On Azure Arc-enabled SQL Server, Azure automatically rotates certificates for Azure Active Directory. This article explains how the automatic process works and identifies the process specifics for Windows and Linux operating systems.
16
+
On Azure Arc-enabled SQL Server, Azure extension for SQL Server can automatically rotate certificates for Azure Active Directory authentication for service managed certificates. For customer managed certificates, you can follow the steps to rotate the certificate used for Azure Active Directory Authentication.
17
+
18
+
This article explains how automatic certificate rotation and customer managed certificate rotation works and identifies the process specifics for Windows and Linux operating systems.
17
19
18
20
Certificate management depends on whether you manage your own certificates (*customer managed certificates*), or the service manages the certificates (*service managed certificates*).
19
21
20
22
## Prerequisite
21
23
22
-
The functionality described in this article applies to an instance of Azure Arc-enabled SQL Server configured for Azure Active Directory. For instructions to configure such an instance, see:
24
+
The functionality described in this article applies to an instance Azure Arc-enabled SQL Server configured for Azure Active Directory. For instructions to configure such an instance, see:
23
25
24
26
-[Azure Active Directory authentication for SQL Server](../../relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview.md)
25
27
26
28
## Customer managed certificate rotation
27
29
28
-
For customer managed certificate rotation, you create a new version of the certificate in Azure Key Vault. If you don't create the new version yourself, Azure Key Vault automatically rotates the certificate after the certificate lifetime has been met. In Azure Key Vault, you can pick, configure, and choose any percentage for the certificate lifetime period.
30
+
For customer managed certificate rotation:
31
+
32
+
1. Create a new version of the certificate in Azure Key Vault.
33
+
34
+
In Azure Key Vault, you can set any percentage for the certificate lifetime period.
35
+
36
+
When you configure a certificate with Azure Key Vault, you define its lifecycle attributes. For example:
37
+
38
+
- Validity period - when the certificate expires.
39
+
- Lifetime action type - what happens when the expiration approaches, including: automatic renewal, and alerting.
40
+
41
+
For details about certificate configuration options, see [Update certificate lifecycle attributes at the time of creation](/azure/key-vault/certificates/tutorial-rotate-certificates#update-certificate-lifecycle-attributes-at-the-time-of-creation).
42
+
43
+
1. Download the new certificate in `.cer` format and upload it to the app registration in place of the old certificate.
29
44
30
-
After you create the new version, you can download the new certificate in `.cer` format and upload it to the app registration in place of the old certificate.
31
45
32
46
> [!NOTE]
33
47
> For Linux, you need to restart the SQL Server service manually so the new certificate is used for authentication.
34
48
49
+
Once a new certificate is created in Azure Key Vault, the Azure extension for SQL Server checks for a new certificate daily. If the new certificate is available, the extension installs the new certificate on the server and deletes the old certificate.
50
+
51
+
After the new certificate is installed, you can delete older certificates from app registration because they won't be used.
52
+
53
+
It can take up to 24 hours for a new certificate to be installed on the server. The recommended time to delete the old certificate from app registration is after 24 hours from the time you create the new version of the certificate.
54
+
55
+
If the new version of the certificate is created and installed on the server, but not uploaded to app registration, the portal will display an error message on the **SQL Server - Azure Arc** resource under **Azure Active Directory**.
56
+
35
57
## Service managed certificate rotation
36
58
37
59
For service managed certificate rotation, Azure Key Vault automatically rotates the certificate for you. By default, the certificate are rotated after the certificate lifetime has been met. If the certificate has expired, then the automatic rotation fails.
38
60
61
+
Service managed certificate rotation requires you to add an access policy to the service principal with permission to sign keys. See [Assign a Key Vault access policy (legacy)](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
62
+
39
63
> [!NOTE]
40
64
> For Linux, the old certificate will not be deleted from the app registration used for Azure Active Directory authentication and the SQL server running on the Linux machine will need to be manually restarted.
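Review bot: the customer managed procedure gives an unsafe deletion rule for Linux hosts. The new text says "The recommended time to delete the old certificate from app registration is after 24 hours from the time you create the new version of the certificate", but the note a few lines earlier says "For Linux, you need to restart the SQL Server service manually so the new certificate is used for authentication"; a Linux instance that has not been restarted is still presenting the old certificate after 24 hours, so removing it from the app registration at that point breaks its authentication. Suggest making the rule "after every instance has picked up the new certificate (Windows: after the daily check has installed it; Linux: after the manual restart)" rather than a fixed 24 hours. Related gap in the same list: the step "Download the new certificate in `.cer` format and upload it to the app registration in place of the old certificate" is what makes the new version valid for sign-in, yet the text later says the extension "installs the new certificate on the server and deletes the old certificate" within a day and, if the version "is created and installed on the server, but not uploaded to app registration, the portal will display an error message"; the doc should state whether authentication fails in that window and tell the reader to do the upload before the extension's next daily check, which matters especially when the Key Vault "automatic renewal" lifetime action creates the version without an operator in the loop. Two smaller points: the rewritten prerequisite sentence drops the "of" that the removed line had ("applies to an instance Azure Arc-enabled SQL Server" should read "an instance of Azure Arc-enabled SQL Server"), and the service managed section links to "Assign a Key Vault access policy (legacy)"; if the access-policy model is the only supported one, say so explicitly, and in either case state that the policy should grant only the sign permission on the key, not a broader key permission set.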