniff, nosniff X-XSS-Protection : 1; mode=block, 1; mode=block X-ORACLE-DMS-ECID : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002 Adf-View-Id : %2Flogon%2Fcore-uifwk-console-login Content-Type : text/html;charset=UTF-8 Cache-Control : no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Response saved at : /tmp/hcbae2p01ora022.hcbe.corp_7803_2023_02_21_13_45_134697786630783685089.html [oracle@hcbae2p01ora022 bin]$ As you can see above, the certificate that allows me to access by https to the OMS console is stored somehow in OMS. 
But I can't find where exactly. I have tried to check all wallets in the server, but I could not find anything. I'd like to know how can I update this certificate with a new one that I have already in my hands. Is there a way to identify whether this certificate was included using emctl secure createca ? if so, how can I update the certificate stored there ? **UPDATE** Thanks to @Balazs Papp, I was able to find the wallet used by the OMS Console [oracle@hcbae2p01ora022 console]$ pwd /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/console [oracle@hcbae2p01ora022 console]$ orapki wallet display -wallet pwd Oracle PKI Tool Release 19.0.0.0.0 - Production Version 19.4.0.0.0 Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: EMAIL=xxxxxxxxxxxxx,CN=hcbae2p01ora022.hcbe.corp,OU=xxxxxx,O=xxxxxx,L=xxxxxxxxx,ST=xxx,C=xx Trusted Certificates: [oracle@hcbae2p01ora022 console]$ What I don't get is why it does not appear as a Trusted certificate ? If I copy this wallet to a different location, then I can use orapki to import the new certificate into the wallet, and then use emctl secure console -wallet to renew the certificate ? I have read somewhere that if there is a change in the certificate, such as the email address, you have to do it from scratch. Is that so ?
Roberto Hernandez (143 rep)
Feb 21, 2023, 01:55 PM • Last activity: Oct 12, 2023, 02:44 PM
0 votes
1 answers
1262 views
SQL Server - Add signature to stored procedure by certificate does not work
I have a stored procedure in `Database 1` that updates a couple of tables in `Database 1` and `Database 2`.

To avoid granting the calling login/user permissions to do table updates, I would like to use *code signing*.

I created a certificate in the `master` database, and created a login from this certificate. Then I created users for this certificate-mapped login in `Database 1` and `Database 2`, and granted them permissions to do table updates.

When I tried to run the T-SQL below:

```
use [Database 1]
add signature to MyProcedure by certificate MyCertificate
```

It throws an error:

> Msg 15151, Level 16, State 1, Line 168 Cannot find the certificate 'MyCertificate', because it does not exist or you do not have permission.

Then I tried:

```
use [master]
add signature to [Database1].[dbo].MyProcedure by certificate MyCertificate
```

I am in the sysadmin server role, but it throws:

> Msg 15151, Level 16, State 1, Line 168 Cannot alter the object 'Database1.dbo.MyProcedure', because it does not exist or you do not have permission.

Question: How can I properly add a signature to my stored procedure in `Database 1`, by a certificate that is in the `master` database?
Aleksey Vitsko (6195 rep)
Mar 6, 2020, 12:51 PM • Last activity: Oct 12, 2023, 11:48 AM
7 votes
1 answers
5642 views
Find signed procedures, functions, triggers, assemblies and by which certificates / asymmetric keys
I have created a few Certificates (via CREATE CERTIFICATE) and Asymmetric Keys (via CREATE ASYMMETRIC KEY) and used them to sign and counter-sign various SQL modules:

- Stored Procedures
- User-Defined Functions (UDFs)
- Triggers
- Assemblies

Signing was done via ADD SIGNATURE. But now I need to find which Certificates and/or Asymmetric Keys have been used to sign which particular modules.
Solomon Rutzky (70048 rep)
Jan 22, 2016, 07:48 PM • Last activity: Oct 12, 2023, 10:37 AM
0 votes
0 answers
163 views
Cannot send mail through SQL Server sp_send_dbmail. Certificate error
Below is the error message I see in the Windows event log. No errors while executing sp_send_dbmail.

```
1) Exception Information
===================
Exception Type: Microsoft.SqlServer.Management.SqlIMail.Server.Common.BaseException
Message: There was an error on the connection. Reason: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.), connection parameters: Server Name: LAM90DB01, Database Name: msdb
Data: System.Collections.ListDictionaryInternal
TargetSite: Void OpenConnection(Microsoft.SqlServer.Management.Common.SqlConnectionInfo)
HelpLink: NULL
Source: DatabaseMailEngine
HResult: -2146232832

StackTrace Information
===================
   at Microsoft.SqlServer.Management.SqlIMail.Server.DataAccess.ConnectionManager.OpenConnection(SqlConnectionInfo connectionInfo)
   at Microsoft.SqlServer.Management.SqlIMail.IMailProcess.QueueItemProcesser.ProcessQueueItems(String dbName, String dbServerName, Int32 lifetimeMinimumSec, LogLevel loggingLevel, Byte[] encryptionKey, Int32 connectionTimeout)

Exception Type: System.ComponentModel.Win32Exception
NativeErrorCode: -2146893019
ErrorCode: -2147467259
Message: The certificate chain was issued by an authority that is not trusted
Data: System.Collections.ListDictionaryInternal
TargetSite: NULL
HelpLink: NULL
Source: NULL
HResult: -2147467259
```
mk SQL (5 rep)
Jul 13, 2023, 01:59 PM