
Certificate Expiration Dates and TDE

Mike Lynn talks Transparent Data Encryption:

Transparent Data Encryption uses certificates in its architecture for protecting your data while at rest. One attribute of a certificate is that it has an expiration date. Certificates expire for a couple of reasons, but the main reason is to enforce security. When a website certificate expires it forces the website owners to get a new certificate by proving they are who they say they are with a trusted third party.

SQL Server certificates that are used for TDE also have an expiration date, but these dates are only checked when you are creating a self-signed certificate using the “CREATE CERTIFICATE” T-SQL command. If you don’t supply an expiration date when creating your certificate, SQL Server will assign one that is 1 year into the future.

Read on to learn more about how it works with TDE. I will say that with encrypting backups, SQL Server does care about the expiration date when it comes to creating a new encrypted backup, but not when it comes to restoring a backup.
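As an added example (not code from Mike Lynn's post), the T-SQL below shows the one place the expiration date is enforced, the `CREATE CERTIFICATE` statement with an explicit `EXPIRY_DATE` instead of the one-year default, followed by an inventory query that lists each TDE-encrypted database, the certificate protecting its key, and when that certificate expires. The certificate name, subject, dates and database name are made-up placeholders.

```sql
-- Added example, not from the original post. Assumes a SQL Server instance
-- (2012 or later) using TDE; TDE_Cert_Example and its dates are constructed.
USE master;
GO

-- Explicit validity window. When EXPIRY_DATE is omitted SQL Server assigns
-- one year from START_DATE; this statement is the only point at which the
-- date is validated, TDE itself keeps working after it passes.
CREATE CERTIFICATE TDE_Cert_Example
    WITH SUBJECT     = 'TDE protector certificate (example)',
         START_DATE  = '20250101',
         EXPIRY_DATE = '20270101';
GO

-- Inventory check: which databases are encrypted, which certificate wraps
-- their database encryption key, how long until it expires, and whether the
-- private key has ever been backed up (NULL means it never has, which is the
-- real operational risk for restores, regardless of the expiry date).
SELECT
    DB_NAME(dek.database_id)                        AS database_name,
    CASE dek.encryption_state
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        ELSE        'Other'
    END                                             AS encryption_state,
    c.name                                          AS certificate_name,
    c.start_date,
    c.expiry_date,
    DATEDIFF(DAY, SYSDATETIME(), c.expiry_date)     AS days_until_expiry,
    c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.encryptor_type = 'CERTIFICATE'
ORDER BY c.expiry_date;
GO
```

Because a new encrypted backup is refused once the backup certificate has expired, a negative `days_until_expiry` in this output is the cue to create and back up a replacement certificate before the next backup job runs.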