Merge pull request #1976 from srutzky/patch-5

Fix missing / misleading statements, and formatting for BACKUP CERTIFICATE

Author: Jak-MS

docs/t-sql/statements/backup-certificate-transact-sql.md

@@ -1,7 +1,7 @@
 ---
 title: "BACKUP CERTIFICATE (Transact-SQL) | Microsoft Docs"
 ms.custom: ""
-ms.date: "10/04/2018"
+ms.date: "04/23/2019"
 ms.prod: sql
 ms.prod_service: "sql-data-warehouse, pdw, sql-database"
 ms.reviewer: ""
@@ -64,24 +64,34 @@ BACKUP CERTIFICATE certname TO FILE ='path_to_file'
 ```  
 
 ## Arguments  
- *path_to_file*  
- Specifies the complete path, including file name, of the file in which the certificate is to be saved. This path can be a local path or a UNC path to a network location. The default is the path of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder.  
-  
- *path_to_private_key_file*  
- Specifies the complete path, including file name, of the file in which the private key is to be saved. This path can be a local path or a UNC path to a network location. The default is the path of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder.  
+ *certname*  
+ Is the name of the certificate to backup.
+
+ TO FILE = '*path_to_file*'  
+ Specifies the complete path, including file name, of the file in which the certificate is to be saved. This path can be a local path or a UNC path to a network location. If only a file name is specified, the file will be saved in the instance's default user data folder (which may or may not be the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder). For SQL Server Express LocalDB, the instance's default user data folder is the path specified by the `%USERPROFILE%` environment variable for the account that created the instance.  
+
+ WITH PRIVATE KEY
+ Specifies that the private key of the certificate is to be saved to a file. This clause is optional.
+
+ FILE = '*path_to_private_key_file*'  
+ Specifies the complete path, including file name, of the file in which the private key is to be saved. This path can be a local path or a UNC path to a network location. If only a file name is specified, the file will be saved in the instance's default user data folder (which may or may not be the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder). For SQL Server Express LocalDB, the instance's default user data folder is the path specified by the `%USERPROFILE%` environment variable for the account that created the instance.  
 
- *encryption_password*  
+ ENCRYPTION BY PASSWORD = '*encryption_password*'  
  Is the password that is used to encrypt the private key before writing the key to the backup file. The password is subject to complexity checks.  
 
- *decryption_password*  
+ DECRYPTION BY PASSWORD = '*decryption_password*'  
  Is the password that is used to decrypt the private key before backing up the key. This argument is not necessary if the certificate is encrypted by the master key. 
 
 ## Remarks  
  If the private key is encrypted with a password in the database, the decryption password must be specified.  
 
- When you back up the private key to a file, encryption is required. The password used to protect the certificate is not the same password that is used to encrypt the private key of the certificate.  
-  
- To restore a backed up certificate, use the [CREATE CERTIFICATE](../../t-sql/statements/create-certificate-transact-sql.md)statement.
+ When you back up the private key to a file, encryption is required. The password used to protect the private key in the file is not the same password that is used to encrypt the private key of the certificate in the database.  
+
+ Private keys are saved in the PVK file format.
+
+ To restore a backed up certificate, with or without the private key, use the [CREATE CERTIFICATE](../../t-sql/statements/create-certificate-transact-sql.md) statement.
+ 
+ To restore a private key to an existing certificate in the database, use the [ALTER CERTIFICATE](../../t-sql/statements/alter-certificate-transact-sql.md) statement.
 
  When performing a backup, the files will be ACLd to the service account of the SQL Server instance. If you need to restore the certificate to a server running under a different account, you will need to adjust the permissions on the files so that they are able to be read by the new account. 
 
@@ -123,6 +133,10 @@ GO
  [CREATE CERTIFICATE (Transact-SQL)](../../t-sql/statements/create-certificate-transact-sql.md)   
  [ALTER CERTIFICATE (Transact-SQL)](../../t-sql/statements/alter-certificate-transact-sql.md)   
  [DROP CERTIFICATE (Transact-SQL)](../../t-sql/statements/drop-certificate-transact-sql.md)  
+ [CERTENCODED (Transact-SQL)](../../t-sql/functions/certencoded-transact-sql.md)  
+ [CERTPRIVATEKEY (Transact-SQL)](../../t-sql/functions/certprivatekey-transact-sql.md)  
+ [CERT_ID (Transact-SQL)](../../t-sql/functions/cert-id-transact-sql.md)  
+ [CERTPROPERTY (Transact-SQL)](../../t-sql/functions/certproperty-transact-sql.md)