Get-DbaNetworkEncryption
Synopsis
Retrieves the TLS/SSL certificate presented by a SQL Server instance over the network.
Description
Connects directly to a SQL Server instance’s TCP port and retrieves the TLS/SSL certificate
that the server presents during the TLS handshake. This does not require Windows host access
or WinRM - it works purely over the network like a client connecting to SQL Server.
This complements Get-DbaNetworkCertificate, which reads the configured certificate from the
Windows registry (requires WinRM). This command instead shows what certificate is actually
being presented to clients over the network, without requiring any host-level access.
For named instances, the SQL Browser service is queried on UDP port 1434 to determine the
TCP port number. For default instances, port 1433 is used unless overridden.
Syntax
Get-DbaNetworkEncryption
[-SqlInstance] <DbaInstanceParameter[]>
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Get-DbaNetworkEncryption -SqlInstance sql2016
Retrieves the TLS certificate presented by the default SQL Server instance on sql2016.
Example: 2
PS C:\> Get-DbaNetworkEncryption -SqlInstance sql2016\sqlexpress
Retrieves the TLS certificate presented by the named instance sqlexpress on sql2016.
Queries the SQL Browser service to determine the port.
Example: 3
PS C:\> Get-DbaNetworkEncryption -SqlInstance sql2016, sql2017, sql2019 | Select-Object SqlInstance, Subject, Expires, Thumbprint
Retrieves certificates from multiple SQL Server instances and shows key certificate details.
Example: 4
PS C:\> $servers | Get-DbaNetworkEncryption | Where-Object { $_.Expires -lt (Get-Date).AddDays(30) }
Finds SQL Server instances whose TLS certificates expire within the next 30 days.
Required Parameters
-SqlInstance
The target SQL Server instance or instances. Accepts pipeline input.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value | |
Optional Parameters
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Outputs
PSCustomObject
Returns one object per SQL Server instance that successfully presents a TLS certificate.
Properties:
- ComputerName: The hostname of the SQL Server
- InstanceName: The SQL Server instance name (MSSQLSERVER for default)
- SqlInstance: The full SQL Server instance identifier
- Subject: The certificate subject (Common Name)
- Issuer: The certificate issuer
- Thumbprint: SHA-1 hash thumbprint of the certificate
- NotBefore: DateTime when the certificate becomes valid
- Expires: DateTime when the certificate expires
- DnsNameList: Array of DNS names from the Subject Alternative Names extension
- SerialNumber: Certificate serial number
- Certificate: The full X509Certificate2 object
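The output properties listed above are enough to triage what each instance presents. The following is an added example, not dbatools code: `Test-TlsCertFinding` is a hypothetical helper, the sample objects are constructed, and it assumes ComputerName is the name clients use to connect and that DnsNameList entries convert to plain strings.

```powershell
# Added example, not part of dbatools. Test-TlsCertFinding is a hypothetical helper name.
function Test-TlsCertFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($InputObject.NotBefore -gt $Now) { $findings += 'NotYetValid' }
        if ($InputObject.Expires -lt $Now) { $findings += 'Expired' }
        elseif ($InputObject.Expires -lt $Now.AddDays($WarnDays)) { $findings += 'ExpiringSoon' }
        # Heuristic: identical Subject and Issuer means no CA vouches for this certificate.
        if ($InputObject.Subject -eq $InputObject.Issuer) { $findings += 'SelfSigned' }
        # A validating client rejects the certificate unless the name it connects to
        # appears in the SAN list. A wildcard covers exactly one leftmost label.
        $target = [string]$InputObject.ComputerName
        $nameOk = $false
        foreach ($n in $InputObject.DnsNameList) {
            $name = [string]$n
            if ($name -eq $target) { $nameOk = $true }
            elseif ($name.StartsWith('*.') -and $target.Contains('.')) {
                $parent = $target.Substring($target.IndexOf('.') + 1)
                if ($parent -eq $name.Substring(2)) { $nameOk = $true }
            }
        }
        if (-not $nameOk) { $findings += 'NameMismatch' }
        [pscustomobject]@{
            SqlInstance = $InputObject.SqlInstance
            Thumbprint  = $InputObject.Thumbprint
            Expires     = $InputObject.Expires
            Findings    = $findings -join ','
        }
    }
}

# Constructed sample objects shaped like the documented output (all values are placeholders).
$now = [datetime]'2025-01-15'
$sample = @(
    [pscustomobject]@{ ComputerName = 'sql01.corp.example'; SqlInstance = 'sql01.corp.example'; Subject = 'CN=sql01.corp.example'; Issuer = 'CN=Example Issuing CA'
        Thumbprint = 'CONSTRUCTED-1'; NotBefore = $now.AddDays(-350); Expires = $now.AddDays(12); DnsNameList = @('sql01.corp.example') }
    [pscustomobject]@{ ComputerName = 'sql02.corp.example'; SqlInstance = 'sql02.corp.example\sqlexpress'; Subject = 'CN=placeholder-self-signed'; Issuer = 'CN=placeholder-self-signed'
        Thumbprint = 'CONSTRUCTED-2'; NotBefore = $now.AddDays(-10); Expires = $now.AddDays(3000); DnsNameList = @('placeholder-self-signed') }
    [pscustomobject]@{ ComputerName = 'sql03.corp.example'; SqlInstance = 'sql03.corp.example'; Subject = 'CN=*.corp.example'; Issuer = 'CN=Example Issuing CA'
        Thumbprint = 'CONSTRUCTED-3'; NotBefore = $now.AddDays(-30); Expires = $now.AddDays(335); DnsNameList = @('*.corp.example') }
)
$sample | Test-TlsCertFinding -Now $now | Where-Object Findings
```

Against live instances, pipe the command's output into the helper instead of the sample: `$servers | Get-DbaNetworkEncryption | Test-TlsCertFinding | Where-Object Findings`.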
dbatools