sqlcmd execute issue in SQL Server 2025

Question

sqlcmd execute issue in SQL Server 2025

Ganesh R 20

EXEC xp_cmdshell 'sqlcmd -S MYS-0101 -d SampleDatabase -U sa -P Sa123 -i "script.sql"' is not working in SQL 2025

its giving trust certificate error, how to fix this certificate error without changing the code I need the microsoft recommendation

whether can we trustservercertificate at SQL Configuration level, without changing the code.

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Erland Sommarskog 132.4K MVP Volunteer Moderator

Short story: You can use the -C option to start working. However, from a security standpoint, this not the best solution. There is a better solution - and which does not require code changes. Read on!

Long story: Microsoft has the last couple of years changed the defaults in their client APIs with regards to encrypted connections, so that now all APIs default to require an encrypted connection.

Why is this important? The reason you want an encrypted connection, is that you don't want anyone to tap the wire to get the data you are sending to SQL Server, you are receiving through SQL Server. This is known as a man-in-the-middle attack.Furthermore, that man in the middle, may offer you a certificate, and if you blindly trust that certificate, you are still open for that attack. And the attacker may not just only tap the wire, it could also distort the data send to and from the server.

By default, SQL Server encrypts the data with a self-signed certificate, and there is no way you can gain real trust in this certificate. Instead, you need to install a real certificate. This can be something you create yourself, and you then distribute to computers that need it, and that they can install in their Trusted Certificate Store. This requires some admin job, but the certificate costs zero money.

The other alternative is to buy a certificate from a trusted vendor like VeriSign, Microsoft etc. For these vendors, a computer normally has their root certificate already installed, and through a chain of certificates, all computers can trust the certificate.

Ganesh R 20 Reputation points

2026-01-29T01:22:41.7433333+00:00
Is it mandatory to use a certificate and connect using the FQDN, or is there another way to run the command without modifying the old code to add -C (trust the server certificate)? Can this be handled at the SQL Server level instead—such as disabling the requirement for ‘Trust Server Certificate’—using any available command?

Here I am not using any linked server or not creating distributor, I need to disable for Sql Server instance itself by making to trust by default.

Trust by default :
EXECUTE sp_changedistributor_property

@property = N'trust_distributor_certificate',

@value = N'yes';
Dan Guzman 9,436 Reputation points

2026-01-29T04:19:29.9866667+00:00

Whether can we trustservercertificate at SQL Configuration level, without changing code

Trusting the server certificate is a client concept, not something that can be enforced by database server configuration. Note the purpose of the distributor trust_distributor_certificate property is for SQL Server to trust remote SQL Server cert when the database engine is acting as a client (connecting to another SQL Server instance).

Without adding the -c argument, you must provision a valid certificate (not self-signed) on the SQL Server issued by a trusted source. In addition to the commercial issuers Erland mentioned, I believe you could use AD Certificate Services for the domain of the SQL machine.
Akhil Gajavelly 1,160 Reputation points Microsoft External Staff Moderator

2026-01-29T09:31:04.5933333+00:00

Hi @Ganesh R

Thanks to both @Erland Sommarskog & @Dan Guzman for the clear and detailed explanations.

This confirms that TrustServerCertificate is a client-side setting and cannot be enforced at the SQL Server instance level. The trust_distributor_certificate option applies only when SQL Server acts as a client (replication/linked servers) and does not affect sqlcmd execution via xp_cmdshell.

Without modifying the existing code to add -C, the Microsoft-recommended and supported approach is to configure SQL Server with a proper trusted certificate (CA-issued or AD CS) and connect using the FQDN.

Once confirmed, kindly mark the answer as Accepted so it’s easier for others facing the same problem to find the solution.

Thanks,
Akhil.
Ganesh R 20 Reputation points

2026-01-29T15:51:17.06+00:00

Thanks Erland Sommarskog
If the SQL Server 2025 and the application are in same server then the -C option is safer to use? or not?
Erland Sommarskog 132.4K Reputation points MVP Volunteer Moderator

2026-01-29T21:45:04.5433333+00:00

I don't know how this trust_distributor_certificate came into the picture, but maybe it was from the AI answer, which I deleted, as there were several errors in it, including the mention of trust_distributor_certificate.

If you don't want to change any code, there is actually an alternative: Use an older version of SQLCMD which defaults to a non-encrypted connection. But if you are running SQLCMD on the same machine as SQL Server, I strongly recommend from messing things up.

If the SQL Server 2025 and the application are in same server then the -C option is safer to use? or not?

Yeah, this case, the risks for a man-in-the-middle attack are minimal, so using the -C option (or -No to make encryption option) is not a security risk.

Answer 2

Ganesh R 20

Thanks everyone for the inputs, can please share an article where this breaking changing in SQL 2025 which requires clients to send the servertrustcertificate option explicity, if they are not using any FQDN or certificate.

Share via

sqlcmd execute issue in SQL Server 2025

1 additional answer

Your answer