Backup-DbaDbCertificate - Handle DMK-encrypted certs when DecryptionPassword is also provided

github-actions[bot] · andreasjordan · github-actions[bot] · commit ba52db574c2a · 2026-04-08T06:13:57.000Z
Restores dbatoolsci_AGCert to DMK encryption (required for AG endpoint auth).
Fixes Backup-DbaDbCertificate to check PrivateKeyEncryptionType: when a cert's
private key is encrypted by the database master key, skip DecryptionPassword and
use the 3-param export overload instead of the 4-param one that SQL Server rejects.
Updates the "all instance" backup test to use containment checks instead of an
exact count, since the DMK cert will now be backed up successfully.

Co-authored-by: Andreas Jordan &lt;andreasjordan@users.noreply.github.com&gt;
diff --git a/public/Backup-DbaDbCertificate.ps1 b/public/Backup-DbaDbCertificate.ps1
@@ -225,15 +225,24 @@ function Backup-DbaDbCertificate {
 
                     # because the password shouldn't go to memory...
                     if ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -gt 0) {
-
-                        Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
-
-                        $cert.export(
-                            $exportPathCert,
-                            $exportPathKey,
-                            ($EncryptionPassword | ConvertFrom-SecurePass),
-                            ($DecryptionPassword | ConvertFrom-SecurePass)
-                        )
+                        if ($cert.PrivateKeyEncryptionType -eq [Microsoft.SqlServer.Management.Smo.PrivateKeyEncryptionType]::MasterKey) {
+                            Write-Message -Level Verbose -Message "Both passwords passed in but private key of $certName is encrypted by the database master key. DecryptionPassword will be ignored."
+
+                            $cert.export(
+                                $exportPathCert,
+                                $exportPathKey,
+                                ($EncryptionPassword | ConvertFrom-SecurePass)
+                            )
+                        } else {
+                            Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
+
+                            $cert.export(
+                                $exportPathCert,
+                                $exportPathKey,
+                                ($EncryptionPassword | ConvertFrom-SecurePass),
+                                ($DecryptionPassword | ConvertFrom-SecurePass)
+                            )
+                        }
                     } elseif ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -eq 0) {
                         Write-Message -Level Verbose -Message "Only encryption password passed in. Will export both cer and pvk."
 
diff --git a/tests/Backup-DbaDbCertificate.Tests.ps1 b/tests/Backup-DbaDbCertificate.Tests.ps1
@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {
             }
             $results = Backup-DbaDbCertificate @splatBackupAllCerts
 
-            $results | Should -HaveCount 3
-            $results.Certificate | Should -Be $cert1.Name, $cert2.Name, $cert3.Name
+            $results.Certificate | Should -Contain $cert1.Name
+            $results.Certificate | Should -Contain $cert2.Name
+            $results.Certificate | Should -Contain $cert3.Name
         }
     }
 }
diff --git a/tests/appveyor.SQL2019.ps1 b/tests/appveyor.SQL2019.ps1
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongPassword>'" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '<StrongPassword>' WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
 
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName
diff --git a/tests/appveyor.SQL2022.ps1 b/tests/appveyor.SQL2022.ps1
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongPassword>'" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '<StrongPassword>' WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
 
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName

Original file line number	Diff line number	Diff line change
`@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {`
`149`	`149`	`}`
`150`	`150`	`$results = Backup-DbaDbCertificate @splatBackupAllCerts`
`151`	`151`
`152`		`- $results \| Should -HaveCount 3`
`153`		`- $results.Certificate \| Should -Be $cert1.Name, $cert2.Name, $cert3.Name`
	`152`	`+ $results.Certificate \| Should -Contain $cert1.Name`
	`153`	`+ $results.Certificate \| Should -Contain $cert2.Name`
	`154`	`+ $results.Certificate \| Should -Contain $cert3.Name`
`154`	`155`	`}`
`155`	`156`	`}`
`156`	`157`	`}`