SQL-Server service won’t start after enabling SSL

Maybe you followed this guide to enable SSL for your SQL-server instance, but when you thought you were ready, the service won’t start.

What to do next?

A good guess is that your SQL-Server error log tells you “Unable to load user-specified certificate [Cert Hash(sha1) “XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX”]. The server will not accept a connection. You should verify that the certificate is correctly installed. See “Configuring Certificate for Use by SSL” in Books Online.”

You can find out by logging in to SQL Server Management Studio, expanding your server->Management, right-clicking SQL Server Logs and selecting View->SQL Server Log. When the Log File Viewer appears, press Filter, enter SSL under Message contains text, and check the box Apply filter.

If the line above appears in your log, my guess is that your SQL-Server service account does not have the right to access the certificate's private key.

And the solution?

First of all, you need to find out which account runs your SQL-Server service. It probably should be a domain account, but in my case (lab environment) I used NT Service\MSSQLSERVER.

Then, open up MMC and add the Certificates snap-in. (You probably know how, but otherwise it’s in the guide above on how to enable SSL.) Locate your certificate, right-click it and select All Tasks->Manage Private Keys. Your SQL-Server service account is probably missing from that list. If so, click Add and locate your service account. If you, like me, are using NT Service\MSSQLSERVER, just select your local server as Location and paste NT Service\MSSQLSERVER into the text box. Then click OK. In the checkboxes below the accounts, make sure to give the service account the Read permission.

Now, go back to SQL Server Configuration Manager and try to start the service again. It should work now!
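
The same permission grant done from an elevated PowerShell prompt instead of the MMC snap-in, as an added example that is not part of the original post. The function name Grant-SqlCertKeyRead is hypothetical; the code assumes an RSA certificate in the LocalMachine\My store and takes the thumbprint shown in the error log line.

```powershell
# Added example: give the SQL Server service account Read on a certificate's private key.
# Grant-SqlCertKeyRead is a hypothetical name. Run from an elevated PowerShell prompt.
function Grant-SqlCertKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,         # hash from the error log line
        [string] $ServiceAccount = 'NT Service\MSSQLSERVER'  # account used in the post
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine."
    }

    # Assumption: RSA key. Resolve the key file name for a CNG or a legacy CSP key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "No RSA private key found; other key types are not handled here." }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } else {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine private keys are stored as files in one of these two directories.
    $keyPath = @("$env:ProgramData\Microsoft\Crypto\Keys",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") |
        ForEach-Object { Join-Path $_ $keyName } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyPath) { throw "Key file '$keyName' not found in the machine key stores." }

    # Show whether the account was already listed, then add an Allow/Read entry only.
    $acl = Get-Acl -LiteralPath $keyPath
    $listed = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })
    Write-Output "Entries for $ServiceAccount before change: $($listed.Count)"

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl

    # Return the resulting ACL so the grant can be reviewed.
    (Get-Acl -LiteralPath $keyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (replace the placeholder with the thumbprint from your own error log):
# Grant-SqlCertKeyRead -Thumbprint '<thumbprint from the error log>'
```

The function grants Read only, matching the permission chosen in the Manage Private Keys dialog, and the returned list makes it easy to confirm that no broader rights were added.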
