Creating the certificate

Certificate‑based login securely authorizes Protegrity assemblies in SQL Server by using a certificate created from the Protegrity‑signed dll. The certificate is mapped to a login with the UNSAFE ASSEMBLY permission. This permission enables the trusted execution of assemblies and UDFs without enabling the database‑wide TRUSTWORTHY setting.

To create a certificate-based login:

To create a database certificate using a signed dll. execute the following query.

CREATE CERTIFICATE MSSQL_90009_cert
FROM EXECUTABLE FILE = 'C:\Program Files\Protegrity\Database Protector\sqlserver\DNPepConnector.dll'
GO

To create a certificate‑based login and grant the UNSAFE ASSEMBLY permissions, execute the following query.
```
CREATE LOGIN John
FROM CERTIFICATE MSSQL_90009_cert
GO

GRANT UNSAFE ASSEMBLY TO <John>;
GO
```
To verify the certificate, navigate to System Database > Security > Certificates.
Select the appropriate database type to install the UDFs.

To create an assembly:

Verify whether any assembly exists.
If the assembly exists, then drop the existing assembly.
Open the createassembly.sql script.
Set the value of the TRUSTWORTHY parameter to OFF.
Save the changes to the createassembly.sql script.
Execute the createassembly.sql script.

A sample script is given below.

USE [master]
GO

sp_configure 'clr enable',1
RECONFIGURE
GO

alter database [master] set trustworthy OFF
GO

if exists(SELECT name FROM sys.assemblies WHERE name = 'DNPepConnector')
DROP ASSEMBLY [DNPepConnector]
GO

CREATE ASSEMBLY [DNPepConnector]
AUTHORIZATION [dbo]
FROM 'C:\Program Files\Protegrity\Database Protector\sqlserver\DNPepConnector.dll'
WITH PERMISSION_SET = UNSAFE
GO

To verify the user, navigate to the C:\Program Files\Protegrity\Database Protector\sqlserver.
To install the database objects, execute the CreateObjects.sql script.
Execute the protect/unprotect operations.

Feedback

Was this page helpful?

Last modified : May 21, 2026