Following the steps of the sql server 2019 documentation:
https://learn.microsoft.com/es-es/sql/connect/jdbc/using-always-encrypted-with-secure-enclaves-with-the-jdbc-driver?view=sql-server-ver15
and https://learn.microsoft.com/es-es/sql/connect/jdbc/using-always-encrypted-with-the-jdbc-driver?view=sql-server-ver15
Actions done:
- Creating a column master key for the Java Key Store with alias AlwaysEncryptedKey
2.1. Create the column master key without [ENCLAVE_COMPUTATIONS (SIGNATURE = signature)]:
CREATE COLUMN MASTER KEY [CMK_Java]
WITH
(
KEY_STORE_PROVIDER_NAME = N'MSSQL_JAVA_KEYSTORE',
KEY_PATH = N'AlwaysEncryptedKey'
);
2.2. Create the column master key with [ENCLAVE_COMPUTATIONS (SIGNATURE = signature)]:
CREATE COLUMN MASTER KEY [CMK_Java]
WITH
(
KEY_STORE_PROVIDER_NAME = N'MSSQL_JAVA_KEYSTORE',
KEY_PATH = N'AlwaysEncryptedKey',
ENCLAVE_COMPUTATIONS (SIGNATURE = 0x57E09D7F67A592459D40.....)
);
- Create column encryption key [CEK_Java] with java class 1.8 (https://learn.microsoft.com/es-es/sql/connect/jdbc/using-always-encrypted-with-the-jdbc-driver?view=sql-server-ver15#use-column-master-key-store-providers-for-programmatic-key-provisioning or https://medium.com/captech-corner/integrating-sql-server-always-encrypted-into-java-application-3904ce2b48c9) it is created in sql server:
/****** Object: ColumnEncryptionKey [CEK_Java] ******/
CREATE COLUMN ENCRYPTION KEY [CEK_Java]
WITH VALUES
(
COLUMN_MASTER_KEY = [CMK_Java],
ALGORITHM = 'RSA_OAEP',
ENCRYPTED_VALUE = 0x010A000001650....
)
- On a previously created “Employees” table, an attempt is made to encrypt the NIF field:
ALTER TABLE [Employees]
ALTER COLUMN [NIF] [char](9) COLLATE Latin1_General_BIN2
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_Java], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
WITH
(ONLINE = ON);
...with the following results:
- If you have done point 2.1, when executing 4 you receive the error:
"Cannot alter column 'NIF'. The statement attempts to encrypt, decrypt or re-encrypt the column in-place using a secure enclave, but the current and/or the target column encryption key for the column is not enclave-enabled."
- If you have done point 2.2, when executing 4 you receive the error:
"An error occurred while executing batch. Error message is: Unable to verify a column master key signature. Error message: Invalid key store provider name: 'MSSQL_JAVA_KEYSTORE'. A key store provider name must denote either a system key store provider or a registered custom key store provider. Valid system key store provider names are: 'MSSQL_CERTIFICATE_STORE', 'MSSQL_CNG_STORE', 'MSSQL_CSP_PROVIDER'. Valid (currently registered) custom key store provider names are: 'AZURE_KEY_VAULT'. Please verify key store provider information in column master key definitions in the database, and verify all custom key store providers used in your application are registered properly."
Questions:
- I understand that the error received when doing point 2.1 is because the master key is not enclave-enabled (enabling the enclave is done in point 2.2).
- How can I register the MSSQL_JAVA_KEYSTORE provider?
- How can SQL Server 2019 verify the signature of a column master key?
- If the signature is incorrect, how can I obtain it correctly?
- Is there a page where the detailed points are detailed in more depth?
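The following is an added example, not code from the question or from the Microsoft JDBC driver project. It shows the two pieces of the JDBC side that the question is asking about: registering the Java key store provider under the name `MSSQL_JAVA_KEYSTORE` that the `CREATE COLUMN MASTER KEY` statement references, and having that provider verify the `ENCLAVE_COMPUTATIONS` signature stored in `sys.column_master_keys`. The signature of an enclave-enabled column master key is checked by the client driver's registered key store provider before the driver hands the column encryption key to the enclave, which is why a client with no provider registered under that name cannot verify it. The keystore path, keystore password, connection string, attestation URL and class name are assumptions for illustration; `enclaveAttestationUrl` and `enclaveAttestationProtocol=HGS` are the JDBC connection properties for a SQL Server 2019 VBS enclave attested by HGS.

```java
import com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionJavaKeyStoreProvider;
import com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider;
import com.microsoft.sqlserver.jdbc.SQLServerConnection;
import com.microsoft.sqlserver.jdbc.SQLServerException;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;

public class CmkSignatureCheck {

    // Assumed placeholder values (not from the question): adjust to your environment.
    static final String KEYSTORE_PATH = "/path/to/AlwaysEncryptedKeyStore.jks";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final String JDBC_URL =
        "jdbc:sqlserver://localhost:1433;databaseName=HR;user=app;password=secret;"
      + "encrypt=true;trustServerCertificate=true;"
      + "columnEncryptionSetting=Enabled;"
      + "enclaveAttestationUrl=http://hgs.example.local/Attestation;"
      + "enclaveAttestationProtocol=HGS";

    /**
     * Registers the Java key store provider process-wide. getName() returns
     * "MSSQL_JAVA_KEYSTORE", the same name used in KEY_STORE_PROVIDER_NAME of the CMK.
     * The driver allows this static registration only once per JVM.
     */
    static SQLServerColumnEncryptionJavaKeyStoreProvider registerJavaKeyStoreProvider()
            throws SQLServerException {
        SQLServerColumnEncryptionJavaKeyStoreProvider provider =
            new SQLServerColumnEncryptionJavaKeyStoreProvider(KEYSTORE_PATH, KEYSTORE_PASSWORD);
        Map<String, SQLServerColumnEncryptionKeyStoreProvider> providers = new LinkedHashMap<>();
        providers.put(provider.getName(), provider);
        SQLServerConnection.registerColumnEncryptionKeyStoreProviders(providers);
        return provider;
    }

    /**
     * Reads every column master key's stored metadata and asks the provider whether the
     * stored signature matches (key path + allow_enclave_computations, signed with the
     * key store's certificate). Keys that belong to other providers are skipped.
     */
    static Map<String, Boolean> verifyAllColumnMasterKeys(Connection conn,
            SQLServerColumnEncryptionKeyStoreProvider provider) throws SQLException {
        Map<String, Boolean> results = new LinkedHashMap<>();
        String sql = "SELECT name, key_store_provider_name, key_path, "
                   + "allow_enclave_computations, signature FROM sys.column_master_keys";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                String name = rs.getString("name");
                String storeName = rs.getString("key_store_provider_name");
                if (!provider.getName().equalsIgnoreCase(storeName)) {
                    continue; // this provider cannot vouch for a CMK held elsewhere
                }
                String keyPath = rs.getString("key_path");
                boolean allowEnclave = rs.getBoolean("allow_enclave_computations");
                byte[] signature = rs.getBytes("signature");
                // A CMK created without ENCLAVE_COMPUTATIONS has no signature to verify.
                boolean ok = signature != null
                    && provider.verifyColumnMasterKeyMetadata(keyPath, allowEnclave, signature);
                results.put(name, ok);
            }
        }
        return results;
    }

    public static void main(String[] args) throws SQLException {
        SQLServerColumnEncryptionJavaKeyStoreProvider provider = registerJavaKeyStoreProvider();
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            for (Map.Entry<String, Boolean> e : verifyAllColumnMasterKeys(conn, provider).entrySet()) {
                System.out.println(e.getKey() + ": signature "
                    + (e.getValue() ? "verifies" : "does NOT verify"));
            }
        }
    }
}
```

Running this from a JDBC client that has the Java key store provider registered reports, for `CMK_Java`, whether the signature stored in the database was produced by the private key behind the `AlwaysEncryptedKey` alias; a `false` result means the driver will refuse to use the corresponding column encryption key with the enclave.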