SSSB Endpoint Authentication Certificate

Don’t forget to give this a long lifetime (if security policy allows) by using EXPIRY_DATE, otherwise the certificate expires after a year.

CREATE CERTIFICATE [BrokerCertificateDec15]
  WITH SUBJECT = N'certificate_subject',
       EXPIRY_DATE = N'2025-12-31';

Expiry of the certificate causes the following log entries with source ‘Logon’:

Service Broker login attempt failed with error: ‘Connection handshake failed. The certificate used by this endpoint was not found: Certificate expired. Use DBCC CHECKDB in master database to verify the metadata integrity of the endpoints. State 85.’.  [CLIENT: …

Check the contents of sys.certificates (from master)  for the expired culprit.

Solution

  • Create a new certificate, e.g. using the code above. Hence the date in the name.
  • Alter the broker endpoint to use the new certificate:
    ALTER ENDPOINT [Broker] 
    FOR SERVICE_BROKER
    (
    	AUTHENTICATION = CERTIFICATE [BrokerCertificateDec15]
    )

     

  • This should leave all other endpoint settings unchanged.  Note that the endpoint name is variable.
  • If successful the following log entries appear:
    • The Service Broker protocol transport has stopped listening for connections.
    • Server is listening on [ ….[IP] <ipv4> 4022].
    • The Service Broker protocol transport is now listening for connections.
  • At this stage the broker should be running correctly again.

no comment

Sorry, comments closed.