Using Certificates for Database Mirroring
To enable certificate authentication for database mirroring on a given server instance, the system administrator must configure each server instance to use certificates on both outbound and inbound connections. Outbound connections must be configured first.
All mirroring connections on a server instance use a single database mirroring endpoint, and you must specify the authentication method of the server instance when you create the endpoint. Therefore, you can use only one form of authentication per server instance for database mirroring.
Follow these steps on each server instance that you are configuring for database mirroring:
In the master database, create a database master key.
In the master database, create an encrypted certificate on the server instance.
Create an endpoint for the server instance using its certificate.
Back up the certificate to a file and securely copy it to the other system or systems.
You must complete these steps for each partner and the witness, if there is one.
For more information, see How to: Allow Database Mirroring to Use Certificates for Outbound Connections (Transact-SQL).
Next, follow these steps for each partner that you are configuring for database mirroring. In the master database:
Create a login for the other system.
Create a user for that login.
Obtain the certificate for the mirroring endpoint of the other server instance.
Associate the certificate with the user created in step 2.
Grant CONNECT permission on the login for that mirroring endpoint.
If there is a witness, you must also set up inbound connections for it. This requires setting up logins, users, and certificates for the witness on both of the partners, and vice versa.
For more information, see How to: Allow Database Mirroring to Use Certificates for Inbound Connections (Transact-SQL).
Unless you can guarantee that your network is secure, we recommend that you use encryption for database mirroring connections. For more information, see Database Mirroring Endpoint.
When copying a certificate to another system, use a secure copy method. Be extremely careful to keep all of your certificates secure.