The tlscert Parameter
SQL Relay supports a tlscert parameter in the SQL Relay server's configuration file, and as an argument to the various command line client programs. In either case, it specifies the TLS certificate chain to use.
Instead of requiring a certificate chain, some applications allow you to just configure them with a public and private key. This enables the application to perform TLS encryption, but not auth. SQL Relay doesn't (currently) allow this. You have to provide a certificate chain, even if you only want to use TLS encryption and not auth.
On non-Windows platforms, you must specify a certificate chain file. For example:
/usr/local/firstworks/etc/sqlrserver.pem or /usr/local/firstworks/etc/sqlrclient.pem
On Windows platforms you may specify a certificate chain file. For example:
C:\\Program Files\\Firstworks\\etc\\sqlrserver.pfx or C:\\Program Files\\Firstworks\\etc\\sqlrclient.pfx
(note the double-backslashes)
Or, you may specify a certificate in a Windows Certificate Store. For example:
CURRENT_USER:MY:sqlrserver or MY:sqlrserver or sqlrserver or CURRENT_USER:MY:sqlrclient or MY:sqlrclient or sqlrclient
For actual files:
- The file should contain the host's certificate, private key, and signing certificates, as appropriate (see Creating a TLS Certificate Chain File for more information)
- On non-Windows systems, a variety of file formats are supported.
- On Windows systems it must be a .pfx file.
For certificates in a Windows Certificate store:
- The certificate should have an associated private key, and associated signing certificates, as appropriate.
- The parameter must be formatted in one of the following ways:
- location:store:subject
- store:subject
- subject
- The location part must be one of the following:
- CURRENT_USER
- LOCAL_MACHINE
- CURRENT_SERVICE
- SERVICES
- USERS
- CURRENT_USER_GROUP_POLICY
- LOCAL_MACHINE_GROUP_POLICY
- LOCAL_MACHINE_ENTERPRISE
- (if omitted, it defaults to CURRENT_USER)
- The store part must be one of the following:
- MY
- Root
- Trust
- CA
- (if omitted, it defaults to MY)
- The subject part identifies the certificate. The first certificate in the specified location/store who's Subject contains the specified subject (in a case-insensitive comparison) will be used. Note that the order of the certificates in the store is not guaranteed, so the specified subject should contain enough information to uniquely identify a certificate.
