A primary condition for enabling SSL encryption is that your server and clients must have a digital certificate from a trusted root Certificate Authority (CA). The server and client certificates must be from the same CA. Most Windows systems have Microsoft Certificate Services installed on the PDC, but you can use a third-party provider such as VeriSign. For the example in this article, I used Microsoft Certificate Services to issue certificates for all clients inside the company.

You can choose from two major types of CA: an enterprise root CA or a standalone root CA. A standalone CA doesn't require Active Directory (AD) services, which makes it more popular; many small and mid-sized companies don't use AD. By default, a standalone CA collects certificate requests, then processes them. The CA administrator must approve or deny each request for a certificate. An enterprise CA processes each request immediately.

To request a certificate, SQL Server must run under a domain service account, not the default LocalSystem service account. To verify that you're using the proper account, right-click the name of the SQL Server instance in Enterprise Manager, choose Properties, and select the Security tab. Verify that the This account option is selected and that the proper domain account name is specified.
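
The same check can be scripted across every SQL Server instance on a machine. The following is an added example, not part of the original article: it assumes PowerShell 3.0 or later run locally on the server, and the function name Get-AccountKind and the output column names are made up for illustration.

```powershell
# Added example: report which account each SQL Server engine service runs under
# and whether it is a domain account, as the certificate request requires.
# Assumes PowerShell 3.0+ (Get-CimInstance, [pscustomobject]) on the server itself.

# Prefixes of built-in or machine-local identities, which are not domain accounts.
$localPrefixes = 'NT AUTHORITY\', 'NT SERVICE\', '.\', "${env:COMPUTERNAME}\"

function Get-AccountKind {
    param([string]$StartName)

    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    if ($StartName -eq 'LocalSystem')        { return 'LocalSystem' }

    foreach ($prefix in $localPrefixes) {
        if ($StartName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return 'LocalOrBuiltIn'
        }
    }

    # What remains in DOMAIN\user or user@domain form is treated as a domain account.
    if ($StartName.Contains('\') -or $StartName.Contains('@')) { return 'DomainAccount' }
    return 'Unknown'
}

# MSSQLSERVER is the default instance; named instances are registered as MSSQL$<name>.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' } |
    ForEach-Object {
        $kind = Get-AccountKind -StartName $_.StartName
        [pscustomobject]@{
            Service         = $_.Name
            State           = $_.State
            Account         = $_.StartName
            Kind            = $kind
            IsDomainAccount = ($kind -eq 'DomainAccount')
        }
    } |
    Format-Table -AutoSize
```

Any row where IsDomainAccount is False needs its service logon account changed before the certificate request is made.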