tessl/pypi-azure-keyvault-certificates
Microsoft Corporation Key Vault Certificates Client Library for Python
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
import-export.mddocs/
Import and Export
Certificate import and export operations for working with external certificates, backing up certificates, and restoring from backups. Supports PKCS#12 and PEM formats with comprehensive metadata preservation.
Capabilities
Certificate Import
Import existing certificates from various formats into Azure Key Vault. Supports certificates with private keys in PKCS#12 format and certificate-only imports in PEM format.
def import_certificate(
certificate_name: str,
certificate_bytes: bytes,
*,
enabled: Optional[bool] = None,
tags: Optional[Dict[str, str]] = None,
password: Optional[str] = None,
policy: Optional[CertificatePolicy] = None,
preserve_order: Optional[bool] = None,
**kwargs: Any
) -> KeyVaultCertificate:
"""
Import a certificate into the vault.
Parameters:
- certificate_name: Name for the imported certificate
- certificate_bytes: Certificate data in PKCS#12 or PEM format
- enabled: Whether the certificate should be enabled
- tags: Metadata tags for the certificate
- password: Password for PKCS#12 certificates (if encrypted)
- policy: Certificate policy (uses default if not specified)
- preserve_order: Whether to preserve certificate chain order
Returns:
KeyVaultCertificate: The imported certificate
Raises:
ValueError: If certificate data is invalid
HttpResponseError: For service-side errors
"""Usage examples:
# Import PKCS#12 certificate with private key
with open("certificate.p12", "rb") as cert_file:
cert_bytes = cert_file.read()
imported_cert = client.import_certificate(
certificate_name="imported-cert",
certificate_bytes=cert_bytes,
password="certificate-password", # Password for encrypted PKCS#12
enabled=True,
tags={"source": "external", "type": "ssl"}
)
print(f"Imported certificate: {imported_cert.name}")
# Import PEM certificate without private key
with open("certificate.pem", "rb") as cert_file:
pem_bytes = cert_file.read()
imported_cert = client.import_certificate(
certificate_name="pem-cert",
certificate_bytes=pem_bytes,
policy=CertificatePolicy.get_default()
)
# Import with custom policy
from azure.keyvault.certificates import CertificatePolicy, KeyType
custom_policy = CertificatePolicy.get_default()
custom_policy.key_type = KeyType.rsa
custom_policy.key_size = 4096
imported_cert = client.import_certificate(
certificate_name="secure-cert",
certificate_bytes=cert_bytes,
policy=custom_policy,
tags={"security_level": "high"}
)Certificate Backup
Create a backup of a certificate that includes all versions and can be restored to any Azure Key Vault. The backup is encrypted and can only be restored within the same geographic region (Azure geolocation).
def backup_certificate(certificate_name: str, **kwargs: Any) -> bytes:
"""
Backup a certificate from the vault.
Parameters:
- certificate_name: Name of the certificate to backup
Returns:
bytes: Encrypted backup data containing all certificate versions
Raises:
ResourceNotFoundError: If the certificate doesn't exist
HttpResponseError: For service-side errors
"""Usage examples:
# Create backup
backup_data = client.backup_certificate("my-cert")
print(f"Backup size: {len(backup_data)} bytes")
# Save backup to file
with open("certificate_backup.blob", "wb") as backup_file:
backup_file.write(backup_data)
# Multiple certificate backup
certificates_to_backup = ["cert1", "cert2", "cert3"]
backups = {}
for cert_name in certificates_to_backup:
try:
backup_data = client.backup_certificate(cert_name)
backups[cert_name] = backup_data
print(f"Backed up {cert_name}: {len(backup_data)} bytes")
except Exception as e:
print(f"Failed to backup {cert_name}: {e}")
# Save all backups
import json
backup_manifest = {
"timestamp": datetime.now().isoformat(),
"certificates": list(backups.keys()),
"count": len(backups)
}
with open("backup_manifest.json", "w") as manifest_file:
json.dump(backup_manifest, manifest_file, indent=2)Certificate Restore
Restore a certificate from a backup. The certificate name from the backup will be used, and all versions will be restored.
def restore_certificate_backup(backup: bytes, **kwargs: Any) -> KeyVaultCertificate:
"""
Restore a certificate from backup data.
Parameters:
- backup: Encrypted backup data from backup_certificate
Returns:
KeyVaultCertificate: The restored certificate (latest version)
Raises:
ValueError: If backup data is invalid or corrupted
ConflictError: If a certificate with the same name already exists
HttpResponseError: For service-side errors
"""Usage examples:
# Restore from backup data
with open("certificate_backup.blob", "rb") as backup_file:
backup_data = backup_file.read()
restored_cert = client.restore_certificate_backup(backup_data)
print(f"Restored certificate: {restored_cert.name}")
print(f"Version: {restored_cert.properties.version}")
# Restore multiple certificates
import os
import json
# Load backup manifest
with open("backup_manifest.json", "r") as manifest_file:
manifest = json.load(manifest_file)
restored_certificates = []
for cert_name in manifest["certificates"]:
backup_file_path = f"{cert_name}_backup.blob"
if os.path.exists(backup_file_path):
try:
with open(backup_file_path, "rb") as backup_file:
backup_data = backup_file.read()
restored_cert = client.restore_certificate_backup(backup_data)
restored_certificates.append(restored_cert.name)
print(f"Restored: {restored_cert.name}")
except Exception as e:
print(f"Failed to restore {cert_name}: {e}")
print(f"Successfully restored {len(restored_certificates)} certificates")Certificate Format Handling
Working with different certificate formats and extracting information.
# Extract certificate information
certificate = client.get_certificate("my-cert")
# Get the certificate in DER format (binary)
der_cert = certificate.cer
print(f"DER certificate size: {len(der_cert)} bytes")
# Convert to PEM format for display/export
import base64
pem_cert = (
"-----BEGIN CERTIFICATE-----\n" +
base64.b64encode(der_cert).decode('ascii') +
"\n-----END CERTIFICATE-----"
)
print("PEM format:")
print(pem_cert)
# Extract certificate details using cryptography library (if available)
try:
from cryptography import x509
from cryptography.hazmat.backends import default_backend
cert_obj = x509.load_der_x509_certificate(der_cert, default_backend())
print(f"Subject: {cert_obj.subject.rfc4514_string()}")
print(f"Issuer: {cert_obj.issuer.rfc4514_string()}")
print(f"Serial: {cert_obj.serial_number}")
print(f"Not valid before: {cert_obj.not_valid_before}")
print(f"Not valid after: {cert_obj.not_valid_after}")
except ImportError:
print("cryptography library not available for certificate parsing")Bulk Import Operations
Efficiently import multiple certificates from a directory or collection.
import os
from pathlib import Path
def import_certificates_from_directory(client, directory_path, file_extension=".p12"):
"""Import all certificates from a directory."""
imported_count = 0
failed_imports = []
directory = Path(directory_path)
for cert_file in directory.glob(f"*{file_extension}"):
try:
with open(cert_file, "rb") as f:
cert_bytes = f.read()
# Use filename (without extension) as certificate name
cert_name = cert_file.stem
imported_cert = client.import_certificate(
certificate_name=cert_name,
certificate_bytes=cert_bytes,
enabled=True,
tags={
"source": "bulk_import",
"original_file": cert_file.name
}
)
print(f"Imported: {imported_cert.name}")
imported_count += 1
except Exception as e:
failed_imports.append((cert_file.name, str(e)))
print(f"Failed to import {cert_file.name}: {e}")
print(f"\nImport summary:")
print(f"Successfully imported: {imported_count}")
print(f"Failed imports: {len(failed_imports)}")
return imported_count, failed_imports
# Usage
imported, failed = import_certificates_from_directory(
client,
"/path/to/certificates",
".p12"
)Error Handling
Common error scenarios when importing and exporting certificates:
from azure.core.exceptions import ResourceNotFoundError, ConflictError, HttpResponseError
# Import error handling
try:
with open("certificate.p12", "rb") as f:
cert_bytes = f.read()
imported_cert = client.import_certificate(
certificate_name="my-cert",
certificate_bytes=cert_bytes
)
except ValueError as e:
print(f"Invalid certificate data: {e}")
except ConflictError:
print("Certificate with this name already exists")
except HttpResponseError as e:
print(f"Service error: {e.status_code} - {e.message}")
except FileNotFoundError:
print("Certificate file not found")
# Backup error handling
try:
backup_data = client.backup_certificate("non-existent-cert")
except ResourceNotFoundError:
print("Certificate not found for backup")
except HttpResponseError as e:
if e.status_code == 403:
print("Insufficient permissions for backup operation")
else:
print(f"Backup failed: {e.message}")
# Restore error handling
try:
with open("corrupted_backup.blob", "rb") as f:
backup_data = f.read()
restored_cert = client.restore_certificate_backup(backup_data)
except ValueError:
print("Invalid or corrupted backup data")
except ConflictError:
print("Cannot restore - certificate with same name exists")
except HttpResponseError as e:
if e.status_code == 400:
print("Backup data is invalid or from different region")
else:
print(f"Restore failed: {e.message}")Best Practices
Backup and Restore Strategy
import datetime
import json
from pathlib import Path
class CertificateBackupManager:
"""Manages certificate backups with metadata and validation."""
def __init__(self, client, backup_directory="./cert_backups"):
self.client = client
self.backup_dir = Path(backup_directory)
self.backup_dir.mkdir(exist_ok=True)
def backup_all_certificates(self):
"""Backup all certificates in the vault."""
timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
backup_session_dir = self.backup_dir / f"backup_{timestamp}"
backup_session_dir.mkdir()
successful_backups = []
failed_backups = []
# Get all certificates
for cert_props in self.client.list_properties_of_certificates():
cert_name = cert_props.name
try:
# Create backup
backup_data = self.client.backup_certificate(cert_name)
# Save backup file
backup_file = backup_session_dir / f"{cert_name}.backup"
with open(backup_file, "wb") as f:
f.write(backup_data)
successful_backups.append({
"name": cert_name,
"file": str(backup_file),
"size": len(backup_data),
"expires_on": cert_props.expires_on.isoformat() if cert_props.expires_on else None
})
except Exception as e:
failed_backups.append({
"name": cert_name,
"error": str(e)
})
# Create manifest
manifest = {
"backup_timestamp": timestamp,
"vault_url": str(self.client.vault_url),
"successful_backups": successful_backups,
"failed_backups": failed_backups,
"total_certificates": len(successful_backups) + len(failed_backups)
}
manifest_file = backup_session_dir / "manifest.json"
with open(manifest_file, "w") as f:
json.dump(manifest, f, indent=2)
print(f"Backup completed: {len(successful_backups)} successful, {len(failed_backups)} failed")
return manifest
# Usage
backup_manager = CertificateBackupManager(client)
backup_manifest = backup_manager.backup_all_certificates()Install with Tessl CLI
npx tessl i tessl/pypi-azure-keyvault-certificates