MSSQLSERVICE not starting. error 1067

Aamer- used Ask the Experts™
I have an SQL cluster hosting databases for SCCM, SCOM, and WSUS. I wanted to configure encryption so requested a certificate from an internal CA with a subject name of the SQL cluster virtual server. on the nodes of the SQL server there was a self signed certificate created automatically for SCCM. following the instruction in most of the blogs, I replaced the thumbprint of the certificate in the registry to use the thumbprint of the new certificate. the moment the thumbprint was changed the SQL service stopped and the cluster resource for SQL went down. I replaced the thumbprint on both the nodes and still the service does not come up. I replaced the old thumbprint and restarted but the service still does not start. I did a SQL server repair but no luck. the error I get is : unexpected service failure error 1067. now all of my services are down. what can be done to bring back the service to a running state. SQL version I am running on the cluster is 2012 sp1. it a active/passive cluster hosting databases for all my services. I changed the thumbprint as the application catalog role in SCCM was not working and I found some blogs talking about sql encryption and this messed it up for me.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

You likely have not transferred the private key of the certificate.

Such undertakings should only be done in a test environment with good backups.
you would need to use the osql command line to try and revert what you did.

the certificate is not part of the user/service certificate store.......

try to undo all what you set and reboot nodes
did you make these changes on both nodes?
did you try to do fail over to  2nd node?
did you reboot boxes?
what errors do you see in event viewer?
in cluster error log?
more details is better
Are you using the cluster service as domain login with local admin rights on the both nodes?

what blogs instructions did you use?

did you see this one?
DB Expert/Architect
Top Expert 2011

I suggest you locate your new certificate in certmgr.msc for a computer account and grant SQL Server service account's private key permission to that certificate. You can do this by right clicking on the certificate, choose All tasks then Manage private keys...
In the new window just add your SQL Server service account's permission to the certificate. Then restart your SQL Server.

I don't have any certificate to demonstrate you steps in my own environment, therefore I just paste an image from one of the msdn blogs (reference to the blog is below).

certmgr.msc image

As others stated before, please provide us with SQL Server logs, or at least check what's in the logs.


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial