Cannot connect to MS SQL Server. "encrypt" property is set to "false" and "trustServerCertificate" property is set to "false"

Joice Joy 0 Reputation points
2025-08-12T15:44:49.2666667+00:00

Hi all,

I'm trying to connect to an MSSQL server (enabled with forced encryption and using a self-signed certificate) from a Java application using the SQL JDBC connection. But unfortunately I'm getting the following error even though I set enabled=false from the Java application.

After I imported the self-signed certificate into the JVM cacerts, the error below occurred:

Cannot connect to MS SQL Server. "encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: Failed to validate the server name "xyz" in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate "". ClientConnectionId:231cdfffgf

Before importing the certificate, the error was the one below:

Cannot connect to MS SQL Server. "encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ClientConnectionId:231cdfffgf

SQL Server Database Engine

1 answer

  1. Erland Sommarskog 124.3K Reputation points MVP Volunteer Moderator
    2025-08-12T21:17:21.0066667+00:00

    As you might have guessed, if the server has "force encryption" set, the client cannot decline with "false".

    The reason the connection fails even though you have imported the certificate is that you are not connecting by the name that is in the certificate. The fact that the names must match is a security feature. Say that you are connecting to server GOODBOY, but someone has tampered with DNS and you are in fact connected to server EVILMAN and all sorts of bad things happen. This name check prevents this from happening.

    Judging from the error message, there is no hostname in the certificate at all, so you will need to create a new one. I have found this article helpful for this process: https://codekabinett.com/rdumps.php?Lang=2&targetDoc=create-install-ssl-tls-certificate-sql-server

    I should add that sometimes a server can go by multiple names, for instance just the server name or by FQDN. For this situation there is a connection-string option Host Name in Certificate. (Note: I don't work with Java and JDBC, so the exact name may be different in your case.)
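
An added example (not part of the original answer and not Microsoft's code): a small Java check that lists the host names carried by the certificate file that was imported into cacerts and compares them with the host name used in the JDBC URL, which is the comparison the answer describes. The certificate path and host are command-line arguments supplied by the reader, port 1433 is an assumption, and `encrypt`, `trustServerCertificate` and `hostNameInCertificate` are connection properties of the Microsoft JDBC driver.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: usage is  java CertNameCheck <certificate file> <host in JDBC URL>
public class CertNameCheck {
    // DNS subjectAltName entries plus the subject CN; empty if the cert names no host.
    static List<String> namesIn(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // 2 = dNSName
            }
        }
        String dn = cert.getSubjectX500Principal().getName(); // RFC 2253 form
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
        }
        return names;
    }
    public static void main(String[] args) throws Exception {
        String host = args[1];
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER file
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        List<String> names = namesIn(cert);
        System.out.println("Names in certificate: " + names);
        // Certificate validation stays on in every URL printed here.
        String url = "jdbc:sqlserver://" + host + ":1433;encrypt=true;trustServerCertificate=false";
        // Simplification: exact, case-insensitive comparison; wildcard names are not evaluated.
        if (names.stream().anyMatch(n -> n.equalsIgnoreCase(host))) {
            System.out.println("Match. Connect with: " + url);
        } else if (names.isEmpty()) {
            System.out.println("No host name in the certificate: create a new one naming " + host);
        } else {
            // Only valid if the listed name really is another name of this same server.
            System.out.println("No match. If " + names.get(0) + " is this server, use: "
                    + url + ";hostNameInCertificate=" + names.get(0));
        }
    }
}
```

An empty name list corresponds to the `Name in certificate ""` error in the question, where no connection property can help and the certificate has to be reissued.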

