| Author | Jess Pomfret (@jpomfret), jesspomfret.com |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Restore-DbaDbCertificate on GitHub.
Want to see the Bill Of Health for this command? Check out Restore-DbaDbCertificate.
Restores database certificates from .cer and .pvk files into SQL Server databases.
Restores database certificates and their associated private keys from backup files into SQL Server databases. This function is essential for recovering certificates used in TDE (Transparent Data Encryption), backup encryption, Always Encrypted, and other SQL Server security features after database migrations, disaster recovery, or server rebuilds.
The function automatically locates matching private key files (.pvk) for each certificate (.cer) when processing directories, or you can specify key file paths explicitly. Handles password-protected private keys with secure credential management, and allows you to re-encrypt keys during the restore process if needed.
Restore-DbaDbCertificate
[-SqlInstance] <DbaInstanceParameter>
[[-SqlCredential] <PSCredential>]
[-Path] <String[]>
[[-KeyFilePath] <String[]>]
[[-EncryptionPassword] <SecureString>]
[[-Database] <String>]
[[-Name] <String>]
[[-DecryptionPassword] <SecureString>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> $securepass = Get-Credential usernamedoesntmatter | Select-Object -ExpandProperty Password
PS C:\> Restore-DbaDbCertificate -SqlInstance Server1 -Path \\Server1\Certificates -DecryptionPassword $securepass
Restores all the certificates in the specified path, password is used to both decrypt and encrypt the private key.
PS C:\> Restore-DbaDbCertificate -SqlInstance Server1 -Path \\Server1\Certificates\DatabaseTDE.cer -DecryptionPassword (Get-Credential usernamedoesntmatter).Password
Restores the DatabaseTDE certificate to Server1 and uses the MasterKey to encrypt the private key.
The target SQL Server instance or instances.
| Alias | |
| Required | True |
| Pipeline | false |
| Default Value |
Specifies the file system path to certificate files (.cer) or a directory containing multiple certificates. When pointing to a directory, the function processes all .cer files found within it.
Use this to restore certificates from your certificate backup location after disaster recovery or server migrations.
| Alias | FullName,ExportPath |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies the path to the private key file (.pvk) associated with the certificate. If not provided, the function automatically searches for a matching .pvk file in the same directory as the
certificate.
Only specify this when your private key files are stored in a different location from your certificate files.
| Alias | Key |
| Required | False |
| Pipeline | true (ByPropertyName) |
| Default Value |
Sets a new password to encrypt the private key after restoration to SQL Server. If not specified, the restored certificate will be encrypted with the database master key.
Use this when you want to change the private key encryption method or set a specific password for the restored certificate.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies the target database where the certificate will be restored. Defaults to the master database if not specified.
Use this when restoring certificates for specific database features like TDE, Always Encrypted, or application-specific encryption within user databases.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | master |
Specifies a custom name for the restored certificate in SQL Server. If not provided, the function derives the name from the certificate file name, removing instance and database prefixes.
Use this when you need the certificate to have a specific name that differs from the backup file naming convention.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Provides the password required to decrypt the private key file (.pvk) during certificate restoration. This password was set when the certificate was originally backed up.
Required for all certificate restores since private keys are encrypted by default when exported from SQL Server.
| Alias | Password,SecurePassword |
| Required | False |
| Pipeline | false |
| Default Value | (Read-Host "Decryption password" -AsSecureString) |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed.
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
Prompts you for confirmation before executing any changing operations within the command.
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |