Backup-DbaDbCertificate: Don't use decryption password if certificate is encrypted by the database master key (#10329)

andreasjordan · web-flow · commit 0c486b964388 · 2026-04-09T23:58:41.000+02:00
diff --git a/public/Backup-DbaDbCertificate.ps1 b/public/Backup-DbaDbCertificate.ps1
@@ -225,15 +225,24 @@ function Backup-DbaDbCertificate {
 
                     # because the password shouldn't go to memory...
                     if ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -gt 0) {
-
-                        Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
-
-                        $cert.export(
-                            $exportPathCert,
-                            $exportPathKey,
-                            ($EncryptionPassword | ConvertFrom-SecurePass),
-                            ($DecryptionPassword | ConvertFrom-SecurePass)
-                        )
+                        if ($cert.PrivateKeyEncryptionType -eq [Microsoft.SqlServer.Management.Smo.PrivateKeyEncryptionType]::MasterKey) {
+                            Write-Message -Level Verbose -Message "Both passwords passed in but private key of $certName is encrypted by the database master key. DecryptionPassword will be ignored."
+
+                            $cert.export(
+                                $exportPathCert,
+                                $exportPathKey,
+                                ($EncryptionPassword | ConvertFrom-SecurePass)
+                            )
+                        } else {
+                            Write-Message -Level Verbose -Message "Both passwords passed in. Will export both cer and pvk."
+
+                            $cert.export(
+                                $exportPathCert,
+                                $exportPathKey,
+                                ($EncryptionPassword | ConvertFrom-SecurePass),
+                                ($DecryptionPassword | ConvertFrom-SecurePass)
+                            )
+                        }
                     } elseif ($EncryptionPassword.Length -gt 0 -and $DecryptionPassword.Length -eq 0) {
                         Write-Message -Level Verbose -Message "Only encryption password passed in. Will export both cer and pvk."
 
diff --git a/tests/Backup-DbaDbCertificate.Tests.ps1 b/tests/Backup-DbaDbCertificate.Tests.ps1
@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {
             }
             $results = Backup-DbaDbCertificate @splatBackupAllCerts
 
-            $results | Should -HaveCount 3
-            $results.Certificate | Should -Be $cert1.Name, $cert2.Name, $cert3.Name
+            $results.Certificate | Should -Contain $cert1.Name
+            $results.Certificate | Should -Contain $cert2.Name
+            $results.Certificate | Should -Contain $cert3.Name
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -149,8 +149,9 @@ Describe $CommandName -Tag IntegrationTests {`
`149`	`149`	`}`
`150`	`150`	`$results = Backup-DbaDbCertificate @splatBackupAllCerts`
`151`	`151`
`152`		`- $results \| Should -HaveCount 3`
`153`		`- $results.Certificate \| Should -Be $cert1.Name, $cert2.Name, $cert3.Name`
	`152`	`+ $results.Certificate \| Should -Contain $cert1.Name`
	`153`	`+ $results.Certificate \| Should -Contain $cert2.Name`
	`154`	`+ $results.Certificate \| Should -Contain $cert3.Name`
`154`	`155`	`}`
`155`	`156`	`}`
`156`	`157`	`}`