I have written about creating a certificate and backing up a certificate, and the next step is the restoration of a certificate into a server instance. This post covers the basics of restoring a certificate.
There is no RESTORE CERTIFICATE command because the CREATE CERTIFICATE command accomplishes the same thing. It is expected that many people will get a certificate from another company that is a trusted provider, and in that case, they would create their SQL Server internal certificates from the files provided by the vendor.
However you get your certificate, it will come as two separate files. A .cer file, which is the public key for the certificate, and the .pvk file, for the private key of the certificate. These are the same files that are were created by the makecert.exe utility. They are also the files that were created by the backup in the last post.
To restore the certificate, you perform the same procedure as the CREATE CERTIFICATE. For my exported certificate, I’ll execute:
create certificate MySalaryCert from file = N'c:\EncryptionPrimer\MySalaryCert.cer' with private key ( file = N'c:\EncryptionPrimer\MySalaryCert.pvk' , decryption by password = N'AReallyStr0ngK#y4You' );
This will load both the public and private sides of the encryption key into SQL Server and you can view them with this DDL:
select name , certificate_id , pvt_key_encryption_type_desc , subject , expiry_date , start_date , thumbprint , pvt_key_last_backup_date from sys.certificates
This will show you the results. There are other fields here, but these are the ones I look at to check that this is the proper key. Note that on CREATE, the last backup date is NULL, even if you created this from a file.
Note that there are other uses for certificates in Windows. You can install them for IPSec, for SQL Server SSL communications, and more. If you use certificates for any purpose, be sure you can back them up, restore them, and properly manage passwords.
Filed under: Blog Tagged: encryption, security, sql server, syndicated