Imports a certificate (PFX, CER+PVK, or CER-only) into SQL Server via CREATE CERTIFICATE … FROM FILE and automatically binds it to its purpose: AlwaysOn endpoint, TDE database, SSL/TLS network configuration, or Service Broker endpoint. Writes a detailed installation protocol as TXT.
Execution Flow
Synopsis
Supports three input formats — PFX (certificate + private key), CER+PVK (separate files), and CER-only (public key). Certificate metadata is validated before import; expired certificates trigger a warning but are not blocked. SQL import uses Invoke-DbaQuery with a dynamically generated CREATE CERTIFICATE statement built by the private helper New-sqmCertImportSql. Each purpose triggers a specific binding step after import. The TXT protocol includes purpose-specific next-step instructions (replica distribution for AlwaysOn, mandatory backup command for TDE, service-restart reminder for SSL).
SSL binding via -SetSqlServerSslCert requires a SQL Server service restart. AlwaysOn: the public key certificate must be installed on every replica using Install-sqmCertificate -Purpose AlwaysOn. TDE certificates must be backed up immediately after installation.
Requires dbatools. SupportsShouldProcess with ConfirmImpact=High. The backward-compatibility alias Build-sqmCertImportSql maps to the private helper New-sqmCertImportSql.
Supported Purposes
Purpose
Binding Action
Notes
AlwaysOn
ALTER ENDPOINT … AUTHENTICATION = CERTIFICATE
Endpoint auto-detected from sys.database_mirroring_endpoints. Public key (.cer) must be distributed to all replicas.
TDE
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE
Requires private key. TDE DB auto-detected when exactly one is encrypted.
SSL
Windows store import + Registry thumbprint
Forces -ImportToWindowsStore. Requires SQL Server service restart.