Create ConfigMgr SQL Server Identification Certificate

ByPrajwal Desai Hours

In this article, I will show you how to create ConfigMgr SQL Server identification certificate, which is useful when you cannot connect to the report server database.

Few days back, I was working on implementing PKI for SCCM, and I encountered an issue related to SQL server certificate in the production environment. While cleaning up the unwanted certificates from the SCCM server, one of my associate accidentally deleted the SQL server identification certificate.

After a few minutes, I noticed that the admins weren’t able to use the Configuration Manager console. The admins encountered the error where the ConfigMgr console was unable to connect to the site database.

The SQL Server, SQL Server reporting services and SQL server agent services stopped automatically. After checking the event viewer logs I checked the certificate store on the machine and noticed that the SQL Server identification certificate was missing.

In this article, I will show you how to create ConfigMgr SQL server identification certificate. I have simulated the same issue in my lab setup, and I am going to show you how to fix resolve it.

SQL Server Identification Certificate Errors

Whenever the SQL Server Identification Certificate is deleted from the SCCM server, you will encounter several errors. Upon checking the event viewer logs, I found Report Server (MSSQLSERVER) cannot connect to the report server database.

Also Read: Fix The report server has encountered a configuration error

spid10s     Unable to load user-specified certificate [Cert Hash(sha1) "BCDDA9DF02E4091B6865B15394DF5FA0F1D9ABF3"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
spid10s     Error: 17182, Severity: 16, State: 1.
spid10s     TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
spid10s     Error: 17182, Severity: 16, State: 1.
spid10s     TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
spid10s     Error: 17826, Severity: 18, State: 3.
spid10s     Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
spid10s     Error: 17120, Severity: 16, State: 1.
spid10s     SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

What gave me a hint of the missing certificate was this error line: “The server will not accept a connection. You should verify that the certificate is correctly installed“.

Create ConfigMgr SQL Server Identification Certificate
SQL Server Identification Certificate Errors

When I attempted to start the SQL server service and SQL server agent service, I got the below error. Windows could not start the SQL Server (MSSQLSERVER) on the local computer. For more information, review the system event log.

Create ConfigMgr SQL Server Identification Certificate
SQL Server Identification Certificate Errors

The only way to resolve the above errors is to create the SQL Server Identification Certificate.

Also Read: Fix SCCM SQL Server Report Builder Access Error

Create ConfigMgr SQL Server Identification Certificate

Use the following steps to create ConfigMgr SQL server identification certificate:

  • Launch the IIS management console.
  • Select the server and under the IIS section, click on Server Certificates.
Create ConfigMgr SQL Server Identification Certificate
Create ConfigMgr SQL Server Identification Certificate

Right click on the right pane and click Create Self-Signed Certificate.

Create ConfigMgr SQL Server Identification Certificate
Create ConfigMgr SQL Server Identification Certificate

Provide a friendly name to this cert. Choose the certificate to be stored in Personal store. Click OK.

Create ConfigMgr SQL Server Identification Certificate
Specify the friendly name for the certificate

You can now see that the new SQL Server identification certificate has been created.

Create ConfigMgr SQL Server Identification Certificate
New SQL Server Identification Certificate created

Recommended: Install Report Builder for SCCM | Edit SSRS Reports

Assign the SQL Server Identification Certificate

Launch the SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for MSSQLSERVER and click Properties.

Create ConfigMgr SQL Server Identification Certificate
Assign the SQL Server Identification Certificate

Select the Certificate tab and use the dropdown to select the new SQL self-signed certificate you created. You can double-check this by making sure the Issued By field matches the server name. Click OK.

Create ConfigMgr SQL Server Identification Certificate
Assign the SQL Server Identification Certificate

After you have assigned the SQL Server identification certificate, right-click on the SQL Server services and start them. Ensure the state of each service shows Running.

Create ConfigMgr SQL Server Identification Certificate
Start the SQL Server services

This completes the steps to create the SQL Server identification certificate for SCCM. If you have any questions, kindly let me know in the comments section.

Read Next

Avatar photo

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.

6 Comments

  1. Is this certificate necessary to be created for SQL server local to the primary server before implementing PKI?

    Reply
  2. Avatar photo siva kamesh says:

    Thank you for!!! Its worked

    Reply

  3. Do I need to install IIS on the SQL server if the SCCM DB is located on a separate, dedicated SQL instance ?

    Reply
  4. Avatar photo Keith VanProoyen says:

    THANK YOU!!! I deleted an expired certificate and caused this issue.

    Reply

  5. Hello Prajwal,

    I migrated the SCCM SQL DB to another server and when i do site maintenance i get below errors. Can i perform the above steps mentioned by you?

    I have standalone primary server and IIS 6.1 and server 2008 R2.
    Destination SQL is 2012

    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
    *** Failed to connect to the SQL Server, connection type: SMS ACCESS.

    > INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure

    > ERROR: SQL Connection failed. Connection: SMS ACCESS, Type: Secure

    > ERROR: Failed to get SQL Server connection.

    Regards,
    Santhosh B S

    Reply

  6. Hello Prajwal,

    we migrated the SCCM SQL DB to another server and when i tried to do a site maintenance i got error as below

    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection
    *** Failed to connect to the SQL Server, connection type: SMS ACCESS.
    > INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
    > ERROR: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
    > ERROR: Failed to get SQL Server connection.

    Can i perform the above steps mentioned by you?

    Regards,
    Santhosh B S

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *