Copilot AI commented Jan 8, 2026

Adds the -J flag to specify a server certificate file (PEM, DER, or CER) for certificate pinning when using strict encryption mode. The certificate is matched exactly against the server's TLS certificate, bypassing standard validation (expiry, hostname, trust chain).

Changes

  • SQLCmdArguments & ConnectSettings: Added ServerCertificate string field to store certificate path
  • Flag registration: Added -J/--server-certificate flag with help text
  • Connection string: Pass certificate path via msdsn.Certificate parameter to go-mssqldb driver
  • Validation: Enforce -J requires strict encryption (-N s or -N strict)
  • Tests: Coverage for valid combinations and invalid usage with non-strict modes

Usage

# Valid: certificate pinning with strict encryption
sqlcmd -S myserver -N s -J /path/to/server.pem

# Invalid: certificate requires strict mode
sqlcmd -S myserver -J /path/to/server.pem
# Error: The -J parameter can only be used with strict encryption mode (-N s or -N strict).

The implementation follows the existing pattern for connection flags like -F (HostNameInCertificate).

Original prompt

This section details the original issue you should resolve

<issue_title>Implement -J flag to allow a specific server certificate be used to encrypt the connection</issue_title>
<issue_description>-J takes a server certificate. This option can be used with the strict encryption mode (-Ys). This option specifies the path to a certificate file to match against the server's connection encryption certificate. The match is done instead of standard certificate validation (expiry, host name, trust chain, etc.). The accepted certificate formats are PEM, DER, and CER. If specified, the server's certificate is checked by seeing if the server certificate provided is an exact match.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits January 8, 2026 22:22
Co-authored-by: shueybubbles <2224906+shueybubbles@users.noreply.github.com>
Co-authored-by: shueybubbles <2224906+shueybubbles@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement -J flag to specify server certificate for encryption Implement -J flag for server certificate pinning with strict encryption Jan 8, 2026
Copilot AI requested a review from shueybubbles January 8, 2026 22:30