Automating SQL Server TLS Certificate Updates with Let’s Encrypt and Certify The Web
Ensuring that your SQL Server traffic is encrypted with valid, trusted TLS certificates is an essential security best practice — especially for any server that communicates across networks or the Internet.
Recently, I set up a fully automated certificate renewal workflow for our SQL Server instance using:
✅ Let’s Encrypt
✅ Certify The Web
✅ SQL Server 2019 (Express)
✅ PowerShell automation
The Challenge
While Let’s Encrypt makes certificate issuance and renewal easy, SQL Server presents two common hurdles:
1️⃣ SQL Server TLS binding: SQL Server reads the thumbprint of the certificate it serves from the registry (the Certificate value under the instance's SuperSocketNetLib key), so that value must be updated after every renewal.
2️⃣ Private key permissions: SQL Server runs under a specific service account (NT SERVICE\MSSQL$YourInstanceName), and that account needs explicit Read permission on the certificate's private key; without it the service cannot load the certificate and will not start.
If either of these is not handled after a renewal:
🚫 SQL Server will fail to start
🚫 Encrypted connections will fail
🚫 Production systems may be impacted
The Solution
👉 I wrote a simple PowerShell automation script that runs as a Post-Renewal Task in Certify The Web.
The script:
✅ Locates the latest Let’s Encrypt certificate
✅ Updates the Registry with the new certificate thumbprint
✅ Grants the correct private key permissions to the SQL Server service account
✅ Restarts the SQL Server service
✅ Logs the change for audit/compliance
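The automation the list above describes, written out as an added example; this is not the author's script and not part of Certify The Web. It covers the two hurdles from The Challenge section (the registry binding and the private-key ACL) as well as the restart and logging steps. Everything environment-specific is a hypothetical assumption to adjust: a named instance SQLEXPRESS, a certificate with subject CN=sql.example.com, a log file under C:\ProgramData\CertifyTheWeb, an RSA key in the LocalMachine store, and a session with local administrator rights. The `$result` parameter is the object Certify The Web hands to a PowerShell script task; its `ManagedItem.CertificateThumbprintHash` property is used when present so the script does not have to guess which certificate was just issued. The example goes a little beyond the post: it also handles a default instance (MSSQLSERVER), resolves the instance ID and ERRORLOG path from the registry instead of hard-coding the SQL Server version, and checks the ERRORLOG after the restart for the "successfully loaded for encryption" line that proves the new certificate is actually in use.

```powershell
# Added example (not the author's script): Certify The Web post-renewal task for SQL Server.
# Assumptions (hypothetical, adjust for your host): instance SQLEXPRESS, subject CN=sql.example.com,
# RSA key in Cert:\LocalMachine\My, script runs with local admin rights.
param(
    $result,                                  # object Certify The Web passes to PowerShell script tasks
    [string]$InstanceName = 'SQLEXPRESS',
    [string]$CertSubject  = 'CN=sql.example.com',
    [string]$LogPath      = 'C:\ProgramData\CertifyTheWeb\sql-tls-renewal.log'
)
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line   # audit trail of every binding/ACL change
    Write-Output $line
}

# Service name vs. account name: 'MSSQL$<instance>' is what you restart,
# 'NT SERVICE\MSSQL$<instance>' is the principal that needs the key ACL.
# A default instance uses 'MSSQLSERVER' for both.
$serviceName    = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $InstanceName }
$serviceAccount = 'NT SERVICE\' + $serviceName

# 1. Pick the certificate: prefer the thumbprint Certify reports, else the newest matching Let's Encrypt cert.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if ($result -and $result.ManagedItem.CertificateThumbprintHash) {
    $cert = $candidates | Where-Object { $_.Thumbprint -eq $result.ManagedItem.CertificateThumbprintHash }
} else {
    $cert = $candidates | Where-Object { $_.Subject -eq $CertSubject -and $_.Issuer -like "*Let's Encrypt*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}
if (-not $cert) { throw "No usable certificate with a private key found for $CertSubject" }
$thumb = $cert.Thumbprint.ToLower()   # Configuration Manager stores the thumbprint lowercase
Write-Log "Selected certificate $thumb (NotAfter $($cert.NotAfter))"

# 2. Resolve the instance ID (e.g. MSSQL15.SQLEXPRESS) and update the binding SQL Server reads at startup.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
if (-not $instanceId) { throw "Instance $InstanceName is not registered on this host" }
$netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$old = (Get-ItemProperty -Path $netLib -Name Certificate -ErrorAction SilentlyContinue).Certificate
if ($old -eq $thumb) { Write-Log 'Binding already current; nothing to do'; return }
Set-ItemProperty -Path $netLib -Name Certificate -Value $thumb
Write-Log "Certificate binding changed from '$old' to '$thumb'"

# 3. Grant Read on the private key file. CNG keys and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw 'Only RSA private keys are handled by this script'
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)                     # Read is all the service needs; never grant Modify/Full
Set-Acl -Path $keyFile -AclObject $acl
Write-Log "Granted Read on $keyFile to $serviceAccount"

# 4. Restart the service (the new binding is only read at startup) and confirm it came back.
Restart-Service -Name $serviceName -Force
$svc = Get-Service -Name $serviceName
if ($svc.Status -ne 'Running') { throw "$serviceName is $($svc.Status) after restart" }
Write-Log "$serviceName restarted"

# 5. Confirm SQL Server actually loaded the new certificate. The ERRORLOG path is the -e startup
#    parameter, and a successful load writes: The certificate [Cert Hash(sha1) "<thumb>"] was successfully loaded for encryption.
try {
    $params   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\Parameters"
    $errorLog = ($params.PSObject.Properties | Where-Object { "$($_.Value)" -like '-e*' } | Select-Object -First 1).Value.Substring(2)
    Start-Sleep -Seconds 5                    # give the startup messages a moment to be flushed
    $loaded = Select-String -Path $errorLog -Pattern "Cert Hash\(sha1\) `"$thumb`"" -Quiet
    if ($loaded) { Write-Log "ERRORLOG confirms certificate $thumb loaded for encryption" }
    else { Write-Log "WARNING: no load confirmation for $thumb in $errorLog; check the log manually" }
} catch {
    Write-Log "WARNING: could not verify ERRORLOG: $($_.Exception.Message)"
}
```

Register the script as a PowerShell script task under the certificate's Post-Renewal Tasks, then trigger it with Run All Tasks Now before trusting it to a real renewal. Until step 4 runs, SQL Server keeps serving the old certificate, so the ERRORLOG check at the end is what tells you the rollover is actually complete rather than merely written to the registry.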
Key Lessons Learned
✅ Don’t fight the MMC GUI — use PowerShell to manage private key ACLs.
✅ Always distinguish between:
NT SERVICE\MSSQL$InstanceName → used for private key ACLs
MSSQL$InstanceName → used for restarting the service
✅ Certify The Web’s Post-Renewal Tasks feature is powerful — and when used with a well-tested PowerShell script, it gives you a reliable automation flow.
✅ Testing the flow with Run All Tasks Now in Certify The Web ensures smooth production operation.
Results
I now have a fully automated, repeatable, hands-off process:
- Each time Let’s Encrypt renews the SQL Server TLS cert (certificates are valid for 90 days, so this happens several times a year):
  - The cert binding is updated
  - Permissions are correct
  - SQL Server is restarted
  - Logs are written for auditing
- No manual work, no surprises; the only interruption is the brief service restart the script performs.
Final Thoughts
Automating your SQL Server TLS lifecycle with Let’s Encrypt is absolutely achievable — even on Express edition, even when the GUI lacks certain options.
By combining:
✅ Certify The Web
✅ A solid PowerShell script
✅ Careful configuration of permissions and Post-Renewal Tasks
… you can build a highly professional, production-grade solution.