...
According to this Howto, the name of the certificate must be the fully qualified domain name (FQDN) of the computer. Since the TCS certificates we use can only contain a valid FQDN as the Subject's Common Name (CN), this had to be correct. I checked permissions and those seemed to be OK as well.
It turned out that the server did not have an FQDN. In Windows this is called the Full Computer Name, and indeed that was still set to a single label:
To change this I had to add our domain name under "Primary DNS suffix of this computer":
I wasn't aware that Windows did this sort of check, but I think it makes sense because it prevents you from inadvertently using a wrong certificate.
After fixing the FQDN, the certificate showed up in the SQL Server Network Configuration.
Then I forced encryption, checked again with Wireshark, and indeed there were no more plain text queries.
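The two conditions the post runs into (the machine name must be a full FQDN, and the certificate must match it and be usable by the SQL Server service) can be audited from PowerShell instead of clicking through the dialogs. The script below is an added example, not code from the original post; it reads the hostname and primary DNS suffix from the TCP/IP registry parameters, checks every certificate in the local machine's Personal store against SQL Server's documented requirements (name equal to the FQDN, private key present, Server Authentication EKU, currently valid), and reports the Force Encryption flag. The SQL instance registry path contains a placeholder instance ID that you must replace with your own.

```powershell
# Added example (not from the original post): audit FQDN, certificate and
# Force Encryption state for SQL Server TLS. Read-only; run elevated.
# Assumption: <INSTANCE_ID> below is a placeholder (e.g. MSSQL15.MSSQLSERVER);
# look it up under 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'.

$tcpip    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$hostname = $tcpip.Hostname
$suffix   = $tcpip.Domain   # the "Primary DNS suffix of this computer" field
$fqdn     = if ($suffix) { "$hostname.$suffix" } else { $hostname }

Write-Host "Hostname          : $hostname"
Write-Host "Primary DNS suffix: $(if ($suffix) { $suffix } else { '<none - single-label name>' })"
Write-Host "Full Computer Name: $fqdn"
if (-not $suffix) {
    Write-Warning "No primary DNS suffix; SQL Server Configuration Manager will not list a certificate issued to an FQDN."
}

# SQL Server requirements: LocalMachine\My, private key, Server Authentication EKU,
# and a CN or SAN DNS name equal to the Full Computer Name.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $cn    = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NameMatches   = ($names -contains $fqdn)        # case-insensitive in PowerShell
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuth    = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        NotAfter      = $cert.NotAfter
    }
}
$candidates | Format-Table -AutoSize

$usable = $candidates | Where-Object { $_.NameMatches -and $_.HasPrivateKey -and $_.ServerAuth -and $_.Valid }
if ($usable) {
    Write-Host "Usable for SQL Server TLS: $($usable.Thumbprint -join ', ')"
} else {
    Write-Warning "No certificate satisfies all of: name = FQDN, private key, Server Authentication EKU, currently valid."
}

# Force Encryption is stored under the instance's SuperSocketNetLib key (1 = every connection encrypted).
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE_ID>\MSSQLServer\SuperSocketNetLib'  # placeholder
if (Test-Path $instanceKey) {
    $ssnl = Get-ItemProperty $instanceKey
    Write-Host "ForceEncryption   : $($ssnl.ForceEncryption)  (1 = clients cannot connect unencrypted)"
    Write-Host "Certificate       : $($ssnl.Certificate)      (thumbprint SQL Server was told to use)"
} else {
    Write-Warning "Instance key not found; replace <INSTANCE_ID> with your instance ID."
}
```

The private-key permission the post mentions (read access for the SQL Server service account) is not covered by the properties above; if a certificate passes every check here but still does not appear in Configuration Manager, that ACL is the next thing to inspect.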
RDP Crypto
Since we now have a nice server certificate in the Windows Certificate Store, I figured I might as well use it to secure more services that run on this machine. The most obvious service is of course the channel by which the machine is managed: Remote Desktop Protocol (RDP). Based on the docs, RDP does support SSL (TLS 1.0). The installed certificate can be configured with the Remote Desktop Session Host Configuration. While at it, I also selected to only use SSL (TLS 1.0), and High Encryption level:
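The same three settings from the Session Host Configuration dialog (security layer, encryption level and the certificate RDP presents) are exposed on the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, which makes it easy to verify the change and to catch a server that has drifted back to the default self-signed certificate. This is an added example, not code from the original post; it only reads the settings, with the write steps left commented out at the bottom (the thumbprint there is a placeholder). Note that the dialog labels the layer "SSL (TLS 1.0)" for historical reasons; on current Windows versions the same SecurityLayer value negotiates whichever TLS version Schannel allows, so disabling TLS 1.0 itself is a separate Schannel setting.

```powershell
# Added example (not from the original post): verify the RDP-Tcp listener's
# security layer, minimum encryption level and presented certificate.
# Read-only unless the commented apply steps are enabled (elevated session).

$rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                       -ClassName Win32_TSGeneralSetting `
                       -Filter "TerminalName='RDP-Tcp'"

# Documented value meanings for the two numeric properties.
$securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

Write-Host "SecurityLayer     : $($rdp.SecurityLayer) ($($securityLayerNames[[int]$rdp.SecurityLayer]))"
Write-Host "MinEncryptionLevel: $($rdp.MinEncryptionLevel) ($($encryptionNames[[int]$rdp.MinEncryptionLevel]))"
Write-Host "Certificate hash  : $($rdp.SSLCertificateSHA1Hash)"

# Resolve the hash so you can see which certificate clients actually get.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $rdp.SSLCertificateSHA1Hash }
if ($cert) {
    Write-Host "Presented cert    : $($cert.Subject), expires $($cert.NotAfter)"
} else {
    Write-Warning "RDP's hash matches nothing in LocalMachine\My; the default self-signed certificate lives in the 'Remote Desktop' store."
}

# Compare with the hardened choice made in the dialog: SSL layer, High encryption.
$findings = @()
if ($rdp.SecurityLayer -ne 2) {
    $findings += "SecurityLayer is $($rdp.SecurityLayer); 2 (SSL/TLS) is needed for the server certificate to be presented."
}
if ($rdp.MinEncryptionLevel -lt 3) {
    $findings += "MinEncryptionLevel is $($rdp.MinEncryptionLevel); 3 (High) or 4 (FIPS) expected."
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "RDP listener matches the hardened configuration." }

# Apply the same settings without the GUI (uncomment in an elevated session):
# Invoke-CimMethod -InputObject $rdp -MethodName SetSecurityLayer   -Arguments @{ SecurityLayer = 2 }
# Invoke-CimMethod -InputObject $rdp -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = 3 }
# $rdp | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = '<THUMBPRINT>' }   # placeholder thumbprint
```

Running this after the certificate is renewed is worth the habit: the listener stores a thumbprint, not a reference to the certificate, so a renewed certificate with a new thumbprint silently leaves RDP presenting the old one until it expires.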
...