Add-DbaComputerCertificate

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS


Want to see the source code for this command? Check out Add-DbaComputerCertificate on GitHub.
Want to see the Bill Of Health for this command? Check out Add-DbaComputerCertificate.

Synopsis

Imports X.509 certificates into the Windows certificate store on local or remote computers.

Description

Imports X.509 certificates (including password-protected .pfx files with private keys) into the specified Windows certificate store on one or more computers. This function is essential for SQL Server TLS/SSL encryption setup, Availability Group certificate requirements, and Service Broker security configurations.

The function handles both certificate files from disk and certificate objects from the pipeline, supports remote installation via PowerShell remoting, and allows you to control import behavior through various flags like exportable/non-exportable private keys. By default, certificates are installed to the LocalMachine\My (Personal) store with exportable and persistent private keys, which is the standard location for SQL Server service certificates.

Syntax

Add-DbaComputerCertificate
    [[-ComputerName] <DbaInstanceParameter[]>]
    [[-Credential] <PSCredential>]
    [[-SecurePassword] <SecureString>]
    [[-Certificate] <X509Certificate2[]>]
    [[-Path] <String>]
    [[-Store] <String>]
    [[-Folder] <String>]
    [[-Flag] <String[]>]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Add-DbaComputerCertificate -ComputerName Server1 -Path C:\temp\cert.cer

Adds the local C:\temp\cert.cer to the remote server Server1 in LocalMachine\My (Personal).

Example: 2
PS C:\> Add-DbaComputerCertificate -Path C:\temp\cert.cer

Adds the local C:\temp\cert.cer to the local computer's LocalMachine\My (Personal) certificate store.

Example: 3
PS C:\> Add-DbaComputerCertificate -ComputerName sql01 -Path C:\temp\sql01.pfx -Confirm:$false -Flag NonExportable

Adds the local C:\temp\sql01.pfx to sql01's LocalMachine\My (Personal) certificate store and marks the private key as non-exportable. Skips the confirmation prompt.
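The following is an added worked example, not one of the dbatools examples above: it imports a password-protected .pfx on a remote host with a non-exportable private key, prompting for the password rather than embedding it, and then reads the store back to confirm the import. It assumes sql01 and C:\temp\sql01.pfx are placeholders, that Add-DbaComputerCertificate returns an object with a Thumbprint property, and that the companion dbatools command Get-DbaComputerCertificate accepts -ComputerName and -Thumbprint.

```powershell
# Added example (not from the dbatools documentation). Placeholders: host and PFX path.
$target  = 'sql01'                   # placeholder: SQL Server host
$pfxPath = 'C:\temp\sql01.pfx'       # placeholder: password-protected PFX with private key

# Ask for the PFX password interactively so it never lands in the script or shell history
$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString

# Import into LocalMachine\My (the defaults) with a non-exportable private key.
# -EnableException turns dbatools' friendly warning into a catchable exception.
try {
    $imported = Add-DbaComputerCertificate -ComputerName $target `
        -Path $pfxPath -SecurePassword $pfxPassword `
        -Flag NonExportable -Confirm:$false -EnableException
} catch {
    throw "Import on $target failed: $($_.Exception.Message)"
}

# Assumption: the returned object exposes Thumbprint; use it to read the store back.
$thumbprint = $imported.Thumbprint
$cert = Get-DbaComputerCertificate -ComputerName $target -Thumbprint $thumbprint
if (-not $cert) {
    throw "Certificate $thumbprint is not present in LocalMachine\My on $target"
}

# Basic post-import checks a practitioner would want before binding the cert to SQL Server
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $thumbprint on $target expires on $($cert.NotAfter)"
}
Write-Output "Imported $thumbprint on $target (Subject: $($cert.Subject))"
```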

Optional Parameters

-ComputerName

The target computer or computers where certificates will be installed. Accepts server names, FQDNs, or IP addresses.
Use this when installing certificates on remote SQL Server hosts or cluster nodes. Defaults to localhost when not specified.

Alias
Required False
Pipeline false
Default Value $env:COMPUTERNAME
-Credential

Allows you to log in to $ComputerName using alternative credentials.

Alias
Required False
Pipeline false
Default Value
-SecurePassword

The password for encrypted certificate files (.pfx files with private keys). Required when importing password-protected certificates.
Use this when installing SSL certificates or Service Broker certificates that were exported with password protection.

Alias Password
Required False
Pipeline false
Default Value
-Certificate

A certificate object from the pipeline or PowerShell variable. Accepts X509Certificate2 objects from Get-ChildItem Cert:\ or other certificate commands.
Use this when you already have certificate objects loaded in memory rather than reading from disk files.

Alias
Required False
Pipeline true (ByValue)
Default Value
-Path

The local file path to the certificate file (.cer, .crt, .pfx, .p12). The file must be accessible from the machine running the command.
Specify this when installing certificates from files on disk, commonly used for SSL certificates or custom CA certificates.

Alias
Required False
Pipeline false
Default Value
-Store

The certificate store location where certificates will be installed. Options are LocalMachine (system-wide) or CurrentUser (user-specific).
Use LocalMachine for SQL Server service certificates and system certificates that need to be available to services. Defaults to LocalMachine.

Alias
Required False
Pipeline false
Default Value LocalMachine
-Folder

The certificate store folder within the specified store. Common folders include My (Personal), Root (Trusted Root), and CA (Intermediate).
Use My for SQL Server SSL certificates and Service Broker certificates. Defaults to My which is the Personal certificate store.

Alias
Required False
Pipeline false
Default Value My
-Flag

Controls how certificate private keys are stored and accessed in the Windows certificate store. Determines security and accessibility characteristics.
Use NonExportable for production SQL Server certificates to prevent private key extraction. Use Exportable when you need to back up or migrate certificates.
Defaults to: Exportable, PersistKeySet
EphemeralKeySet
The key associated with a PFX file is created in memory and not persisted on disk when importing a certificate.
Exportable
Imported keys are marked as exportable.
NonExportable
Explicitly mark keys as non-exportable.
PersistKeySet
The key associated with a PFX file is persisted when importing a certificate.
UserProtected
Notify the user through a dialog box or other method that the key is accessed. The Cryptographic Service Provider (CSP) in use defines the precise behavior. NOTE: This can only be used when you add a certificate to localhost, as it causes a prompt to appear.

Alias
Required False
Pipeline false
Default Value @("Exportable", "PersistKeySet")
Accepted Values EphemeralKeySet,Exportable,PersistKeySet,UserProtected,NonExportable
-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False
-WhatIf

If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.

Alias wi
Required False
Pipeline false
Default Value
-Confirm

If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.

Alias cf
Required False
Pipeline false
Default Value