SSSB Endpoint Authentication Certificate
Give the certificate a long lifetime (if security policy allows) by setting EXPIRY_DATE; otherwise it expires after a year.
CREATE CERTIFICATE [BrokerCertificateDec15] WITH SUBJECT = N'certificate_subject', EXPIRY_DATE = N'2025-12-31';
Expiry of the certificate causes the following log entries with source ‘Logon’:
Service Broker login attempt failed with error: ‘Connection handshake failed. The certificate used by this endpoint was not found: Certificate expired. Use DBCC CHECKDB in master database to verify the metadata integrity of the endpoints. State 85.’. [CLIENT: …
Check the contents of sys.certificates (from master) for the expired culprit.
- Create a new certificate under a new name, e.g. using the code above; this is why the name carries a date.
- Alter the broker endpoint to use the new certificate:
ALTER ENDPOINT [Broker] FOR SERVICE_BROKER ( AUTHENTICATION = CERTIFICATE [BrokerCertificateDec15] )
- This should leave all other endpoint settings unchanged. Note that the endpoint name varies from server to server, so substitute your own for [Broker].
- If successful, the following log entries appear:
  - The Service Broker protocol transport has stopped listening for connections.
  - Server is listening on [ ….[IP] <ipv4> 4022].
  - The Service Broker protocol transport is now listening for connections.
- At this stage the broker should be running correctly again.
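The sys.certificates check above can be tied directly to the endpoint, both to find the expired culprit and to confirm the endpoint picked up the new certificate. The query below is an added example, not part of the original note; the 30-day warning window is an assumed threshold, and the status labels are made up for this example.

```sql
-- Added example: show the certificate bound to each Service Broker endpoint
-- and how long it has left. Endpoint certificates live in master.
USE master;

DECLARE @warn_days int = 30;   -- assumed warning window, adjust to local policy

SELECT
    e.name                 AS endpoint_name,
    e.state_desc           AS endpoint_state,
    t.port                 AS tcp_port,
    e.connection_auth_desc AS auth_mode,
    c.name                 AS certificate_name,
    c.subject,
    c.start_date,
    c.expiry_date,
    -- Certificate dates are stored in UTC, so compare against GETUTCDATE().
    DATEDIFF(DAY, GETUTCDATE(), c.expiry_date) AS days_remaining,
    CASE
        -- certificate_id = 0 means the endpoint uses Windows authentication only.
        WHEN e.certificate_id = 0 THEN 'NO CERTIFICATE (WINDOWS AUTH)'
        -- Endpoint references a certificate that no longer exists in master.
        WHEN c.certificate_id IS NULL THEN 'CERTIFICATE MISSING'
        WHEN c.expiry_date <= GETUTCDATE() THEN 'EXPIRED'
        WHEN c.expiry_date <= DATEADD(DAY, @warn_days, GETUTCDATE())
            THEN 'EXPIRING SOON'
        ELSE 'OK'
    END                    AS status
FROM sys.service_broker_endpoints AS e
LEFT JOIN sys.tcp_endpoints AS t
       ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.certificates AS c
       ON c.certificate_id = e.certificate_id
ORDER BY c.expiry_date;
```

Scheduling this as a periodic check gives warning before the handshake failures start, rather than after the 'Logon' errors appear in the log.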