You need digital certificates to set up transport-layer security. You can obtain certificates from a certificate authority, or you can create them using the Certificate Creation utility (createcert).
Certificate Creation utility
You can use the Certificate Creation utility (createcert) to generate X.509 certificate files using RSA.
Certificate Viewer utility
You can use the Certificate Viewer utility (viewcert) to read X.509 certificates using RSA.
Certificates for server authentication
You can follow the same process to create certificate files for server authentication. In each case, you create an identity file and a certificate file.
For server authentication, you create a server identity file and a certificate file to distribute to clients.
Certificate configurations
The certificate can be self-signed or signed by a commercial or enterprise Certificate Authority.
- Self-signed certificates – Self-signed server certificates can be used for simple setups.
- Enterprise root certificates – An enterprise root certificate can be used to sign server certificates to improve data integrity and extensibility for multi-server deployments.
  - You can store the private key used to sign server certificates in a secure central location.
  - For server authentication, you can add database servers without reconfiguring clients.
- Commercial Certificate Authorities – You can use a third-party Certificate Authority instead of an enterprise root certificate. Commercial Certificate Authorities have dedicated facilities to store private keys and create high-quality server certificates.
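The difference between the self-signed and enterprise root configurations can be checked from the client's side. This is an added example, not part of the original documentation: it uses OpenSSL as a stand-in for createcert, and the host names, file names and function names are all constructed for illustration.

```shell
# Added example: OpenSSL stands in for createcert; all names are constructed.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the root is marked as a CA regardless of system defaults.
cat > "$work/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Enterprise Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Enterprise root: its certificate is the only file distributed to clients.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/root.cnf" \
        -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null
}

# Server identity signed by the root key. $1 = host name, $2 = serial number.
make_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/root.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    openssl x509 -req -in "$work/$1.csr" -days 30 -set_serial "$2" \
        -CA "$work/root.crt" -CAkey "$work/root.key" -out "$work/$1.crt" 2>/dev/null
}

# Self-signed server certificate: clients would need this exact file to trust it.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/root.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Client check: trust is anchored on the root certificate only.
client_trusts() {
    openssl verify -CAfile "$work/root.crt" "$work/$1.crt" >/dev/null 2>&1
}

make_root
make_server db1.example.test 1
make_server db2.example.test 2      # added later; the client's trust file is unchanged
make_self_signed db3.example.test   # never signed by the root
for h in db1.example.test db2.example.test db3.example.test; do
    if client_trusts "$h"; then echo "$h: trusted"; else echo "$h: rejected"; fi
done
```

The root private key (`root.key` here) is the file the enterprise root configuration keeps in a secure central location; only `root.crt` needs to reach clients.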