SSSB Endpoint Authentication Certificate

Don’t forget to give this a long lifetime (if security policy allows) by using EXPIRY_DATE, otherwise the certificate expires after a year.

CREATE CERTIFICATE [BrokerCertificateDec15]
  WITH SUBJECT = N'certificate_subject',
       EXPIRY_DATE = N'2025-12-31';

Expiry of the certificate causes the following log entries with source ‘Logon’:

Service Broker login attempt failed with error: ‘Connection handshake failed. The certificate used by this endpoint was not found: Certificate expired. Use DBCC CHECKDB in master database to verify the metadata integrity of the endpoints. State 85.’.  [CLIENT: …

Check the contents of sys.certificates (from master) for the expired culprit.
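One way to run that check, as an added example that is not part of the original notes: join sys.service_broker_endpoints to sys.certificates in master so the certificate actually bound to the endpoint is shown with its remaining lifetime. The 30-day warning window (@warn_days) is an assumption; set it to match your policy.

```sql
-- Added example: lists the certificate bound to each Service Broker
-- endpoint and flags expired or soon-to-expire ones.
USE master;

DECLARE @warn_days int = 30;  -- assumed warning window, adjust to policy

SELECT  e.name                 AS endpoint_name,
        e.state_desc           AS endpoint_state,
        e.connection_auth_desc AS auth_mode,
        c.name                 AS certificate_name,
        c.subject,
        c.start_date,
        c.expiry_date,
        -- Certificate dates are stored in UTC, so compare against UTC.
        DATEDIFF(DAY, GETUTCDATE(), c.expiry_date) AS days_left,
        CASE
            WHEN c.certificate_id IS NULL
                THEN 'NO CERTIFICATE BOUND'   -- e.g. Windows-only authentication
            WHEN c.expiry_date <= GETUTCDATE()
                THEN 'EXPIRED'
            WHEN c.expiry_date <= DATEADD(DAY, @warn_days, GETUTCDATE())
                THEN 'EXPIRING SOON'
            ELSE 'OK'
        END                    AS status
FROM    sys.service_broker_endpoints AS e
LEFT JOIN sys.certificates AS c
        ON c.certificate_id = e.certificate_id
ORDER BY c.expiry_date;
```

Scheduling this query and alerting on any status other than 'OK' catches the expiry before the handshake failures start appearing in the log.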


  • Create a new certificate, e.g. using the code above. Hence the date in the name.
  • Alter the broker endpoint to use the new certificate:
    ALTER ENDPOINT [Broker]
    	FOR SERVICE_BROKER (
    		AUTHENTICATION = CERTIFICATE [BrokerCertificateDec15]);


  • This should leave all other endpoint settings unchanged. Note that the endpoint name varies, so use the name of your own endpoint.
  • If successful the following log entries appear:
    • The Service Broker protocol transport has stopped listening for connections.
    • Server is listening on [ ….[IP] <ipv4> 4022].
    • The Service Broker protocol transport is now listening for connections.
  • At this stage the broker should be running correctly again.

