Updating certificates

Next you need to issue an ALTER SYMMETRIC KEY command in the context of the user database (AGplaceholder in our example) to bind the newly created certificate to the Database Encryption Key (DEK).


-- Restore the new certificate and its private key on the secondary replica
USE [master]
GO
CREATE CERTIFICATE [New TDECert]
FROM FILE = '\\SQLP2\temp\New TDECert.cer'
WITH PRIVATE KEY (FILE = '\\SQLP2\temp\New TDECert.pvk',
    DECRYPTION BY PASSWORD = 'str0ng Pa$$w0rd');
GO
-- Resume data movement for the database in the Availability Group
ALTER DATABASE [AGplaceholder] SET HADR RESUME;
GO

You do not need to perform a backup and restore of the database using TDE again; the synchronization can resume after the certificate is restored.

You will not get a warning message about certificate expiration, because the expiration date for the new certificate is in the future.

If you want to replace the existing certificate used in TDE, you first need to create a new certificate.

The command is the same as creating the TDE certificate for the first time, except you now provide a different certificate name.

Previous releases for the same device family and edition are then taken offline so that only the latest edition is typically available at any given time (previous URLs will be forwarded to the latest editions as well).

The latest firmware packages can be found in the article Updating Lync 2013 under the Lync Phone Edition table, which was previously included in this article but has since been moved into the newer article which documents the past of various client and server updates.

The command below is executed on the secondary AG replica SQLP2.

We can either resume the AG from SSMS or issue a RESUME from a query window as shown below.

If your database is involved in any HA or DR, the new certificate needs to be restored to all the secondary SQL Server instances.

In our scenario, database [AGplaceholder] is involved in an Availability Group (AG).

The AG dashboard will show the Synchronizing State as Not Synchronizing as soon as the new certificate is bound on the primary AG replica.
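The primary-replica side of the rotation described on this page, as an added example that is not code from the original article: create the new certificate, back it up for the secondaries, rebind the DEK, then check which certificate protects the DEK. It uses ALTER DATABASE ENCRYPTION KEY, the T-SQL statement that re-encrypts a TDE database encryption key under a server certificate; the subject text and expiry date are assumptions.

```sql
-- Added example (not from the original page). Run on the primary AG replica.
-- Assumed values: SUBJECT and EXPIRY_DATE are constructed for illustration.
USE [master];
GO
CREATE CERTIFICATE [New TDECert]
    WITH SUBJECT = 'TDE certificate (rotated)',
         EXPIRY_DATE = '20351231';
GO

-- Back up the certificate and private key BEFORE binding it to the DEK:
-- once bound, the database cannot be restored anywhere without these files.
-- Restrict access to the share and delete the .pvk after the secondaries
-- have restored it.
BACKUP CERTIFICATE [New TDECert]
    TO FILE = '\\SQLP2\temp\New TDECert.cer'
    WITH PRIVATE KEY (
        FILE = '\\SQLP2\temp\New TDECert.pvk',
        ENCRYPTION BY PASSWORD = 'str0ng Pa$$w0rd');
GO

-- Rebind the Database Encryption Key to the new certificate.
-- Only the DEK is re-encrypted; the data pages are not rewritten.
USE [AGplaceholder];
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE [New TDECert];
GO

-- Verify: the DEK's encryptor thumbprint should now match the new
-- certificate, and its expiry date should be in the future.
SELECT DB_NAME(dek.database_id) AS database_name,
       c.name                   AS certificate_name,
       c.expiry_date,
       dek.encryption_state     -- 3 = encrypted
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.certificates AS c
  ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID(N'AGplaceholder');
GO
```

Running the same verification query on each secondary after the restore and RESUME confirms that the certificate with the matching thumbprint is present there.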
