tessl/pypi-azure-keyvault-certificates
Microsoft Corporation Key Vault Certificates Client Library for Python
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-azure-keyvault-certificates@4.10.0index.mddocs/
Azure Key Vault Certificates
A comprehensive Python client library for Azure Key Vault certificate management operations, enabling developers to securely create, store, manage, and deploy SSL/TLS certificates through Azure's cloud-based key management service. It offers both synchronous and asynchronous APIs for certificate lifecycle operations with extensive error handling and detailed logging capabilities.
Package Information
- Package Name: azure-keyvault-certificates
- Language: Python
- Installation:
pip install azure-keyvault-certificates azure-identity
Core Imports
from azure.keyvault.certificates import CertificateClient
from azure.identity import DefaultAzureCredentialCommon models and enums:
from azure.keyvault.certificates import (
CertificatePolicy,
KeyVaultCertificate,
CertificateProperties,
CertificateContentType,
KeyType,
WellKnownIssuerNames
)For async operations:
from azure.keyvault.certificates.aio import CertificateClientBasic Usage
import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
# Create client
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
# Create a certificate
create_poller = client.begin_create_certificate(
certificate_name="my-certificate",
policy=CertificatePolicy.get_default()
)
certificate = create_poller.result()
# Get a certificate
certificate = client.get_certificate("my-certificate")
print(f"Certificate: {certificate.name}")
print(f"Version: {certificate.properties.version}")
# List all certificates
for cert_props in client.list_properties_of_certificates():
print(f"Certificate: {cert_props.name}")
# Update certificate properties
updated_cert = client.update_certificate_properties(
certificate_name="my-certificate",
enabled=False,
tags={"environment": "test"}
)
# Delete certificate
delete_poller = client.begin_delete_certificate("my-certificate")
deleted_cert = delete_poller.result()Architecture
The library follows Azure SDK design patterns with clear separation of concerns:
- CertificateClient: Primary interface for all certificate operations (sync and async versions)
- Models: Strongly-typed data structures for certificates, policies, issuers, and operations
- Enums: Type-safe constants for key types, content types, policy actions, and well-known issuers
- Long-Running Operations: Polling support for certificate creation, deletion, and recovery
- Paging: Efficient iteration over certificate collections with ItemPaged/AsyncItemPaged
The client integrates seamlessly with Azure identity services through DefaultAzureCredential for authentication, supports advanced certificate chain preservation, implements proper async context management patterns, and provides comprehensive error handling for production environments.
Capabilities
Certificate Lifecycle Management
Core certificate operations including creation, retrieval, updating, deletion, and recovery. Supports both self-signed certificates and external issuer integration with comprehensive policy management.
def begin_create_certificate(
certificate_name: str,
policy: CertificatePolicy,
*,
enabled: Optional[bool] = None,
tags: Optional[Dict[str, str]] = None,
preserve_order: Optional[bool] = None
) -> LROPoller[Union[KeyVaultCertificate, CertificateOperation]]: ...
def get_certificate(certificate_name: str) -> KeyVaultCertificate: ...
def update_certificate_properties(
certificate_name: str,
version: Optional[str] = None,
*,
enabled: Optional[bool] = None,
tags: Optional[Dict[str, str]] = None
) -> KeyVaultCertificate: ...
def begin_delete_certificate(certificate_name: str) -> LROPoller[DeletedCertificate]: ...Certificate Import and Export
Import existing certificates from various formats and export certificates for external use. Supports PKCS#12 and PEM formats with backup and restore capabilities.
def import_certificate(
certificate_name: str,
certificate_bytes: bytes,
*,
policy: Optional[CertificatePolicy] = None,
enabled: Optional[bool] = None,
tags: Optional[Dict[str, str]] = None,
preserve_order: Optional[bool] = None
) -> KeyVaultCertificate: ...
def backup_certificate(certificate_name: str) -> bytes: ...
def restore_certificate_backup(backup: bytes) -> KeyVaultCertificate: ...Certificate Policy Management
Comprehensive policy configuration for certificate properties, key specifications, lifetime actions, and issuer settings. Supports custom policies and default policy templates.
def get_certificate_policy(certificate_name: str) -> CertificatePolicy: ...
def update_certificate_policy(
certificate_name: str,
policy: CertificatePolicy
) -> CertificatePolicy: ...Certificate Issuer Management
Manage certificate authorities and issuers for automated certificate provisioning. Configure issuer credentials, organizational information, and administrator contacts.
def create_issuer(
issuer_name: str,
provider: str,
*,
enabled: Optional[bool] = None,
account_id: Optional[str] = None,
password: Optional[str] = None,
organization_id: Optional[str] = None,
admin_contacts: Optional[List[AdministratorContact]] = None
) -> CertificateIssuer: ...
def get_issuer(issuer_name: str) -> CertificateIssuer: ...
def update_issuer(issuer_name: str, **kwargs) -> CertificateIssuer: ...
def delete_issuer(issuer_name: str) -> CertificateIssuer: ...Certificate Listing and Discovery
Efficiently browse and discover certificates with filtering, paging, and version management. List active certificates, deleted certificates, and certificate versions.
def list_properties_of_certificates(
*,
include_pending: Optional[bool] = None,
max_page_size: Optional[int] = None
) -> ItemPaged[CertificateProperties]: ...
def list_deleted_certificates(
*, max_page_size: Optional[int] = None
) -> ItemPaged[DeletedCertificate]: ...
def list_properties_of_certificate_versions(
certificate_name: str,
*, max_page_size: Optional[int] = None
) -> ItemPaged[CertificateProperties]: ...Deleted Certificate Recovery
Manage soft-deleted certificates with recovery and purge operations. Supports Azure Key Vault's soft-delete feature for accidental deletion protection.
def get_deleted_certificate(certificate_name: str) -> DeletedCertificate: ...
def begin_recover_deleted_certificate(
certificate_name: str
) -> LROPoller[KeyVaultCertificate]: ...
def purge_deleted_certificate(certificate_name: str) -> None: ...Certificate Contact Management
Manage certificate contacts for notifications and administrative purposes. Configure email contacts for certificate lifecycle events and expiration warnings.
def set_contacts(contacts: List[CertificateContact]) -> List[CertificateContact]: ...
def get_contacts() -> List[CertificateContact]: ...
def delete_contacts() -> List[CertificateContact]: ...Certificate Operation Management
Monitor and manage long-running certificate operations including creation status, cancellation, and manual certificate merging for external issuers.
def get_certificate_operation(certificate_name: str) -> CertificateOperation: ...
def cancel_certificate_operation(certificate_name: str) -> CertificateOperation: ...
def delete_certificate_operation(certificate_name: str) -> CertificateOperation: ...
def merge_certificate(
certificate_name: str,
x509_certificates: List[bytes],
*,
enabled: Optional[bool] = None,
tags: Optional[Dict[str, str]] = None
) -> KeyVaultCertificate: ...Async Operations
Asynchronous versions of all certificate operations for high-performance applications. Includes async context managers and direct async results for long-running operations.
async def create_certificate(
certificate_name: str,
policy: CertificatePolicy,
**kwargs
) -> Union[KeyVaultCertificate, CertificateOperation]: ...
async def get_certificate(certificate_name: str) -> KeyVaultCertificate: ...Types
Core Certificate Types
class KeyVaultCertificate:
"""Represents a certificate stored in Azure Key Vault."""
id: str
name: str
properties: CertificateProperties
policy: CertificatePolicy
cer: bytes
key_id: str
secret_id: str
class CertificateProperties:
"""Certificate metadata and properties."""
id: str
name: str
version: str
enabled: bool
not_before: datetime
expires_on: datetime
created_on: datetime
updated_on: datetime
recovery_level: str
vault_url: str
tags: Dict[str, str]
x509_thumbprint: bytes
class DeletedCertificate(KeyVaultCertificate):
"""A deleted certificate with recovery information."""
deleted_on: datetime
recovery_id: str
scheduled_purge_date: datetimeCertificate Policy Types
class CertificatePolicy:
"""Certificate management policy."""
issuer_name: str
subject: str
san_emails: List[str]
san_dns_names: List[str]
san_upns: List[str]
exportable: bool
key_type: KeyType
key_size: int
reuse_key: bool
key_curve_name: KeyCurveName
enhanced_key_usage: List[str]
key_usage: List[KeyUsageType]
content_type: CertificateContentType
validity_in_months: int
lifetime_actions: List[LifetimeAction]
certificate_type: str
certificate_transparency: bool
@classmethod
def get_default() -> CertificatePolicy: ...
class LifetimeAction:
"""Automated action for certificate lifecycle."""
action: CertificatePolicyAction
days_before_expiry: int
percentage_before_expiry: intCertificate Operation Types
class CertificateOperation:
"""Long-running certificate operation."""
certificate_type: str
certificate_transparency: bool
csr: bytes
cancellation_requested: bool
status: str
status_details: str
error: CertificateOperationError
target: str
request_id: str
id: str
issuer_name: str
class CertificateOperationError:
"""Certificate operation error details."""
code: str
message: str
inner_error: CertificateOperationErrorIssuer Types
class CertificateIssuer:
"""Certificate issuer configuration."""
provider: str
account_id: str
admin_contacts: List[AdministratorContact]
enabled: bool
created_on: datetime
updated_on: datetime
id: str
name: str
class IssuerProperties:
"""Certificate issuer basic properties."""
id: str
name: str
provider: str
class AdministratorContact:
"""Issuer administrator contact."""
first_name: str
last_name: str
email: str
phone: strContact Types
class CertificateContact:
"""Certificate contact information."""
email: str
name: str
phone: strIdentifier Types
class KeyVaultCertificateIdentifier:
"""Certificate identifier parser."""
source_id: str
vault_url: str
name: str
version: str
@classmethod
def from_certificate_id(cls, certificate_id: str) -> KeyVaultCertificateIdentifier: ...Enum Types
class ApiVersion(str, Enum):
"""Supported API versions."""
V7_6 = "7.6" # Default
V7_5 = "7.5"
V7_4 = "7.4"
V7_3 = "7.3"
V7_2 = "7.2"
V7_1 = "7.1"
V7_0 = "7.0"
V2016_10_01 = "2016-10-01"
class KeyType(str, Enum):
"""Supported key types."""
ec = "EC"
ec_hsm = "EC-HSM"
rsa = "RSA"
rsa_hsm = "RSA-HSM"
oct = "oct"
oct_hsm = "oct-HSM"
class KeyCurveName(str, Enum):
"""Elliptic curve names."""
p_256 = "P-256"
p_384 = "P-384"
p_521 = "P-521"
p_256_k = "P-256K"
class CertificateContentType(str, Enum):
"""Certificate content formats."""
pkcs12 = "application/x-pkcs12"
pem = "application/x-pem-file"
class KeyUsageType(str, Enum):
"""Key usage types."""
digital_signature = "digitalSignature"
non_repudiation = "nonRepudiation"
key_encipherment = "keyEncipherment"
data_encipherment = "dataEncipherment"
key_agreement = "keyAgreement"
key_cert_sign = "keyCertSign"
crl_sign = "cRLSign"
encipher_only = "encipherOnly"
decipher_only = "decipherOnly"
class CertificatePolicyAction(str, Enum):
"""Certificate policy actions."""
email_contacts = "EmailContacts"
auto_renew = "AutoRenew"
class WellKnownIssuerNames(str, Enum):
"""Well-known certificate issuers."""
self = "Self"
unknown = "Unknown"