Issuing a certificate for a clustered service


Mike Leone

Sep 17, 2025, 2:32:45 PM
to NTSysAdmin
So we run some SQL Server clusters. Now I've had a request to issue a cert for one of them. Following this site


"If you would like to use encrypted connections in a clustered environment then you should have a certificate issued to the fully qualified DNS name of the failover clustered instance and this certificate should be installed on all of the nodes in the failover cluster."

That's fine, I can figure out how to do that part of it. But here's my question: should this cert have the FQDN of each node as a SAN? I'm assuming so, since the clustered role can fail over to each node.

Anybody have a cert on a SQL cluster? Anything I've missed?

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

James Iversen

Sep 17, 2025, 3:27:52 PM
to ntsys...@googlegroups.com
Pretty sure you create a cert with the cluster name as the subject. Then add a SAN for each node. If you want to get fancy, add IP addresses. Cheers
Sent from my iPhone
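One way to produce that request on a node of the FCI, as an added example that is not part of the thread: the FCI's network name goes in the subject and, with every node FQDN, in the SAN, because TLS clients match the SAN and ignore the CN whenever a SAN extension is present. The host names, CA config string and template name are assumptions; the key is marked exportable so the same cert and key can be moved to the other nodes.

```powershell
# Added example (not from the thread). Builds a certreq .inf for a SQL FCI
# certificate and submits it to the domain CA. All names below are assumed.
$ClusterFqdn = 'sqlfci01.corp.example'                           # assumed: FCI network name
$NodeFqdns   = 'sqlnode1.corp.example', 'sqlnode2.corp.example'  # assumed: cluster nodes
$Template    = 'WebServer'                                        # assumed: template that accepts a SAN from the request
$CaConfig    = 'ca01.corp.example\Corp Issuing CA'                # assumed: "host\CA name" for certreq -submit

function New-FciCertRequestInf {
    param(
        [Parameter(Mandatory)][string]$ClusterFqdn,
        [Parameter(Mandatory)][string[]]$NodeFqdns,
        [Parameter(Mandatory)][string]$Template
    )
    # The SAN must carry the cluster name too, not only the nodes.
    $san = ((@($ClusterFqdn) + $NodeFqdns) | ForEach-Object { "dns=$_" }) -join '&'
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ClusterFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$san"

[RequestAttributes]
CertificateTemplate = $Template
"@
}

$inf = New-FciCertRequestInf -ClusterFqdn $ClusterFqdn -NodeFqdns $NodeFqdns -Template $Template
Set-Content -Path .\sqlfci.inf -Value $inf -Encoding ASCII

# Generate the key pair and CSR in the machine store, submit, and install the issued cert.
certreq.exe -new .\sqlfci.inf .\sqlfci.req
certreq.exe -submit -config $CaConfig .\sqlfci.req .\sqlfci.cer
certreq.exe -accept .\sqlfci.cer

# Export cert + private key so the other nodes get the same thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ClusterFqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\sqlfci.pfx -Password $pfxPassword | Out-Null

# On each remaining node:
# Import-PfxCertificate -FilePath .\sqlfci.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
```

Run the first part on one node only; importing the PFX on the others keeps the thumbprint identical everywhere, which is what the registry value on every node has to point at. Delete the PFX once the imports are done.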


Mike Leone

Sep 17, 2025, 4:02:10 PM
to ntsys...@googlegroups.com
Did that. Put the cert in the personal store of each node. Added the thumbprint to the registry, as the docs say.

And tried failing the role to the other node. Failed. Only way to get it to come back was to delete the cert and thumbprint. Then the role came back online.

It may have been the thumbprint was in the wrong registry hive, I don't know. I'll try tomorrow - I have a test SQL cluster I can play around with. 

Philip Elder

Sep 17, 2025, 4:10:42 PM
to ntsys...@googlegroups.com

Is the certificate setup behind a trusted CA or self-issued?


Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud


Mike Leone

Sep 17, 2025, 4:25:56 PM
to NTSysAdmin

On Wed, Sep 17, 2025, 4:10 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Is the certificate setup behind a trusted CA or self-issued?


Yeah, we run our own CA, and the root and intermediate CA certs are pushed to all domain members via GPO. When I imported the cert, I checked, and it said it was valid, so it saw the whole chain properly.

Philip Elder

Sep 17, 2025, 4:29:44 PM
to ntsys...@googlegroups.com

Was the null fixed in the registry as per the article?

Mike Leone

Sep 17, 2025, 6:30:25 PM
to ntsys...@googlegroups.com
On Wed, Sep 17, 2025 at 4:29 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Was the null fixed in the registry as per the article?


Yes. On both nodes. I'll try it again tomorrow, with a different cluster, and different cert.
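
The checks behind the questions above, as an added example that is not part of the thread: read the thumbprint SQL Server will actually use from the SuperSocketNetLib key, look for the invisible character that copying from the certificate MMC can prepend (the "null" the docs warn about), and confirm that the certificate it names is in LocalMachine\My on this node, chains to a trusted root, has its private key, covers both the FCI name and this node's FQDN in the SAN, and that the SQL Server service account can read the key. The instance name, FCI name and service account are assumptions; `DnsNameList` is a property the Cert: provider adds to certificate objects.

```powershell
# Added example (not from the thread). Run on each FCI node. Names are assumed.
$Instance       = 'MSSQLSERVER'              # assumed: FCI instance name
$ClusterFqdn    = 'sqlfci01.corp.example'    # assumed: FCI network name
$ServiceAccount = 'CORP\svc-sql'             # assumed: SQL Server service account

$base       = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$base\Instance Names\SQL").$Instance    # e.g. MSSQL16.MSSQLSERVER
$netlib     = "$base\$instanceId\MSSQLServer\SuperSocketNetLib"
$raw        = (Get-ItemProperty -Path $netlib -Name Certificate).Certificate

# 1. The value must be exactly the 40 hex digits of the SHA-1 thumbprint.
#    Anything else (a leading U+200E or similar from the MMC copy, trailing
#    whitespace) makes SQL Server fail to find the certificate at startup.
$bad = [regex]::Matches($raw, '[^0-9A-Fa-f]') |
    ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value }
if ($raw.Length -ne 40 -or $bad) {
    Write-Warning "Registry value is $($raw.Length) chars; non-hex code points: $($bad -join ', ')"
}
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 2. It must resolve to a certificate in LocalMachine\My on *this* node.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My on $env:COMPUTERNAME" }

# 3. The SAN must cover the FCI virtual name and this node's own FQDN,
#    since the role can be brought online on any node.
$nodeFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dnsNames = $cert.DnsNameList | ForEach-Object { $_.Unicode }
foreach ($name in @($ClusterFqdn, $nodeFqdn)) {
    if ($dnsNames -notcontains $name) {
        Write-Warning "SAN does not include $name (SAN has: $($dnsNames -join ', '))"
    }
}

# 4. Chain and private key on this node.
if (-not $cert.Verify())      { Write-Warning 'Certificate does not chain to a trusted root here' }
if (-not $cert.HasPrivateKey) { throw 'No private key on this node: re-import the PFX with the key' }

# 5. The service account needs Read on the private key file (CNG and CSP keys
#    live in different folders under ProgramData).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$canRead = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $canRead) { Write-Warning "$ServiceAccount has no Read ACE on $keyFile" }

"OK: $thumb is installed, chains, has a key, and covers $ClusterFqdn and $nodeFqdn on $env:COMPUTERNAME"
```

Any warning from steps 1, 2 or 5 is enough on its own to make the SQL Server resource fail to come online after a failover to that node, which matches the symptom in the thread; running the script on every node before testing the failover is quicker than reading the SQL error log afterwards.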


James Iversen

Sep 17, 2025, 6:58:56 PM
to ntsys...@googlegroups.com
Also verify the SPN is not playing dirty tricks on you.
Sent from my iPhone
