BACKUP CERTIFICATE (Transact-SQL)

**APPLIES TO:** ![yes](media/yes.png)SQL Server (starting with 2008) ![no](media/no.png)Azure SQL Database ![no](media/no.png)Azure SQL Data Warehouse ![yes](media/yes.png)Parallel Data Warehouse

Exports a certificate to a file.

link icon Transact-SQL Syntax Conventions

Syntax

-- Syntax for SQL Server  
  
BACKUP CERTIFICATE certname TO FILE = 'path_to_file'  
    [ WITH PRIVATE KEY   
      (   
        FILE = 'path_to_private_key_file' ,  
        ENCRYPTION BY PASSWORD = 'encryption_password'   
        [ , DECRYPTION BY PASSWORD = 'decryption_password' ]   
      )   
    ]  
-- Syntax for Parallel Data Warehouse  
  
BACKUP CERTIFICATE certname TO FILE ='path_to_file'  
      WITH PRIVATE KEY   
      (   
        FILE ='path_to_private_key_file',  
        ENCRYPTION BY PASSWORD ='encryption_password'   
      )

Arguments

path_to_file
Specifies the complete path, including file name, of the file in which the certificate is to be saved. This path can be a local path or a UNC path to a network location. The default is the path of the SQL Server DATA folder.

path_to_private_key_file
Specifies the complete path, including file name, of the file in which the private key is to be saved. This path can be a local path or a UNC path to a network location. The default is the path of the SQL Server DATA folder.

encryption_password
Is the password that is used to encrypt the private key before writing the key to the backup file. The password is subject to complexity checks.

decryption_password
Is the password that is used to decrypt the private key before backing up the key. This argument is not necessary if the certificate is encrypted by the master key.

Remarks

If the private key is encrypted with a password in the database, the decryption password must be specified.

When you back up the private key to a file, encryption is required. The password used to protect the certificate is not the same password that is used to encrypt the private key of the certificate.

To restore a backed up certificate, use the CREATE CERTIFICATEstatement.

When performing a backup, the files will be ACLd to the service account of the SQL Server instance. If you need to restore the certificate to a server running under a different account, you will need to adjust the permissions on the files so that they are able to be read by the new account.

Permissions

Requires CONTROL permission on the certificate and knowledge of the password that is used to encrypt the private key. If only the public part of the certificate is backed up, this command requires some permission on the certificate and that the caller has not been denied VIEW permission on the certificate.

Examples

A. Exporting a certificate to a file

The following example exports a certificate to a file.

BACKUP CERTIFICATE sales05 TO FILE = 'c:\storedcerts\sales05cert';  
GO

B. Exporting a certificate and a private key

In the following example, the private key of the certificate that is backed up will be encrypted with the password 997jkhUbhk$w4ez0876hKHJH5gh.

BACKUP CERTIFICATE sales05 TO FILE = 'c:\storedcerts\sales05cert'  
    WITH PRIVATE KEY ( FILE = 'c:\storedkeys\sales05key' ,   
    ENCRYPTION BY PASSWORD = '997jkhUbhk$w4ez0876hKHJH5gh' );  
GO

C. Exporting a certificate that has an encrypted private key

In the following example, the private key of the certificate is encrypted in the database. The private key must be decrypted with the password 9875t6#6rfid7vble7r. When the certificate is stored to the backup file, the private key will be encrypted with the password 9n34khUbhk$w4ecJH5gh.

BACKUP CERTIFICATE sales09 TO FILE = 'c:\storedcerts\sales09cert'   
    WITH PRIVATE KEY ( DECRYPTION BY PASSWORD = '9875t6#6rfid7vble7r' ,  
    FILE = 'c:\storedkeys\sales09key' ,   
    ENCRYPTION BY PASSWORD = '9n34khUbhk$w4ecJH5gh' );  
GO

See Also

CREATE CERTIFICATE (Transact-SQL)
ALTER CERTIFICATE (Transact-SQL)
DROP CERTIFICATE (Transact-SQL)