始终加密-创建证书错误Windows Server 2012 [英] Always Encrypted - create certificate error windows server 2012

问题描述

当我尝试使用下面的PS脚本创建证书，列主密钥和列加密密钥时，在Windows 10中效果很好

when i try to create certificate, column master key and column encryption key using the below PS script its works fine in windows 10

Import-Module "SqlServer"
$serverName = "XXX"
$databaseName ="XX"
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security=true"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName] 

$cert = New-SelfSignedCertificate -Subject "Cert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048


$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "LocalMachine" -Thumbprint $cert.Thumbprint 


$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings

$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName

但在Windows Server 2012中出现错误。如果我删除以下内容：

but getting error in windows server 2012. if i remove the following:

-Subject, -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048 

并使用 -DNSName 只有这样，它才创建列主密钥并在创建列加密密钥时引发错误。

and use -DNSName only then it just create column master key and throw error while create column encryption key.

有人请向我提供适用于Windows Server 2012的正确语法并创建证书，列主密钥和列加密密钥？

someone please provide me correct syntax which works on Windows server 2012 and create certificate , column master key and column encryption key?

推荐答案

请参考使用PowerShell创建自签名证书 > <一小时的部分ef = https://docs.microsoft.com/zh-cn/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted rel = nofollow noreferrer>本文。

要用作始终加密的CMK，证书需要进行特定的配置。

To be used as Always encrypted CMKs, certificates require a specific configuration.

您应该能够创建使用以下命令用作CMK的证书

You should be able to create a certificate to be used as CMK using the following commands

New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048 

# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048

这应该与Server 2012一起使用，如果不存在，则必须安装makecert实用程序：

This should work with Server 2012, you will have to install makecert utility if it does not exist:

makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256

这篇关于始终加密-创建证书错误Windows Server 2012的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！