Sql Server : Change database mirroring expired certificate
- Posted by Sqltimes
- On May 17, 2014
- 0 Comments
Since its introduction, in Sql Server 2005, Database Mirroring has been one the popular features. We have database mirroring configured on several production databases. It is easy to configure, maintain and very efficient in transporting transactions from Principal server to the Mirror. With more new improvements in later versions, the transfer of transactional log to Mirror is more optimized. That is a topic for some other time.
Today, let us look at renewing/re-configuring expired certificate on Database Mirroring.
The option of creating mirroring using certificates is not too common, but it has a lot of benefits of its own. When we create certificates for this purpose, the usual syntax used it something like this:
|
1
2
3
4
5
6
|
---- Default syntax used to create certificates--CREATE CERTIFICATE Principal_CertificateWITH SUBJECT = 'Principal Certificate'GO |
This works, but the problem is when you do not specify ‘EXPIRY_DATE’ parameter the certificate defaults to one year. So come next year, you’ll need to change the certificate. And this is how to do it:
Steps to configure new certificate
Phase 1
- Step 1: On Principal, create new certificates (C1) with longer duration
- Step 2: Backup the certificate (on Principal)
- Step 3: Copy the Principal certificate backup to Mirror server
Phase 2
- Step 4: On Mirror, create a new certificate (C2) with longer duration
- Step 5: Backup the certificate (on Mirror)
- Step 6: Copy the Mirror certificate backup to Principal server
Phase 3
- Step 7: Restore new certificate (C2) from Mirror on to Principal server. Make sure the owner of this new certificate is the same as the old certificate owner login.
- Step 8: Alter endpoint on Principal to Principal to use new certificate (C1)
Phase 4
- Step 9: Do same as Step 7 on Mirror server (C1). Make sure the owner login stays the same as owner of previous certificate
- Step 10: Alter endpoint on Mirror to use new certificate (C2)
Phase 5
- Step 11: DROP both the old certificates on Principal server
- Step 12: DROP both the old certificates on Mirror server
Now sample code is below:
Phase 1
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
---- Steps to change mirroring certificate-- -- -- Step 1: On Principal, create new certificates with longer duration -- USE [master] GO CREATE CERTIFICATE Principal_Certificate_New WITH SUBJECT = 'Principal Certificate New' , EXPIRY_DATE = '12/31/2050' GO -- -- Step 2: Backup the certificate (on Principal) -- BACKUP CERTIFICATE Principal_Certificate_New TO FILE = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\Principal_Certificate_New.cer' GO -- -- Step 3: Copy the Principal certificate backup to Mirror server -- -- copy the certificate to Mirror |
Phase 2
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
---- Step 4: On Mirror, create a new certificate with longer duration--CREATE CERTIFICATE Mirror_Certificate_NewWITH SUBJECT = 'Mirror Certificate New' , EXPIRY_DATE = '12/31/2050'GO---- Step 5: Backup the certificate (on Mirror)--BACKUP CERTIFICATE Mirror_Certificate_NewTO FILE = N'C:\Program Files\Microsoft SQL Server\MSSQL11.PLAYR2\MSSQL\Log\Mirror_Certificate_New.cer'GO---- Step 6: Copy the Mirror certificate backup to Principal server---- copy the certificate to Principal |
Phase 3
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
-- -- Step 7: Restore new certificate from Mirror on to Principal server. Make sure the owner of this new certificate is the same as the old certificate owner login. -- CREATE CERTIFICATE Mirror_Certificate_New AUTHORIZATION [DBMirror_Mirror] FROM FILE = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\Mirror_Certificate_New.cer' GO -- -- Step 8: Alter endpoint on Principal to use new certificate -- ALTER ENDPOINT EP_Mirroring_P FOR DATABASE_MIRRORING ( AUTHENTICATION = CERTIFICATE Principal_Certificate_New ) GO |
Phase 4
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
---- Step 9: Do same as Step 7 on Mirror server. Make sure the owner login stays the same as owner of previous certificate--CREATE CERTIFICATE Principal_Certificate_NewAUTHORIZATION [DBMirror_Principal]FROM FILE = N'C:\Program Files\Microsoft SQL Server\MSSQL11.PLAYR2\MSSQL\Log\Principal_Certificate_New.cer'GO---- Step 10: Alter endpoint on Mirror to use new certificate--ALTER ENDPOINT EP_Mirroring_MFOR DATABASE_MIRRORING ( AUTHENTICATION = CERTIFICATE Mirror_Certificate_New )GO |
Phase 5
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
---- Step 11: DROP both the old certificates on Principal server--DROP CERTIFICATE Mirror_CertificateDROP CERTIFICATE Principal_CertificateGO---- Step 12: DROP both the old certificates on Mirror server--DROP CERTIFICATE Mirror_CertificateDROP CERTIFICATE Principal_CertificateGO |
Points:
- Mirroring session does not need to be brought down for this operation.
- Production database will be live and running while this operation is conducted in the background. But it is a good idea to do this during a maintenance window.
Hope this helps,
_Sqltimes
0 Comments