Changes to hashing algorithm for self-signed certificate in SQL Server 2017

Starting with SQL Server 2005, a self-signed certificate is created automatically during the startup to be used for channel encryption. By default, credentials in the login packet that are transmitted when a client application connects to SQL Server are always encrypted using this certificate if a certificate has not been explicitly provisioned for SSL/TLS. Optionally, the self-signed certificate can also be used to enable channel encryption. SSL/TLS connections that are encrypted using a self-signed certificate do not provide strong security, so it is strongly recommended that a certificate obtained from a trusted certification authority be used.

Until SQL Server 2016, the self-signed certificate was created using a SHA1 algorithm. However, SHA1 algorithm and many older algorithms have been deprecated beginning with SQL Server 2016. Refer to this books online article for more information.

Beginning with SQL Server 2017, the self-signed certificate now uses SHA256 algorithm which is more secure compared to SHA1 algorithm. Having said that, we still recommend using a certificate obtained from trusted certification authority to be used for channel encryption.

Comments (2)

  1. It’s a little confused that if in the SQL 2016 ,the self-signed certificate was created using a SHA1 algorithm?
    And also, how does the login pwd stored in sql server? with algorithm SHA1 before SQL 2012 and SHA2_512 since SQL 2012?
    Could you please help check the question, thanks very much in advance~

Skip to main content