Execution Flow
A SQL Server service restart is always required for the new certificate to take effect — either via
-Restart or manually. Without a restart, the old certificate (or the self-signed one) remains active.Supports both CSP private keys (stored in
MachineKeys) and CNG private keys (stored in Crypto\Keys). Spaces are stripped from the -Thumbprint value automatically. Does not require dbatools — uses only registry and WMI.Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| -SqlInstance | String | Optional | SQL instance name. For default instance use the computer name. For named instances: COMPUTER\INSTANCE. Default: $env:COMPUTERNAME. |
| -Thumbprint | String | Required | Certificate thumbprint (hex string). Spaces stripped automatically. Must match a cert in Cert:\LocalMachine\My. |
| -ForceEncryption | Switch | Optional | Sets ForceEncryption=1 in the SuperSocketNetLib registry key, requiring all connections to use TLS. |
| -Restart | Switch | Optional | Restarts the SQL Server service automatically after the registry change. |
| -WhatIf / -Confirm | Switch | Optional | Standard ShouldProcess support. |
Return Value
Returns a PSCustomObject with: SqlInstance, Thumbprint, CertSubject, CertExpiry, ServiceAccount, ForceEncryption, ServiceRestarted, Status, Message.
Examples
Example 1 — Bind certificate to default instance
Set-sqmSqlTlsCertificate -SqlInstance "SQL01" -Thumbprint "A1B2C3D4E5F6..."
Example 2 — Named instance, Force Encryption, auto-restart
Set-sqmSqlTlsCertificate -SqlInstance "SQL01\INST1" -Thumbprint "A1B2C3D4E5F6..." -ForceEncryption -Restart