You cannot retrieve the server’s private key in Microsoft Fabric, and you should not be able to, this is by design for strong security and tenant isolation.
SSLKEYLOGFILE Method Not Working
The SSLKEYLOGFILE env variable works only if you control the client (like browsers, curl, or custom OpenSSL-based clients). It logs pre-master secrets so tools like Wireshark can decrypt TLS.
In your case:
- You are connecting to Fabric’s SQL endpoint, which is a fully managed PaaS service.
- The SQL endpoint runs over TLS using TDS, and you do not control the Fabric server-side process. Hence, the server will never log session keys for you.
Also, Microsoft Fabric’s SQL endpoint likely terminates TLS at an azure managed reverse proxy or gateway, which is out of your control.
Getting the Server Private Key is not Possible
You asked about retrieving the private key:
- The PK of a Fabric Lakehouse SQL endpoint is never exposed to users, by design.
- Microsoft uses azure certificates, managed by internal Key Vaults, and private keys are hardware-backed or in secure enclaves.
- Even Microsoft employees cannot access these keys directly, this is a core part of azure’s secure infrastructure.
So no, you cannot and should not expect to retrieve the server private key.
As a workaround, you can try:
Enable Query Logging / Diagnostic Logs
Instead of decrypting network traffic:
- Use Fabric diagnostic settings to enable query logging and monitoring.
- Use Log Analytics or Monitor to inspect query activity.
- If your goal is to inspect SQL queries or performance, logging is more stable and supported.
(OR)
Use Azure Network Packet Capture (if VM-based)
If this was your own hosted SQL server (like Azure VM or container), you could:
- Capture traffic using Azure Network Watcher or tcpdump.
- Configure your own TLS cert (e.g., self-signed) so you have access to the private key.
- This does not apply to Microsoft Fabric endpoints.
Please 'Kudos' and 'Accept as Solution' if this answered your query.
