< Back
New-DbaComputerCertificate
Post
NAME New-DbaComputerCertificate
SYNOPSIS
Creates a new computer certificate useful for Forcing Encryption
SYNTAX
New-DbaComputerCertificate [[-ComputerName] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]>]
[[-Credential] <Pscredential>] [[-CaServer] <String>] [[-CaName] <String>] [[-ClusterInstanceName] <String>]
[[-SecurePassword] <Securestring>] [[-FriendlyName] <String>] [[-CertificateTemplate] <String>] [[-KeyLength]
<Int>] [[-Store] <String>] [[-Folder] <String>] [[-Dns] <System.String[]>] [-SelfSigned <Switch>]
[-EnableException <Switch>] [<CommonParameters>]
DESCRIPTION
Creates a new computer certificate - self-signed or signed by an Active Directory CA, using the Web Server
certificate.
By default, a key with a length of 1024 and a friendly name of the machines FQDN is generated.
This command was originally intended to help automate the process so that SSL certificates can be available for
enforcing encryption on connections.
It makes a lot of assumptions - namely, that your account is allowed to auto-enroll and that you have permission
to do everything it needs to do
References:
http://sqlmag.com/sql-server/7-steps-ssl-encryption
https://azurebi.jppp.org/2016/01/23/usi ... nnections/
https://blogs.msdn.microsoft.com/sqlser ... tificates/
The certificate is generated using AD's webserver SSL template on the client machine and pushed to the remote
machine.
PARAMETERS
-CaName [<String>]
The properly formatted CA name of the corresponding CaServer
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-CaServer [<String>]
Optional - the CA Server where the request will be sent to
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-CertificateTemplate [<String>]
The domain's Certificate Template - WebServer by default.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-ClusterInstanceName [<String>]
When creating certs for a cluster, use this parameter to create the certificate for the cluster node name. Use
ComputerName for each of the nodes.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-ComputerName [<Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]>]
The target SQL Server instance or instances. Defaults to localhost. If target is a cluster, you must also
specify ClusterInstanceName (see below)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Credential [<Pscredential>]
Allows you to login to $ComputerName using alternative credentials.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Dns [<System.String[]>]
Specify the Dns entries listed in SAN. By default, it will be ComputerName + FQDN, or in the case of clusters,
clustername + cluster FQDN.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-EnableException [<Switch>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Folder [<String>]
Certificate folder - defaults to My (Personal)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-FriendlyName [<String>]
The FriendlyName listed in the certificate. This defaults to the FQDN of the $ComputerName
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-KeyLength [<Int>]
The length of the key - defaults to 1024
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SecurePassword [<Securestring>]
Password to encrypt/decrypt private key for export to remote machine
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SelfSigned [<Switch>]
Creates a self-signed certificate. All other parameters can still apply except CaServer and CaName because the
command does not go and get the certificate signed.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Store [<String>]
Certificate store - defaults to LocalMachine
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: Certificate
Author: Chrissy LeMaire (@cl), netnerds.net
Website: https://dbatools.io
Copyright: (c) 2018 by dbatools, licensed under MIT
License: MIT https://opensource.org/licenses/MIT
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>New-DbaComputerCertificate
Creates a computer certificate signed by the local domain CA for the local machine with the keylength of 1024.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName Server1
Creates a computer certificate signed by the local domain CA _on the local machine_ for server1 with the keylength
of 1024.
The certificate is then copied to the new machine over WinRM and imported.
-------------------------- EXAMPLE 3 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName sqla, sqlb -ClusterInstanceName sqlcluster -KeyLength 4096
Creates a computer certificate for sqlcluster, signed by the local domain CA, with the keylength of 4096.
The certificate is then copied to sqla _and_ sqlb over WinRM and imported.
-------------------------- EXAMPLE 4 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName Server1 -WhatIf
Shows what would happen if the command were run
-------------------------- EXAMPLE 5 --------------------------
PS C:\\>New-DbaComputerCertificate -SelfSigned
Creates a self-signed certificate
RELATED LINKS
SYNOPSIS
Creates a new computer certificate useful for Forcing Encryption
SYNTAX
New-DbaComputerCertificate [[-ComputerName] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]>]
[[-Credential] <Pscredential>] [[-CaServer] <String>] [[-CaName] <String>] [[-ClusterInstanceName] <String>]
[[-SecurePassword] <Securestring>] [[-FriendlyName] <String>] [[-CertificateTemplate] <String>] [[-KeyLength]
<Int>] [[-Store] <String>] [[-Folder] <String>] [[-Dns] <System.String[]>] [-SelfSigned <Switch>]
[-EnableException <Switch>] [<CommonParameters>]
DESCRIPTION
Creates a new computer certificate - self-signed or signed by an Active Directory CA, using the Web Server
certificate.
By default, a key with a length of 1024 and a friendly name of the machines FQDN is generated.
This command was originally intended to help automate the process so that SSL certificates can be available for
enforcing encryption on connections.
It makes a lot of assumptions - namely, that your account is allowed to auto-enroll and that you have permission
to do everything it needs to do
References:
http://sqlmag.com/sql-server/7-steps-ssl-encryption
https://azurebi.jppp.org/2016/01/23/usi ... nnections/
https://blogs.msdn.microsoft.com/sqlser ... tificates/
The certificate is generated using AD's webserver SSL template on the client machine and pushed to the remote
machine.
PARAMETERS
-CaName [<String>]
The properly formatted CA name of the corresponding CaServer
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-CaServer [<String>]
Optional - the CA Server where the request will be sent to
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-CertificateTemplate [<String>]
The domain's Certificate Template - WebServer by default.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-ClusterInstanceName [<String>]
When creating certs for a cluster, use this parameter to create the certificate for the cluster node name. Use
ComputerName for each of the nodes.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-ComputerName [<Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]>]
The target SQL Server instance or instances. Defaults to localhost. If target is a cluster, you must also
specify ClusterInstanceName (see below)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Credential [<Pscredential>]
Allows you to login to $ComputerName using alternative credentials.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Dns [<System.String[]>]
Specify the Dns entries listed in SAN. By default, it will be ComputerName + FQDN, or in the case of clusters,
clustername + cluster FQDN.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-EnableException [<Switch>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Folder [<String>]
Certificate folder - defaults to My (Personal)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-FriendlyName [<String>]
The FriendlyName listed in the certificate. This defaults to the FQDN of the $ComputerName
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-KeyLength [<Int>]
The length of the key - defaults to 1024
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SecurePassword [<Securestring>]
Password to encrypt/decrypt private key for export to remote machine
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SelfSigned [<Switch>]
Creates a self-signed certificate. All other parameters can still apply except CaServer and CaName because the
command does not go and get the certificate signed.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Store [<String>]
Certificate store - defaults to LocalMachine
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: Certificate
Author: Chrissy LeMaire (@cl), netnerds.net
Website: https://dbatools.io
Copyright: (c) 2018 by dbatools, licensed under MIT
License: MIT https://opensource.org/licenses/MIT
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>New-DbaComputerCertificate
Creates a computer certificate signed by the local domain CA for the local machine with the keylength of 1024.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName Server1
Creates a computer certificate signed by the local domain CA _on the local machine_ for server1 with the keylength
of 1024.
The certificate is then copied to the new machine over WinRM and imported.
-------------------------- EXAMPLE 3 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName sqla, sqlb -ClusterInstanceName sqlcluster -KeyLength 4096
Creates a computer certificate for sqlcluster, signed by the local domain CA, with the keylength of 4096.
The certificate is then copied to sqla _and_ sqlb over WinRM and imported.
-------------------------- EXAMPLE 4 --------------------------
PS C:\\>New-DbaComputerCertificate -ComputerName Server1 -WhatIf
Shows what would happen if the command were run
-------------------------- EXAMPLE 5 --------------------------
PS C:\\>New-DbaComputerCertificate -SelfSigned
Creates a self-signed certificate
RELATED LINKS