Get-DbaNetworkEncryption - Fix empty certificate properties by using SslStream.RemoteCertificate

github-actions[bot] · andreasjordan · github-actions[bot] · commit 60035561b9cc · 2026-03-18T08:08:31.000Z
Replace callback-based certificate capture ($script:capturedCertificate) with
$sslStream.RemoteCertificate. Scriptblock callbacks invoked by .NET do not
reliably write back to PowerShell session variables, so the captured variable
stayed null and New-Object X509Certificate2($null) produced an empty object.
Reading RemoteCertificate directly after AuthenticateAsClient is the correct
approach.

(do Get-DbaNetworkEncryption)

Co-authored-by: Andreas Jordan &lt;andreasjordan@users.noreply.github.com&gt;
diff --git a/public/Get-DbaNetworkEncryption.ps1 b/public/Get-DbaNetworkEncryption.ps1
@@ -329,12 +329,11 @@ namespace DbaTools {
                 # TdsWrappingStream adds/strips that framing so SslStream negotiates correctly.
                 $tdsStream = New-Object DbaTools.TdsWrappingStream($networkStream, [byte]0x12)
 
-                # The server certificate is captured via the validation callback
-                $script:capturedCertificate = $null
-
-                $certValidationCallback = {
+                # Use a validation callback that always accepts the certificate so we can
+                # complete the handshake regardless of chain/policy errors, then read
+                # RemoteCertificate from the stream after authentication.
+                $certValidationCallback = [System.Net.Security.RemoteCertificateValidationCallback] {
                     param($sender, $certificate, $chain, $sslPolicyErrors)
-                    $script:capturedCertificate = $certificate
                     return $true
                 }
 
@@ -346,7 +345,9 @@ namespace DbaTools {
 
                 $sslStream.AuthenticateAsClient($TargetHost)
 
-                return $script:capturedCertificate
+                # RemoteCertificate is the reliable way to retrieve the server certificate
+                # after a successful TLS handshake.
+                return $sslStream.RemoteCertificate
             } catch {
                 throw
             } finally {
