Fix missing / misleading statements, and formatting in CREATE and ALTER CERTIFICATE #1972
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Fixed description of "WITH PRIVATE KEY" to account for "BINARY =" option introduced in SQL Server 2012.
2. Fixed specification of BINARY for certificate (public key):
1. added "BINARY ="
2. moved above private key options to be properly grouped with public key options
3. added "Applies to"
3. Updated remarks to indicate that certificates can also be loaded from a binary constant (as of SQL Server 2012).
4. Added note about "CLR strict security" server config option at the bottom of "Example C" (as of SQL Server 2017).
5. Added links to CERT_ID and CERTPROPERTY functions in "See Also" section.
For details / testing, please see: https://sqlquantumleap.com/2019/04/22/can-a-certificates-private-key-be-imported-restored-from-a-binary-literal-hex-bytes/
For the note after Example C regarding 'CLR strict security': 1. Fixed link to 'CLR strict security' documentation page 2. Improved wording.
1. Fixed main description as it was both incomplete and misleading. 2. Fixed syntax 3. Fixed formatting in "Arguments" section to be consistent with formatting found in CREATE CERTIFICATE page (and I have been told to specifically _not_ escape underscores unless they are causing formatting issues). 4. Changed "password" in `DECRYPTION BY PASSWORD` and `ENCRYPTION BY PASSWORD` clauses to be "current_password" and "new_password", respectively, to hopefully be more intuitive to those who are less experienced with certificates. 5. Removed "from a file" wording in "Remarks" section since the private key can be imported from multiple sources 6. Changed "Example A" to be "Removing a private key". Previously it was "Changing the password of a certificate", which is identical to "Example B", except the title is slightly different and the order of the `ENCRYPTION BY PASSWORD` and `DECRYPTION BY PASSWORD` clauses is different. No need for redundant examples. 7. Reversed the order of the `ENCRYPTION BY PASSWORD` and `DECRYPTION BY PASSWORD` clauses in "Example B" because it is probably more intuitive to have decryption first since that is actually what happens first. 8. Fixed typo in "Example C": removed extraneous backslash in file path. 9. Added links to CERTENCODED, CERTPRIVATEKEY, CERT_ID, and CERTPROPERTY functions in "See Also" section. For details / testing, please see: https://sqlquantumleap.com/2019/04/22/can-a-certificates-private-key-be-imported-restored-from-a-binary-literal-hex-bytes/
Contributor
Changed syntax
Contributor
Contributor
Member
|
Hi @srutzky! Thanks for the detailed update. We really appreciate your testing and knowledge on this. I went through details, and everything looks applicable. Besides a slight change to syntax, I'll go ahead and approve. Thanks again! #sign-off |
srutzky
added a commit
to srutzky/sql-docs
that referenced
this pull request
Apr 23, 2019
1. Updated "Arguments" section to conform to most other pages:
1. Added "certname" argument.
2. Added argument name to each option.
3. Added "WITH PRIVATE KEY" argument as it mirrors `CREATE CERTIFICATE`.
4. Corrected default path description (tested in SQL Server 2017 CU14 and 2019 CTP 2.4).
5. Added LocalDB info to path description (tested in SQL Server Express LocalDB 2012 SP4).
2. Updated "Remarks" section:
1. Passwords are to protect private keys, not certificates.
2. Added info about private key file format.
3. Clarified that restoring a certificate does not require the private key.
4. Added info about restoring a private key to an existing certificate via `ALTER CERTIFICATE`.
3. Added links to CERTENCODED, CERTPRIVATEKEY, CERT_ID, and CERTPROPERTY functions in "See Also" section.
These updates are related to updates proposed for `CREATE CERTIFICATE` and `ALTER CERTIFICATE` via MicrosoftDocs#1972 , and to the following post: https://sqlquantumleap.com/2019/04/22/can-a-certificates-private-key-be-imported-restored-from-a-binary-literal-hex-bytes/
Contributor
Author
|
Cool. Good catch on the syntax change. And you are quite welcome 😺 There are one or two minor additions I just thought of for ALTER CERTIFICATE, partially related to the PR I just submitted for |
Member
|
#hold-off @srutzky - Go ahead and add to this PR if needed. |
1. Moved the "REMOVE PRIVATE KEY" clause to the top to be in the same order as shown in the syntax (that is how most other pages are done) 2. Added clarification regarding what private keys are used for in "Remarks", in the paragraph about removing the private key. 3. Added note to explicitly state how to accomplish changing the password rather than importing, else it was only mentioned in the description and shown in an example. 4. Added `CERTPRIVATEKEY` link to "Important" note regarding backing up the private key before removing it (this became an option in SQL Server 2012).
Contributor
Contributor
Author
|
Additional changes consist of:
|
Contributor
Contributor
Author
|
Final edit:
|
Contributor
Author
|
@VanMSFT all done now...thanks.. |
Contributor
|
@VanMSFT - if you approve, can you |
Member
|
Reviewed. Thanks @srutzky! |
Contributor
Author
|
Yer welcome. |
Contributor
|
@GitHubber17 : Thanks for your contribution! The author, @VanMSFT, has been notified to review your proposed change. |
Contributor
|
@GitHubber17 : Thanks for your contribution! The author, @VanMSFT, has been notified to review your proposed change. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CREATE CERTIFICATE
Fixed description of "WITH PRIVATE KEY" to account for "BINARY =" option introduced in SQL Server 2012.
Fixed specification of BINARY for certificate (public key):
Updated remarks to indicate that certificates can also be loaded from a binary constant (as of SQL Server 2012).
Added note about "CLR strict security" server config option at the bottom of "Example C" (as of SQL Server 2017).
Added links to CERT_ID and CERTPROPERTY functions in "See Also" section.
ALTER CERTIFICATE
Fixed main description as it was both incomplete and misleading.
Fixed syntax
Fixed formatting in "Arguments" section to be consistent with formatting found in CREATE CERTIFICATE page (and I have been told to specifically not escape underscores unless they are causing formatting issues).
Changed "password" in
DECRYPTION BY PASSWORDandENCRYPTION BY PASSWORDclauses to be "current_password" and "new_password", respectively, to hopefully be more intuitive to those who are less experienced with certificates.Removed "from a file" wording in "Remarks" section since the private key can be imported from multiple sources
Changed "Example A" to be "Removing a private key". Previously it was "Changing the password of a certificate", which is identical to "Example B", except the title is slightly different and the order of the
ENCRYPTION BY PASSWORDandDECRYPTION BY PASSWORDclauses is different. No need for redundant examples.Reversed the order of the
ENCRYPTION BY PASSWORDandDECRYPTION BY PASSWORDclauses in "Example B" because it is probably more intuitive to have decryption first since that is actually what happens first.Fixed typo in "Example C": removed extraneous backslash in file path.
Added links to CERTENCODED, CERTPRIVATEKEY, CERT_ID, and CERTPROPERTY functions in "See Also" section.
Both
For details / testing, please see: https://sqlquantumleap.com/2019/04/22/can-a-certificates-private-key-be-imported-restored-from-a-binary-literal-hex-bytes/