final edits

Author: haywoodsloan

support/sql/database-engine/connect/certificate-chain-not-trusted.md

@@ -12,21 +12,21 @@ ms.custom: sap:Database Connectivity and Authentication
 
 This article helps you troubleshoot certificate chain trust errors that occur when you upgrade database applications from SQL Server Native Client 11.0 (SNAC) to Microsoft OLE DB Driver 19 or Microsoft ODBC Driver 18 for SQL Server.
 
-When you upgrade from SNAC 11.0 to newer drivers, your applications might fail to connect to SQL Server with certificate chain trust errors. This issue occurs because the newer drivers enable encryption by default and require certification validation, while SNAC disabled it by default. This article explains why these errors occur and provides workarounds to resolve them.
+When you upgrade from SNAC 11.0 to newer drivers, your applications might fail to connect to SQL Server with certificate chain trust errors. This problem happens because the newer drivers enable [encryption](/sql/relational-databases/security/securing-sql-server#encryption-and-certificates) by default and require certificate validation, while SNAC disabled it by default. This article explains why these errors occur and provides solutions to resolve them.
 
 ## [Upgraded to Microsoft OLE DB Driver 19 for SQL Server](#tab/ole-db-driver-19)
 
-After you upgrade from SQL Server Native Client 11.0 (Provider=SQLNCLI11) to Microsoft OLE DB Driver 19 for SQL Server, connection attempts might fail with the following error:
+After you upgrade from SQL Server Native Client 11.0 (Provider=SQLNCLI11) to Microsoft OLE DB Driver 19 for SQL Server, connection attempts might fail with the following error message:
 
 > [Microsoft OLE DB Driver 19 for SQL Server]: Client unable to establish connection
 
 > [Microsoft OLE DB Driver 19 for SQL Server]: SSL Provider: The certificate chain was issued by an authority that is not trusted.
 
 ### Cause of certificate chain trust error when upgrading to Microsoft OLE DB Driver 19
 
-This error indicates that the client computer is unable to verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that is not trusted by the client.
+This error indicates that the client computer can't verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that the client doesn't trust.
 
-These errors occur if both the following conditions are true:
+These errors occur if both of the following conditions are true:
 
 - The **Force encryption** setting for the SQL Server instance is set to **No**.
 
@@ -36,30 +36,39 @@ The error occurs because of a change in the default behavior of the client drive
 
 ### Solutions for certificate chain trust error when upgrading to Microsoft OLE DB Driver 19
 
-- **Solution 1:** Use Microsoft OLE DB Driver for SQL Server 18.x. You can download the driver from [Release notes for the Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server).
+#### Use OLE DB Driver 18.x
 
-- **Solution 2:** 
-    - If the application connection string property already specifies a value of **Yes** or **Mandatory** for the **Encrypt/Use Encryption for Data** setting, change the value to **No** or **Optional**. For example, **Use Encryption for Data=Optional**.
-    - If the connection string doesn't specify any value for **Encrypt/Use Encryption for Data**, add **Use Encryption for Data=Optional** to the connection string. For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation).
+Use Microsoft OLE DB Driver for SQL Server 18.x. You can download the driver from [Release notes for the Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server).
 
-- **Solution 3:** Add `;TrustServerCertificate=true` to the SQL Server connection string. This change tells the client to trust the certificate without validation.
+#### Disable mandatory encryption for OLE DB
 
-  > [!NOTE]
-    > Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If you need linked servers, use the existing supported version of MSOLEDBSQL.
+Modify the encryption settings in your connection string:
+
+- If the application connection string property already specifies a value of `Yes` or `Mandatory` for the `Encrypt/Use Encryption for Data` setting, change the value to `No` or `Optional`. For example, `Use Encryption for Data=Optional`.
+- If the connection string doesn't specify any value for `Encrypt/Use Encryption for Data`, add `Use Encryption for Data=Optional` to the connection string.
+
+For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation).
+
+#### Trust the server certificate without validation
+
+Add `;TrustServerCertificate=true` to the SQL Server connection string. This setting tells the client to trust the certificate without validation.
+
+> [!NOTE]
+> Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If you need linked servers, use the existing supported version of MSOLEDBSQL.
 
 ## [Upgraded to Microsoft ODBC Driver 18.*x* for SQL Server](#tab/odbc-driver-18x)
 
 After you upgrade from SQL Server Native Client 11.0 (Driver={SQL Server Native Client 11.0}) to Microsoft ODBC Driver 18 for SQL Server (Driver={ODBC Driver 18 for SQL Server}), connection attempts might fail with the following error message:
 
-> [Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The certificate chain was issued by an authority that is not trusted.
+> \[Microsoft\]\[ODBC Driver 18 for SQL Server\]SSL Provider: The certificate chain was issued by an authority that is not trusted.
 
-> [Microsoft][ODBC Driver 18 for SQL Server]Client unable to establish connection
+> \[Microsoft\]\[ODBC Driver 18 for SQL Server\]Client unable to establish connection
 
 ### Cause of certificate chain trust error when upgrading to Microsoft ODBC Driver 18
 
-This error indicates that the client computer is unable to verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that is not trusted by the client.
+This error indicates that the client computer can't verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that the client doesn't trust.
 
-These errors occur if both the following conditions are true:
+These errors occur if both of the following conditions are true:
 
 - The **Force encryption** setting for the SQL Server instance is set to **No**.
 
@@ -69,21 +78,26 @@ The error occurs because of a change in the default behavior of the client drive
 
 ### Solutions for certificate chain trust error when upgrading to Microsoft ODBC Driver 18
 
-- **Solution 1:** Use the Microsoft ODBC Driver 17 for SQL Server. You can download the driver from [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server).
+#### Use ODBC Driver 17
 
-- **Solution 2:**
-    - If the application connection string property already specifies a value of **Yes** or **Mandatory** for **Encrypt**, change the value to **No** or **Optional**.
-    - If the value isn't already specified, add `Encrypt = Optional;.
-    - If you're using a DSN, change the encryption setting from **Mandatory** to **Optional**. For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute).
+Use the Microsoft ODBC Driver 17 for SQL Server. You can download the driver from [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server).
 
----
+#### Disable mandatory encryption for ODBC
 
-## See also
+Modify the encryption settings in your connection string or DSN:
 
-- [Enable encrypted connections to the Database Engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine)
+- If the application connection string property already specifies a value of `Yes` or `Mandatory` for `Encrypt`, change the value to `No` or `Optional`.
+- If the value isn't already specified, add `Encrypt=Optional;` to the connection string.
+- If you're using a DSN, change the encryption setting from `Mandatory` to `Optional`.
 
-- [The certificate received from the remote server was issued by an untrusted certificate authority error when you connect to SQL Server](../connect/error-message-when-you-connect.md)
+For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute).
 
-- [Support Policies for SQL Server Native Client](/sql/relational-databases/native-client/applications/support-policies-for-sql-server-native-client)
+---
 
-- [SNAC lifecycle explained](https://techcommunity.microsoft.com/t5/sql-server-blog/snac-lifecycle-explained/ba-p/385381)
+## Related content
+
+- [Enable encrypted connections to the Database Engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine)
+- [The certificate received from the remote server was issued by an untrusted certificate authority error when you connect to SQL Server](error-message-when-you-connect.md)
+- [Certificate validation failure](certificate-validation-failure.md)
+- [Support Policies for SQL Server Native Client](/sql/relational-databases/native-client/applications/support-policies-for-sql-server-native-client)
+- [SNAC lifecycle explained](https://techcommunity.microsoft.com/t5/sql-server-blog/snac-lifecycle-explained/ba-p/385381)