diff --git a/public/Backup-DbaDbCertificate.ps1 b/public/Backup-DbaDbCertificate.ps1
index 29078a214ca..bae2b463d46 100644
--- a/public/Backup-DbaDbCertificate.ps1
+++ b/public/Backup-DbaDbCertificate.ps1
@@ -225,15 +225,24 @@ function Backup-DbaDbCertificate {
 # because the password shouldn't go to memory...
 if ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -gt 0) {
-
- Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
-
- $cert.export(
- $exportPathCert,
- $exportPathKey,
- ($EncryptionPassword | ConvertFrom-SecurePass),
- ($DecryptionPassword | ConvertFrom-SecurePass)
- )
+ if ($cert.PrivateKeyEncryptionType -eq [Microsoft.SqlServer.Management.Smo.PrivateKeyEncryptionType]::MasterKey) {
+ Write-Message -Level Verbose -Message "Both passwords passed in but private key of $certName is encrypted by the database master key. DecryptionPassword will be ignored."
+
+ $cert.export(
+ $exportPathCert,
+ $exportPathKey,
+ ($EncryptionPassword | ConvertFrom-SecurePass)
+ )
+ } else {
+ Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
+
+ $cert.export(
+ $exportPathCert,
+ $exportPathKey,
+ ($EncryptionPassword | ConvertFrom-SecurePass),
+ ($DecryptionPassword | ConvertFrom-SecurePass)
+ )
+ }
 } elseif ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -eq 0) {
 Write-Message -Level Verbose -Message "Only encryption password passed in. Will export both cer and pvk."
diff --git a/tests/Backup-DbaDbCertificate.Tests.ps1 b/tests/Backup-DbaDbCertificate.Tests.ps1
index b4bd334cee9..37d8d968263 100644
--- a/tests/Backup-DbaDbCertificate.Tests.ps1
+++ b/tests/Backup-DbaDbCertificate.Tests.ps1
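Review bot: In the new `MasterKey` branch a `-DecryptionPassword` that the caller supplied is discarded with only a Verbose message, so in a default run nothing tells the operator that a credential they passed was not used; I would surface it at warning level, `Write-Message -Level Warning -Message "Private key of $certName is encrypted by the database master key. DecryptionPassword will be ignored."`. The `else` branch now stands for every other `PrivateKeyEncryptionType` value rather than only password-protected keys, so a one-line comment such as `# any non-MasterKey type: keep the previous behaviour and pass DecryptionPassword` would make that intent explicit. The `if`/`elseif` chain and the function body continue outside the hunk, so I can't tell from here whether the other password branches need the same check.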
@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {
 }
 $results = Backup-DbaDbCertificate @splatBackupAllCerts
- $results | Should -HaveCount 3
- $results.Certificate | Should -Be $cert1.Name, $cert2.Name, $cert3.Name
+ $results.Certificate | Should -Contain $cert1.Name
+ $results.Certificate | Should -Contain $cert2.Name
+ $results.Certificate | Should -Contain $cert3.Name
 }
 }
 }
\ No newline at end of file
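Review bot: The three `Should -Contain` checks no longer catch duplicated or unexpected entries that `Should -HaveCount 3` used to catch, and nothing in this hunk exercises the new master-key branch with both passwords supplied. If the count was dropped because other certificates in the database are now returned (a guess, the setup is outside the hunk), the check can be kept for the certificates the test created: `($results.Certificate | Where-Object { $_ -in $cert1.Name, $cert2.Name, $cert3.Name }) | Should -HaveCount 3`. The `Describe` block starts outside the hunk.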