Merge pull request #1972 from srutzky/patch-4

 Fix missing / misleading statements, and formatting in CREATE and ALTER CERTIFICATE

Author: GitHubber17

docs/t-sql/statements/alter-certificate-transact-sql.md

@@ -1,7 +1,7 @@
 ---
 title: "ALTER CERTIFICATE (Transact-SQL) | Microsoft Docs"
 ms.custom: ""
-ms.date: "04/18/2019"
+ms.date: "04/22/2019"
 ms.prod: sql
 ms.prod_service: "database-engine, sql-database, sql-data-warehouse, pdw"
 ms.reviewer: ""
@@ -28,7 +28,7 @@ monikerRange: ">=aps-pdw-2016||=azuresqldb-current||=azure-sqldw-latest||>=sql-s
 # ALTER CERTIFICATE (Transact-SQL)
 [!INCLUDE[tsql-appliesto-ss2008-asdb-xxxx-pdw-md](../../includes/tsql-appliesto-ss2008-asdb-xxxx-pdw-md.md)]
 
-  Changes the private key used to encrypt a certificate, or adds one if none is present. Changes the availability of a certificate to [!INCLUDE[ssSB](../../includes/sssb-md.md)].  
+  Changes the password used to encrypt the private key of a certificate, removes the private key, or imports the private key if none is present. Changes the availability of a certificate to [!INCLUDE[ssSB](../../includes/sssb-md.md)].  
 
  ![Topic link icon](../../database-engine/configure-windows/media/topic-link.gif "Topic link icon") [Transact-SQL Syntax Conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)  
 
@@ -39,13 +39,20 @@ monikerRange: ">=aps-pdw-2016||=azuresqldb-current||=azure-sqldw-latest||>=sql-s
   
 ALTER CERTIFICATE certificate_name   
       REMOVE PRIVATE KEY  
-    | WITH PRIVATE KEY ( <private_key_spec> [ ,... ] )  
-    | WITH ACTIVE FOR BEGIN_DIALOG = [ ON | OFF ]  
+    | WITH PRIVATE KEY ( <private_key_spec> )  
+    | WITH ACTIVE FOR BEGIN_DIALOG = { ON | OFF }  
   
 <private_key_spec> ::=   
-    [ FILE = 'path_to_private_key' | BINARY = private_key_bits ]
-    | DECRYPTION BY PASSWORD = 'key_password'   
-    | ENCRYPTION BY PASSWORD = 'password'   
+      {   
+        { FILE = 'path_to_private_key' | BINARY = private_key_bits }  
+         [ , DECRYPTION BY PASSWORD = 'current_password' ]  
+         [ , ENCRYPTION BY PASSWORD = 'new_password' ]  
+      }  
+    |  
+      {  
+         [ DECRYPTION BY PASSWORD = 'current_password' ]  
+         [ [ , ] ENCRYPTION BY PASSWORD = 'new_password' ]  
+      }  
 ```  
 
 ```  
@@ -62,24 +69,29 @@ ALTER CERTIFICATE certificate_name
 
 ## Arguments  
  *certificate_name*  
- Is the unique name by which the certificate is known in database.  
+ Is the unique name by which the certificate is known in the database.  
 
- FILE **='**_path\_to\_private\_key_**'**  
- Specifies the complete path, including file name, to the private key. This parameter can be a local path or a UNC path to a network location. This file will be accessed within the security context of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] service account. When you use this option, you must make sure that the service account has access to the specified file.  
+ REMOVE PRIVATE KEY  
+ Specifies that the private key should no longer be maintained inside the database.  
+  
+ WITH PRIVATE KEY
+ Specifies that the private key of the certificate is loaded into SQL Server.
+
+ FILE ='*path_to_private_key*'  
+ Specifies the complete path, including file name, to the private key. This parameter can be a local path or a UNC path to a network location. This file will be accessed within the security context of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] service account. When you use this option, make sure the service account has access to the specified file.
+ 
+ If only a file name is specified, the file is saved in the default user data folder for the instance. This folder might (or might not) be the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder. For SQL Server Express LocalDB, the default user data folder for the instance is the path specified by the `%USERPROFILE%` environment variable for the account that created the instance.  
 
- BINARY **='**_private\_key\_bits_**'**  
+ BINARY ='*private_key_bits*'  
  **Applies to**: [!INCLUDE[ssSQL11](../../includes/sssql11-md.md)] through [!INCLUDE[ssCurrent](../../includes/sscurrent-md.md)].  
 
  Private key bits specified as binary constant. These bits can be in encrypted form. If encrypted, the user must provide a decryption password. Password policy checks are not performed on this password. The private key bits should be in a PVK file format.  
 
- DECRYPTION BY PASSWORD **='**_key\_password_**'**  
+ DECRYPTION BY PASSWORD ='*current_password*'  
  Specifies the password that is required to decrypt the private key.  
 
- ENCRYPTION BY PASSWORD **='**_password_**'**  
- Specifies the password used to encrypt the private key of the certificate in the database. *password* must meet the Windows password policy requirements of the computer that is running the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [Password Policy](../../relational-databases/security/password-policy.md).  
-  
- REMOVE PRIVATE KEY  
- Specifies that the private key should no longer be maintained inside the database.  
+ ENCRYPTION BY PASSWORD ='*new_password*'  
+ Specifies the password used to encrypt the private key of the certificate in the database. *new_password* must meet the Windows password policy requirements of the computer that is running the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [Password Policy](../../relational-databases/security/password-policy.md).  
 
  ACTIVE FOR BEGIN_DIALOG **=** { ON | OFF }  
  Makes the certificate available to the initiator of a [!INCLUDE[ssSB](../../includes/sssb-md.md)] dialog conversation.  
@@ -89,14 +101,16 @@ ALTER CERTIFICATE certificate_name
 
  The DECRYPTION BY PASSWORD clause can be omitted if the password in the file is protected with a null password.  
 
- When the private key of a certificate that already exists in the database is imported from a file, the private key will be automatically protected by the database master key. To protect the private key with a password, use the ENCRYPTION BY PASSWORD phrase.  
+ When the private key of a certificate that already exists in the database is imported, the private key will be automatically protected by the database master key. To protect the private key with a password, use the ENCRYPTION BY PASSWORD clause.  
 
- The REMOVE PRIVATE KEY option will delete the private key of the certificate from the database. You can remove the private key when the certificate will be used to verify signatures or in [!INCLUDE[ssSB](../../includes/sssb-md.md)] scenarios that do not require a private key. Do not remove the private key of a certificate that protects a symmetric key.  
+ The REMOVE PRIVATE KEY option will delete the private key of the certificate from the database. You can remove the private key when the certificate will be used to verify signatures or in [!INCLUDE[ssSB](../../includes/sssb-md.md)] scenarios that do not require a private key. Do not remove the private key of a certificate that protects a symmetric key. The private key will need to be restored in order to sign any additional modules or strings that should be verified with the certificate, or to decrypt a value that has been encrypted with the certificate.   
 
  You do not have to specify a decryption password when the private key is encrypted by using the database master key.  
+ 
+ To change the password used for encrypting the private key, do not specify either the FILE or BINARY clauses.
 
 > [!IMPORTANT]  
->  Always make an archival copy of a private key before removing it from a database. For more information, see [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md).  
+>  Always make an archival copy of a private key before removing it from a database. For more information, see [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md) and [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md).  
   
  The WITH PRIVATE KEY option is not available in a contained database.  
 
@@ -105,29 +119,28 @@ ALTER CERTIFICATE certificate_name
 
 ## Examples  
 
-### A. Changing the password of a certificate  
+### A. Removing the private key of a certificate  
 
 ```  
 ALTER CERTIFICATE Shipping04   
-    WITH PRIVATE KEY (DECRYPTION BY PASSWORD = 'pGF$5DGvbd2439587y',  
-    ENCRYPTION BY PASSWORD = '4-329578thlkajdshglXCSgf');  
+    REMOVE PRIVATE KEY;  
 GO  
 ```  
 
 ### B. Changing the password that is used to encrypt the private key  
 
 ```  
 ALTER CERTIFICATE Shipping11   
-    WITH PRIVATE KEY (ENCRYPTION BY PASSWORD = '34958tosdgfkh##38',  
-    DECRYPTION BY PASSWORD = '95hkjdskghFDGGG4%');  
+    WITH PRIVATE KEY (DECRYPTION BY PASSWORD = '95hkjdskghFDGGG4%',  
+    ENCRYPTION BY PASSWORD = '34958tosdgfkh##38');  
 GO  
 ```  
 
 ### C. Importing a private key for a certificate that is already present in the database  
 
 ```  
 ALTER CERTIFICATE Shipping13   
-    WITH PRIVATE KEY (FILE = 'c:\\importedkeys\Shipping13',  
+    WITH PRIVATE KEY (FILE = 'c:\importedkeys\Shipping13',  
     DECRYPTION BY PASSWORD = 'GDFLKl8^^GGG4000%');  
 GO  
 ```  
@@ -141,11 +154,15 @@ GO
 ```  
 
 ## See Also  
- [CREATE CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/create-certificate-transact-sql.md)   
- [DROP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/drop-certificate-transact-sql.md)   
- [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md)   
- [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)   
+ [CREATE CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/create-certificate-transact-sql.md)  
+ [DROP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/drop-certificate-transact-sql.md)  
+ [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md)  
+ [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)  
  [EVENTDATA &#40;Transact-SQL&#41;](../../t-sql/functions/eventdata-transact-sql.md)  
+ [CERTENCODED &#40;Transact-SQL&#41;](../../t-sql/functions/certencoded-transact-sql.md)  
+ [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md)  
+ [CERT_ID &#40;Transact-SQL&#41;](../../t-sql/functions/cert-id-transact-sql.md)  
+ [CERTPROPERTY &#40;Transact-SQL&#41;](../../t-sql/functions/certproperty-transact-sql.md)  
 
 
 

docs/t-sql/statements/create-certificate-transact-sql.md

@@ -1,7 +1,7 @@
 ---
 title: "CREATE CERTIFICATE (Transact-SQL) | Microsoft Docs"
 ms.custom: ""
-ms.date: "09/07/2018"
+ms.date: "04/22/2019"
 ms.prod: sql
 ms.prod_service: "database-engine, sql-database, sql-data-warehouse, pdw"
 ms.reviewer: ""
@@ -120,18 +120,19 @@ CREATE CERTIFICATE certificate_name
 > [!IMPORTANT]
 > Azure SQL Database does not support creating a certificate from a file or using private key files.
   
+ BINARY =*asn_encoded_certificate*  
+ ASN encoded certificate bytes specified as a binary constant.  
+ **Applies to**: [!INCLUDE[ssSQL11](../../includes/sssql11-md.md)] through [!INCLUDE[ssCurrent](../../includes/sscurrent-md.md)].  
+  
  WITH PRIVATE KEY  
- Specifies that the private key of the certificate is loaded into [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This clause is only valid when the certificate is being created from a file. To load the private key of an assembly, use [ALTER CERTIFICATE](../../t-sql/statements/alter-certificate-transact-sql.md).  
+ Specifies that the private key of the certificate is loaded into [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This clause is invalid when the certificate is being created from an assembly. To load the private key of a certificate created from an assembly, use [ALTER CERTIFICATE](../../t-sql/statements/alter-certificate-transact-sql.md).  
 
  FILE ='*path_to_private_key*'  
  Specifies the complete path, including file name, to the private key. *path_to_private_key* can be a local path or a UNC path to a network location. The file is accessed in the security context of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] service account. This account must have the necessary file-system permissions.  
 
 > [!IMPORTANT]  
 >  This option is not available in a contained database or in Azure SQL Database.  
   
- asn_encoded_certificate  
- ASN encoded certificate bits specified as a binary constant.  
-  
  BINARY =*private_key_bits*  
  **Applies to**: [!INCLUDE[ssSQL11](../../includes/sssql11-md.md)] through [!INCLUDE[ssCurrent](../../includes/sscurrent-md.md)].  
 
@@ -156,7 +157,7 @@ CREATE CERTIFICATE certificate_name
  Makes the certificate available to the initiator of a [!INCLUDE[ssSB](../../includes/sssb-md.md)] dialog conversation. The default value is ON.  
 
 ## Remarks  
- A certificate is a database-level securable that follows the X.509 standard and supports X.509 V1 fields. CREATE CERTIFICATE can load a certificate from a file or assembly. This statement can also generate a key pair and create a self-signed certificate.  
+ A certificate is a database-level securable that follows the X.509 standard and supports X.509 V1 fields. CREATE CERTIFICATE can load a certificate from a file, a binary constant, or an assembly. This statement can also generate a key pair and create a self-signed certificate.  
 
  The Private Key must be \<= 2500 bytes in encrypted format. Private keys generated by [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] are 1024 bits long through [!INCLUDE[ssSQL14](../../includes/sssql14-md.md)] and are 2048 bits long beginning with [!INCLUDE[ssSQL15](../../includes/sssql15-md.md)]. Private keys imported from an external source have a minimum length of 384 bits and a maximum length of 4,096 bits. The length of an imported private key must be an integer multiple of 64 bits. Certificates used for TDE are limited to a private key size of 3456 bits.  
 
@@ -227,7 +228,10 @@ GO
 ```  
 > [!IMPORTANT]
 > Azure SQL Database does not support creating a certificate from a file.
-   
+
+> [!IMPORTANT]
+> Starting in [!INCLUDE[ssSQL17](../../includes/sssql17-md.md)], the ['CLR strict security'](../../database-engine/configure-windows/clr-strict-security.md) server configuration option prevents loading assemblies without first setting up the security for them. Load the certificate, create a login from it, grant `UNSAFE ASSEMBLY` to that login, and then load the assembly.
+
 ### D. Creating a self-signed certificate  
  The following example creates a certificate called `Shipping04` without specifying an encryption password. This example can be used with [!INCLUDE[ssPDW](../../includes/sspdw-md.md)].
 
@@ -245,6 +249,8 @@ GO
  [EVENTDATA &#40;Transact-SQL&#41;](../../t-sql/functions/eventdata-transact-sql.md)   
  [CERTENCODED &#40;Transact-SQL&#41;](../../t-sql/functions/certencoded-transact-sql.md)   
  [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md)  
+ [CERT_ID &#40;Transact-SQL&#41;](../../t-sql/functions/cert-id-transact-sql.md)  
+ [CERTPROPERTY &#40;Transact-SQL&#41;](../../t-sql/functions/certproperty-transact-sql.md)