Server Certificate

[heaivilin]

Question

Hello,

In our environment, when using the DBATools, if we need to use the Connect-DbaInstance cmdlet with the -TrustServerCertificate flag for the tools to work. Example:

$ConnectionName = Connect-DbaInstance -SqlInstance $InstanceName -TrustServerCertificate

We use the same method when doing the dbachecks, which in general work, but there are some items that it doesn't seem to work for.

My question is this: "Is there a more effective way to do ensure that TrustedServerCertificate is being used across all connections? e.g. is there a way to use a variable/setting to handle this?"

[mike-hodgson]

Hi @heaivilin.

I don't know if it will work with all dbatools commands, but I believe the variable you're after is "sql.connection.trustcert":

Get-DbatoolsConfig -FullName sql.connection.trustcert

Have you tried setting that to $true? @potatoqualitee mentioned it briefly about half way down this page:
https://blog.netnerds.net/2023/03/new-defaults-for-sql-server-connections-encryption-trust-certificate/

"sql.connection.encrypt" is another related variable, if you'd like to disable the encryption entirely for your connections to SQL instances.

There's also a handy command to go "insecure" for the current user/environment (which just sets those 2 variables I believe):
Set-DbatoolsInsecureConnection

[heaivilin]

This did solve the issue. Specifically, I added the Set-DbatoolsInsecureConnection -SessionOnly at the top of my script and I no longer get the cert chain error.

[SQLDBAWithABeard]

@mike-hodgson is correct. Thank you Mike

[SQLDBAWithABeard]

Does that resolve your question @heaivilin ?