Set-DbaNetworkCertificate

Synopsis

Sets the network certificate for SQL Server instance

Description

Sets the network certificate for SQL Server instance in two possible ways. This setting is found in Configuration Manager.

Without the Certificate or Thumbprint parameter (Way One): Calls Test-DbaNetworkCertificate to retrieve
information about the currently configured certificate and available suitable certificates.
Returns without changes if the currently configured certificate is still valid.
Configures the suitable certificate if exactly one is available.
Fails if more than one or no suitable certificate is found.

With the Certificate or Thumbprint parameter (Way Two): Calls Test-DbaNetworkCertificate to retrieve
information about the currently configured certificate and available suitable certificates.
Returns without changes if the given certificate match the currently configured certificate that is still valid.
Configures the given certificate if it is returned as a suitable certificate.
If the given certificate is not returned as a suitable certificate, the command gets detailed information
about why the given certificate is not suitable and fails with that information.

This command also grants read permissions for the service account on the certificate’s private key.

The currently configured certificate can be unset by using the parameter -UnsetCertificate.

References:
https://www.itprotoday.com/sql-server/7-steps-ssl-encryption
https://azurebi.jppp.org/2016/01/23/using-lets-encrypt-certificates-for-secure-sql-server-connections/
https://blogs.msdn.microsoft.com/sqlserverfaq/2016/09/26/creating-and-registering-ssl-certificates/
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/certificate-requirements

Syntax

Set-DbaNetworkCertificate
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-Credential] <PSCredential>]
    [[-Certificate] <X509Certificate2>]
    [[-Thumbprint] <String>]
    [-UnsetCertificate]
    [-RestartService]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Examples

Example: 1

PS C:\> New-DbaComputerCertificate | Set-DbaNetworkCertificate -SqlInstance localhost\SQL2008R2SP2

Creates and imports a new certificate signed by an Active Directory CA on localhost then sets the network certificate for the SQL2008R2SP2 to that newly created certificate.

Example: 2

PS C:\> Set-DbaNetworkCertificate -SqlInstance localhost\SQL2008R2SP2

Sets the network certificate for the SQL2008R2SP2 instance if exactly one suitable certificate is found.

Example: 3

PS C:\> Set-DbaNetworkCertificate -SqlInstance sql1\SQL2008R2SP2 -Thumbprint 1223FB1ACBCA44D3EE9640F81B6BA14A92F3D6E2

Sets the network certificate for the SQL2008R2SP2 instance to the certificate with the thumbprint of 1223FB1ACBCA44D3EE9640F81B6BA14A92F3D6E2 in LocalMachine\My on sql1

Example: 4

PS C:\> Set-DbaNetworkCertificate -SqlInstance localhost\SQL2008R2SP2 -UnsetCertificate -RestartService

Unsets the network certificate for the SQL2008R2SP2 instance and restarts the SQL Server service.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances. Defaults to localhost.

-Credential

Allows you to login to the computer (not sql instance) using alternative credentials.

-Certificate

Specifies the X509Certificate2 object to configure as the network certificate for SQL Server.
Use this when piping certificate objects from other dbatools commands like New-DbaComputerCertificate.
The certificate must exist in the LocalMachine certificate store and have a private key for SQL Server to use it for SSL connections.

-Thumbprint

Specifies the thumbprint (SHA-1 hash) of the certificate to configure as the network certificate.
Use this when you know the specific certificate thumbprint from certificates already installed in LocalMachine\My.
Must be a 40-character hexadecimal string (no spaces). The certificate must have a private key and the SQL Server
service account will be granted read permissions to it.

-UnsetCertificate

Unsets the currently configured network certificate for the SQL Server instance.
This will remove the certificate configuration, and SQL Server will not use any certificate for SSL connections.

-RestartService

Forces an automatic restart of the SQL Server service after setting the network certificate.
Certificate changes require a service restart to take effect - without this switch you’ll need to manually restart SQL Server.
Use this when you want the SSL configuration to be immediately active, but be aware it will cause a brief service interruption.

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

-WhatIf

Shows what would happen if the command were to run. No actions are actually performed.

-Confirm

Prompts you for confirmation before executing any changing operations within the command.

Outputs

PSCustomObject

Returns one object per SQL Server instance processed, containing the following properties:

• ComputerName: The name of the computer where the SQL Server instance is hosted
• InstanceName: The SQL Server instance name (e.g., MSSQLSERVER, SQL2008R2SP2)
• SqlInstance: The full SQL Server instance name (computer\instance)
• ServiceAccount: The service account running the SQL Server instance
• CertificateThumbprint: The SHA-1 thumbprint of the newly configured certificate in lowercase
• Notes: Summary of actions performed, including whether an old certificate was replaced