Installation of Always Encrypted Certificate
Home / Installation / Always Encrypted Certificate
You can download the latest version from the official Microsoft site: (https://support.microsoft.com/en-ie/help/2977003/the-latest-supported-visual-c-downloads)
Access the links to install OpenSSL binaries for Windows from the following site: (https://wiki.openssl.org/index.php/Binaries)
Download a version for Windows from the following link: (https://slproweb.com/products/Win32OpenSSL.html)
Follow the onscreen instructions to install the Win64OpenSSL_Light-1_1_0j.exe and select the option to copy the OpenSSL DLLs to The OpenSSL binaries (/bin) directory
(https://slproweb.com/download/Win64OpenSSL_Light-1_1_0j.exe)
req -config C:\OpenSSL-Win64\bin\openssl.cfg -days 36525 -x509 -sha256 -nodes -newkey rsa:2048 -keyout AlwaysEncrypted.key -out AlwaysEncrypted.pem
- Country Name
- State of Province Name
- Locality Name
- Organization Name
- Common Name (append
AlwaysEncryptedfor a quick and visual reference) - Email address
pkcs12 -export -out AlwaysEncrypted.pfx -inkey AlwaysEncrypted.key -in AlwaysEncrypted.pem
N.B. Store this Password in a safe place. You will need this Password to import the Certificate later on.
N.B. The Always Encrypted Certificate must be installed in both your Database Tier server and Server Tier servers.
- The
Certificate Import Wizardwill open. Select the option forLocal machine.
- Select the previously generated
AlwaysEncrypted.pfxfile to import.
- Enter the
Passwordpreviously chosen during the export process.
- Select the
Automatically select the certificate store based on type of certificateoption.
- Click
Finishto complete the installation of the Certificate.
- Log on the Server Tier server (only)
- Go to the folder
%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeysORC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys - Grant the
readprivilege to theIUSRuser andIIS_IUSRSgroup
