From fadbe5e2a5e837caef3e3a47162a7d4d6e7b3344 Mon Sep 17 00:00:00 2001
From: Andreas Jordan
Date: Mon, 6 Apr 2026 12:00:16 +0200
Subject: [PATCH 1/3] add password to certificate to be able to backup

---
 tests/appveyor.SQL2019.ps1 | 2 +-
 tests/appveyor.SQL2022.ps1 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/appveyor.SQL2019.ps1 b/tests/appveyor.SQL2019.ps1
index d0cb6279a24..02550941f9f 100644
--- a/tests/appveyor.SQL2019.ps1
+++ b/tests/appveyor.SQL2019.ps1
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate', ENCRYPTION BY PASSWORD = ''" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName
diff --git a/tests/appveyor.SQL2022.ps1 b/tests/appveyor.SQL2022.ps1
index 781ce7b57ec..4031f3aa963 100644
--- a/tests/appveyor.SQL2022.ps1
+++ b/tests/appveyor.SQL2022.ps1
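Review bot: The added CREATE CERTIFICATE statement places `ENCRYPTION BY PASSWORD` after `WITH SUBJECT`, but T-SQL takes the encryption clause before `WITH SUBJECT`, so the line as written will not parse; the second patch in this series reorders it, and the same line is added in the SQL2022 hunk of this patch. Squashing patches 1 and 2 would avoid a commit at which both CI setup scripts fail on this statement. The password literal appears here as `''`, as it does for the master key one line above; if that is the real value rather than a redaction in this listing, an empty password is unlikely to pass the server's password policy check, so a non-trivial value sourced from the CI environment would be the safer fixture.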
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate', ENCRYPTION BY PASSWORD = ''" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName

From e04c1768b2b2d34e5177024ab937ae857c5502cf Mon Sep 17 00:00:00 2001
From: Andreas Jordan
Date: Mon, 6 Apr 2026 19:44:01 +0200
Subject: [PATCH 2/3] fix syntax

---
 tests/appveyor.SQL2019.ps1 | 2 +-
 tests/appveyor.SQL2022.ps1 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/appveyor.SQL2019.ps1 b/tests/appveyor.SQL2019.ps1
index 02550941f9f..ca725e817c0 100644
--- a/tests/appveyor.SQL2019.ps1
+++ b/tests/appveyor.SQL2019.ps1
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate', ENCRYPTION BY PASSWORD = ''" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '' WITH SUBJECT = 'AG Certificate'" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName
diff --git a/tests/appveyor.SQL2022.ps1 b/tests/appveyor.SQL2022.ps1
index 4031f3aa963..4fd30ac5a5f 100644
--- a/tests/appveyor.SQL2022.ps1
+++ b/tests/appveyor.SQL2022.ps1
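Review bot: With the clause order fixed, `dbatoolsci_AGCert` is now created with a password-protected private key instead of one protected by the database master key, and the third patch in this series reverts exactly this line because the certificate is used for AG endpoint authentication, which that patch's description says requires DMK protection. Teaching Backup-DbaDbCertificate to handle DMK-protected keys, as patch 3 does, is the right fix; this hunk and the matching SQL2022 hunk therefore only add churn to the CI setup scripts and could be dropped from the series. If a password-protected certificate is still wanted as a test fixture for the backup command, create a separate certificate alongside the AG one rather than changing the AG certificate's key protection.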
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate', ENCRYPTION BY PASSWORD = ''" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '' WITH SUBJECT = 'AG Certificate'" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName

From ba52db574c2a798834baaca15cdd850717632a9b Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Wed, 8 Apr 2026 06:13:57 +0000
Subject: [PATCH 3/3] Backup-DbaDbCertificate - Handle DMK-encrypted certs when DecryptionPassword is also provided

Restores dbatoolsci_AGCert to DMK encryption (required for AG endpoint auth).

Fixes Backup-DbaDbCertificate to check PrivateKeyEncryptionType: when a cert's private key is encrypted by the database master key, skip DecryptionPassword and use the 3-param export overload instead of the 4-param one that SQL Server rejects.

Updates the "all instance" backup test to use containment checks instead of an exact count, since the DMK cert will now be backed up successfully.

Co-authored-by: Andreas Jordan
---
 public/Backup-DbaDbCertificate.ps1 | 27 ++++++++++++++++---------
 tests/Backup-DbaDbCertificate.Tests.ps1 | 5 +++--
 tests/appveyor.SQL2019.ps1 | 2 +-
 tests/appveyor.SQL2022.ps1 | 2 +-
 4 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/public/Backup-DbaDbCertificate.ps1 b/public/Backup-DbaDbCertificate.ps1
index 29078a214ca..bae2b463d46 100644
--- a/public/Backup-DbaDbCertificate.ps1
+++ b/public/Backup-DbaDbCertificate.ps1
@@ -225,15 +225,24 @@ function Backup-DbaDbCertificate {
             # because the password shouldn't go to memory...
             if ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -gt 0) {
-
-                Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
-
-                $cert.export(
-                    $exportPathCert,
-                    $exportPathKey,
-                    ($EncryptionPassword | ConvertFrom-SecurePass),
-                    ($DecryptionPassword | ConvertFrom-SecurePass)
-                )
+                if ($cert.PrivateKeyEncryptionType -eq [Microsoft.SqlServer.Management.Smo.PrivateKeyEncryptionType]::MasterKey) {
+                    Write-Message -Level Verbose -Message "Both passwords passed in but private key of $certName is encrypted by the database master key. DecryptionPassword will be ignored."
+
+                    $cert.export(
+                        $exportPathCert,
+                        $exportPathKey,
+                        ($EncryptionPassword | ConvertFrom-SecurePass)
+                    )
+                } else {
+                    Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
+
+                    $cert.export(
+                        $exportPathCert,
+                        $exportPathKey,
+                        ($EncryptionPassword | ConvertFrom-SecurePass),
+                        ($DecryptionPassword | ConvertFrom-SecurePass)
+                    )
+                }
             } elseif ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -eq 0) {
                 Write-Message -Level Verbose -Message "Only encryption password passed in. Will export both cer and pvk."
diff --git a/tests/Backup-DbaDbCertificate.Tests.ps1 b/tests/Backup-DbaDbCertificate.Tests.ps1
index b4bd334cee9..37d8d968263 100644
--- a/tests/Backup-DbaDbCertificate.Tests.ps1
+++ b/tests/Backup-DbaDbCertificate.Tests.ps1
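Review bot: The new verbose message interpolates `$certName`, which is not assigned anywhere in this hunk; the enclosing loop and function start outside the hunk, so confirm that variable exists in this scope, otherwise the message prints an empty name (`$cert.Name` is the safe choice if it does not). Discarding a caller-supplied `DecryptionPassword` is something the operator should see without `-Verbose`, since the caller presumably expected that secret to be required for the export; `Write-Message -Level Warning` on the first line of the new branch would surface it in default output. The reason for the branch lives only in the commit message, so a comment above the inner `if` would help the next reader, e.g. `# Private key is protected by the DMK, not a password: SQL Server rejects the four-argument export overload here, so export without DecryptionPassword.` The check only special-cases `MasterKey`; if provider-protected keys can reach this branch (the CI setup registers an EKM provider), they may need the same treatment, which is worth confirming against SMO's behavior rather than assuming.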
@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {
             }
             $results = Backup-DbaDbCertificate @splatBackupAllCerts
-            $results | Should -HaveCount 3
-            $results.Certificate | Should -Be $cert1.Name, $cert2.Name, $cert3.Name
+            $results.Certificate | Should -Contain $cert1.Name
+            $results.Certificate | Should -Contain $cert2.Name
+            $results.Certificate | Should -Contain $cert3.Name
         }
     }
 }
\ No newline at end of file
diff --git a/tests/appveyor.SQL2019.ps1 b/tests/appveyor.SQL2019.ps1
index ca725e817c0..d0cb6279a24 100644
--- a/tests/appveyor.SQL2019.ps1
+++ b/tests/appveyor.SQL2019.ps1
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '' WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName
diff --git a/tests/appveyor.SQL2022.ps1 b/tests/appveyor.SQL2022.ps1
index 4fd30ac5a5f..781ce7b57ec 100644
--- a/tests/appveyor.SQL2022.ps1
+++ b/tests/appveyor.SQL2022.ps1
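Review bot: The rewritten assertions no longer exercise the behavior this commit fixes: the DMK-protected `dbatoolsci_AGCert`, which the removed `-HaveCount 3` implicitly excluded, is not asserted anywhere, so a regression back to the four-argument export would still pass this test. Add `$results.Certificate | Should -Contain 'dbatoolsci_AGCert'` next to the three existing `-Contain` checks (using whatever variable the test's setup, which is outside this hunk, holds that name in), and consider keeping a lower bound such as `$results.Count | Should -BeGreaterOrEqual 4` so that an export that silently yields nothing for one certificate is still caught. `-Contain` also stops verifying that each certificate appears exactly once; if duplicates would indicate a bug, compare `$results.Certificate | Sort-Object -Unique` against the expected names instead.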
@@ -19,7 +19,7 @@ $null = Set-DbaSpConfigure -SqlInstance $sqlinstance -Name ExtensibleKeyManageme
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CRYPTOGRAPHIC PROVIDER dbatoolsci_AKV FROM FILE = 'C:\github\appveyor-lab\keytests\ekm\Microsoft.AzureKeyVaultService.EKM.dll'" -EnableException
 $null = Enable-DbaAgHadr -SqlInstance $sqlinstance -Force -EnableException -Confirm:$false
 Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''" -EnableException
-Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert ENCRYPTION BY PASSWORD = '' WITH SUBJECT = 'AG Certificate'" -EnableException
+Invoke-DbaQuery -SqlInstance $sqlinstance -Query "CREATE CERTIFICATE dbatoolsci_AGCert WITH SUBJECT = 'AG Certificate'" -EnableException
 $loginName = "$env:COMPUTERNAME\$env:USERNAME"
 $login = Get-DbaLogin -SqlInstance $sqlinstance -Login $loginName