Installation of Always Encrypted Certificate - CSOIreland/PxStat GitHub Wiki

Home / Installation / Always Encrypted Certificate

The PxStat Application Always Encrypted Certificate Installation and set up.

Install the Visual C++ Redistributable Package as a prerequisite.

You can download the latest version from the official Microsoft site: (https://support.microsoft.com/en-ie/help/2977003/the-latest-supported-visual-c-downloads).

PreRequisite1

Install OpenSSL for Windows.

Access the links to install OpenSSL binaries for Windows from the following site: (https://wiki.openssl.org/index.php/Binaries).

Install1

Download a version for Windows from the following link: (https://slproweb.com/products/Win32OpenSSL.html).

Install2

Follow the onscreen instructions to install the Win64OpenSSL_Light-1_1_0j.exe and select the option to copy the OpenSSL DLLs to The OpenSSL binaries (/bin) directory (https://slproweb.com/download/Win64OpenSSL_Light-1_1_0j.exe).

Install3

Open the openSSL.exe file.

OpenSSL0

Run the following command:

req -config C:\OpenSSL-Win64\bin\openssl.cfg -days 36525 -x509 -sha256 -nodes -newkey rsa:2048 -keyout AlwaysEncrypted.key -out AlwaysEncrypted.pem.

Enter the relevant information when prompted.

  • Country Name.
  • State of Province Name.
  • Locality Name.
  • Organization Name.
  • Common Name (append AlwaysEncrypted for a quick and visual reference).
  • Email address.

OpenSSL1

  • The AlwaysEncrypted.key and AlwaysEncrypted.pem are created in the OpenSSL-Win64\bin directory.

OpenSSL2

Run the following command to export the certificate to the PFX format for Windows:

pkcs12 -export -out AlwaysEncrypted.pfx -inkey AlwaysEncrypted.key -in AlwaysEncrypted.pem.

OpenSSL3

Enter and Verify the Export Password when prompted.

N.B. Store this Password in a safe place. You will need this Password to import the Certificate later on.

  • The AlwaysEncrypted.pfx file is created in your OpenSSL-win64/bin directory.

OpenSSL4

Copy the AlwaysEncrypted.pfx to your Servers and double-click to install.

N.B. The Always Encrypted Certificate must be installed in both your Database Tier server and Server Tier servers.

  • The Certificate Import Wizard will open. Select the option for Local machine.

InstallCert1

  • Select the previously generated AlwaysEncrypted.pfx file to import.

InstallCert2

  • Enter the Password previously chosen during the export process.

InstallCert3

  • Select the `Automatically select the certificate store based on type of certificate option.

InstallCert4

  • Click Finish to complete the installation of the Certificate.

InstallCert5

Grant IIS access to the private key.

  • Log on the Server Tier server (only).
  • Go to the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys OR C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
  • Grant the read privilege to the IUSR user and IIS_IUSRS group.

image

Top

⚠️ **GitHub.com Fallback** ⚠️