0
# Certificate Management
1
2
Complete X.509 certificate lifecycle management in Azure Key Vault. Supports certificate creation, import, renewal, policy management, and integration with certificate authorities. Provides automated certificate lifecycle management, issuer management, and contact administration.
3
4
## Capabilities
5
6
### Certificate Client
7
8
Main client for certificate management operations with synchronous and asynchronous support.
9
10
```python { .api }
11
class CertificateClient:
12
def __init__(self, vault_url: str, credential, **kwargs):
13
"""
14
Initialize CertificateClient for certificate management operations.
15
16
Parameters:
17
- vault_url: str, Key Vault URL (https://vault-name.vault.azure.net/)
18
- credential: Azure credential object for authentication
19
- api_version: ApiVersion, API version to use (default: latest)
20
- **kwargs: Additional configuration options
21
"""
22
23
def close(self) -> None:
24
"""Close the client and release resources."""
25
```
26
27
### Certificate Creation
28
29
Create new certificates using policies and certificate authorities.
30
31
```python { .api }
32
def create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> KeyVaultCertificate:
33
"""
34
Create a certificate synchronously (for self-signed certificates).
35
36
Parameters:
37
- certificate_name: str, unique certificate name
38
- policy: CertificatePolicy, certificate creation policy
39
- enabled: bool, whether certificate is enabled
40
- tags: Dict[str, str], custom metadata
41
42
Returns:
43
KeyVaultCertificate with certificate data
44
"""
45
46
def begin_create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> LROPoller[KeyVaultCertificate]:
47
"""
48
Begin certificate creation (long-running operation for CA certificates).
49
50
Parameters:
51
- certificate_name: str, unique certificate name
52
- policy: CertificatePolicy, certificate creation policy
53
- enabled: bool, whether certificate is enabled
54
- tags: Dict[str, str], custom metadata
55
56
Returns:
57
LROPoller for tracking certificate creation progress
58
"""
59
60
def import_certificate(self, certificate_name: str, certificate_bytes: bytes, **kwargs) -> KeyVaultCertificate:
61
"""
62
Import existing certificate.
63
64
Parameters:
65
- certificate_name: str, unique certificate name
66
- certificate_bytes: bytes, certificate data (PFX or PEM)
67
- password: str, password for PFX certificates
68
- policy: CertificatePolicy, optional policy for imported certificate
69
- enabled: bool, whether certificate is enabled
70
- tags: Dict[str, str], custom metadata
71
72
Returns:
73
KeyVaultCertificate with imported certificate
74
"""
75
```
76
77
### Certificate Retrieval
78
79
Retrieve certificates and their versions from the vault.
80
81
```python { .api }
82
def get_certificate(self, certificate_name: str, **kwargs) -> KeyVaultCertificate:
83
"""
84
Get latest version of a certificate.
85
86
Parameters:
87
- certificate_name: str, certificate name
88
89
Returns:
90
KeyVaultCertificate with certificate data
91
"""
92
93
def get_certificate_version(self, certificate_name: str, version: str, **kwargs) -> KeyVaultCertificate:
94
"""
95
Get specific version of a certificate.
96
97
Parameters:
98
- certificate_name: str, certificate name
99
- version: str, certificate version
100
101
Returns:
102
KeyVaultCertificate with certificate data
103
"""
104
105
def list_properties_of_certificates(**kwargs) -> ItemPaged[CertificateProperties]:
106
"""
107
List all certificates in the vault.
108
109
Parameters:
110
- include_pending: bool, include pending certificates
111
- max_page_size: int, maximum items per page
112
113
Returns:
114
Paginated list of CertificateProperties
115
"""
116
117
def list_properties_of_certificate_versions(self, certificate_name: str, **kwargs) -> ItemPaged[CertificateProperties]:
118
"""
119
List all versions of a specific certificate.
120
121
Parameters:
122
- certificate_name: str, certificate name
123
- max_page_size: int, maximum items per page
124
125
Returns:
126
Paginated list of CertificateProperties for all versions
127
"""
128
```
129
130
### Certificate Operations
131
132
Update, delete, and manage certificate lifecycle.
133
134
```python { .api }
135
def update_certificate_properties(self, certificate_name: str, version: str = None, **kwargs) -> KeyVaultCertificate:
136
"""
137
Update certificate properties and metadata.
138
139
Parameters:
140
- certificate_name: str, certificate name
141
- version: str, specific version (default: latest)
142
- enabled: bool, enable/disable certificate
143
- tags: Dict[str, str], custom metadata
144
145
Returns:
146
KeyVaultCertificate with updated properties
147
"""
148
149
def begin_delete_certificate(self, certificate_name: str, **kwargs) -> LROPoller[DeletedCertificate]:
150
"""
151
Delete a certificate (soft delete) - long-running operation.
152
153
Parameters:
154
- certificate_name: str, certificate name to delete
155
156
Returns:
157
LROPoller[DeletedCertificate] for tracking deletion progress
158
"""
159
160
def get_deleted_certificate(self, certificate_name: str, **kwargs) -> DeletedCertificate:
161
"""
162
Get properties of a deleted certificate.
163
164
Parameters:
165
- certificate_name: str, deleted certificate name
166
167
Returns:
168
DeletedCertificate with deletion information
169
"""
170
171
def begin_recover_deleted_certificate(self, certificate_name: str, **kwargs) -> LROPoller[KeyVaultCertificate]:
172
"""
173
Recover a deleted certificate - long-running operation.
174
175
Parameters:
176
- certificate_name: str, deleted certificate name
177
178
Returns:
179
LROPoller[KeyVaultCertificate] for tracking recovery progress
180
"""
181
182
def purge_deleted_certificate(self, certificate_name: str, **kwargs) -> None:
183
"""
184
Permanently delete a certificate.
185
186
Parameters:
187
- certificate_name: str, deleted certificate name to purge
188
"""
189
190
def list_deleted_certificates(**kwargs) -> ItemPaged[DeletedCertificate]:
191
"""
192
List all deleted certificates.
193
194
Returns:
195
Paginated list of DeletedCertificate objects
196
"""
197
```
198
199
### Certificate Backup and Restore
200
201
Backup and restore certificates for disaster recovery.
202
203
```python { .api }
204
def backup_certificate(self, certificate_name: str, **kwargs) -> bytes:
205
"""
206
Create backup of a certificate.
207
208
Parameters:
209
- certificate_name: str, certificate name to backup
210
211
Returns:
212
bytes containing encrypted backup data
213
"""
214
215
def restore_certificate_backup(self, backup: bytes, **kwargs) -> KeyVaultCertificate:
216
"""
217
Restore certificate from backup.
218
219
Parameters:
220
- backup: bytes, backup data from backup_certificate()
221
222
Returns:
223
KeyVaultCertificate with restored certificate
224
"""
225
```
226
227
### Certificate Operations Management
228
229
Manage long-running certificate operations.
230
231
```python { .api }
232
def get_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
233
"""
234
Get status of a certificate creation operation.
235
236
Parameters:
237
- certificate_name: str, certificate name
238
239
Returns:
240
CertificateOperation with operation status
241
"""
242
243
def cancel_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
244
"""
245
Cancel a pending certificate operation.
246
247
Parameters:
248
- certificate_name: str, certificate name
249
250
Returns:
251
CertificateOperation with cancellation status
252
"""
253
254
def delete_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
255
"""
256
Delete a certificate operation.
257
258
Parameters:
259
- certificate_name: str, certificate name
260
261
Returns:
262
CertificateOperation with deletion status
263
"""
264
265
def merge_certificate(self, certificate_name: str, x509_certificates: List[bytes], **kwargs) -> KeyVaultCertificate:
266
"""
267
Merge certificate chain with pending certificate request.
268
269
Parameters:
270
- certificate_name: str, certificate name
271
- x509_certificates: List[bytes], certificate chain to merge
272
- enabled: bool, whether merged certificate is enabled
273
- tags: Dict[str, str], custom metadata
274
275
Returns:
276
KeyVaultCertificate with merged certificate
277
"""
278
```
279
280
### Certificate Policy Management
281
282
Manage certificate policies for creation and renewal.
283
284
```python { .api }
285
def get_certificate_policy(self, certificate_name: str, **kwargs) -> CertificatePolicy:
286
"""
287
Get certificate policy.
288
289
Parameters:
290
- certificate_name: str, certificate name
291
292
Returns:
293
CertificatePolicy with policy configuration
294
"""
295
296
def update_certificate_policy(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> CertificatePolicy:
297
"""
298
Update certificate policy.
299
300
Parameters:
301
- certificate_name: str, certificate name
302
- policy: CertificatePolicy, new policy configuration
303
304
Returns:
305
CertificatePolicy with updated policy
306
"""
307
```
308
309
### Certificate Issuer Management
310
311
Manage certificate authorities and issuers.
312
313
```python { .api }
314
def create_issuer(self, issuer_name: str, provider: str, **kwargs) -> CertificateIssuer:
315
"""
316
Create or update certificate issuer.
317
318
Parameters:
319
- issuer_name: str, issuer name
320
- provider: str, issuer provider (DigiCert, GlobalSign, etc.)
321
- account_id: str, account ID with the provider
322
- password: str, password for the account
323
- organization_id: str, organization ID
324
- admin_contacts: List[AdministratorContact], administrator contacts
325
- enabled: bool, whether issuer is enabled
326
327
Returns:
328
CertificateIssuer with issuer configuration
329
"""
330
331
def get_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
332
"""
333
Get certificate issuer.
334
335
Parameters:
336
- issuer_name: str, issuer name
337
338
Returns:
339
CertificateIssuer with issuer information
340
"""
341
342
def list_properties_of_issuers(**kwargs) -> ItemPaged[IssuerProperties]:
343
"""
344
List all certificate issuers.
345
346
Parameters:
347
- max_page_size: int, maximum items per page
348
349
Returns:
350
Paginated list of IssuerProperties
351
"""
352
353
def update_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
354
"""
355
Update certificate issuer.
356
357
Parameters:
358
- issuer_name: str, issuer name
359
- provider: str, issuer provider
360
- account_id: str, account ID
361
- password: str, account password
362
- organization_id: str, organization ID
363
- admin_contacts: List[AdministratorContact], administrator contacts
364
- enabled: bool, whether issuer is enabled
365
366
Returns:
367
CertificateIssuer with updated configuration
368
"""
369
370
def delete_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
371
"""
372
Delete certificate issuer.
373
374
Parameters:
375
- issuer_name: str, issuer name to delete
376
377
Returns:
378
CertificateIssuer with deleted issuer information
379
"""
380
```
381
382
### Certificate Contacts Management
383
384
Manage contacts for certificate notifications.
385
386
```python { .api }
387
def set_contacts(self, contacts: List[CertificateContact], **kwargs) -> List[CertificateContact]:
388
"""
389
Set certificate contacts for notifications.
390
391
Parameters:
392
- contacts: List[CertificateContact], contact information
393
394
Returns:
395
List[CertificateContact] with set contacts
396
"""
397
398
def get_contacts(**kwargs) -> List[CertificateContact]:
399
"""
400
Get certificate contacts.
401
402
Returns:
403
List[CertificateContact] with current contacts
404
"""
405
406
def delete_contacts(**kwargs) -> List[CertificateContact]:
407
"""
408
Delete all certificate contacts.
409
410
Returns:
411
List[CertificateContact] with deleted contacts
412
"""
413
```
414
415
## Certificate Types and Enumerations
416
417
```python { .api }
418
class CertificatePolicyAction(str, Enum):
419
"""Certificate policy actions."""
420
email_contacts = "EmailContacts"
421
auto_renew = "AutoRenew"
422
423
class KeyType(str, Enum):
424
"""Key types for certificates."""
425
rsa = "RSA"
426
rsa_hsm = "RSA-HSM"
427
ec = "EC"
428
ec_hsm = "EC-HSM"
429
430
class KeyCurveName(str, Enum):
431
"""Elliptic curve names for certificates."""
432
p_256 = "P-256"
433
p_384 = "P-384"
434
p_521 = "P-521"
435
p_256k = "P-256K"
436
437
class CertificateContentType(str, Enum):
438
"""Certificate content types."""
439
pkcs12 = "application/x-pkcs12"
440
pem = "application/x-pem-file"
441
442
class KeyUsageType(str, Enum):
443
"""Certificate key usage types."""
444
digital_signature = "digitalSignature"
445
non_repudiation = "nonRepudiation"
446
key_encipherment = "keyEncipherment"
447
data_encipherment = "dataEncipherment"
448
key_agreement = "keyAgreement"
449
key_cert_sign = "keyCertSign"
450
crl_sign = "cRLSign"
451
encipher_only = "encipherOnly"
452
decipher_only = "decipherOnly"
453
454
class WellKnownIssuerNames(str, Enum):
455
"""Well-known certificate issuer names."""
456
self = "Self"
457
unknown = "Unknown"
458
```
459
460
## Certificate Model Classes
461
462
```python { .api }
463
class KeyVaultCertificate:
464
"""Represents a certificate stored in Azure Key Vault."""
465
id: str
466
name: str
467
properties: CertificateProperties
468
cer: bytes # Certificate public portion
469
policy: CertificatePolicy
470
471
class CertificateProperties:
472
"""Certificate metadata and properties."""
473
id: str
474
name: str
475
version: str
476
enabled: bool
477
expires_on: datetime
478
not_before: datetime
479
created_on: datetime
480
updated_on: datetime
481
recovery_level: str
482
vault_url: str
483
x509_thumbprint: bytes
484
tags: Dict[str, str]
485
486
class DeletedCertificate:
487
"""Represents a deleted certificate."""
488
id: str
489
name: str
490
properties: CertificateProperties
491
cer: bytes
492
policy: CertificatePolicy
493
deleted_on: datetime
494
recovery_id: str
495
scheduled_purge_date: datetime
496
497
class KeyVaultCertificateIdentifier:
498
"""Identifier for Key Vault certificates."""
499
source_id: str
500
vault_url: str
501
name: str
502
version: str
503
504
class CertificatePolicy:
505
"""Certificate policy configuration."""
506
issuer_name: str
507
subject: str
508
san_dns_names: List[str]
509
san_emails: List[str]
510
san_user_principal_names: List[str]
511
exportable: bool
512
key_type: KeyType
513
key_size: int
514
reuse_key: bool
515
curve: KeyCurveName
516
key_usage: List[KeyUsageType]
517
certificate_type: str
518
validity_in_months: int
519
lifetime_actions: List[LifetimeAction]
520
certificate_transparency: bool
521
content_type: CertificateContentType
522
523
@classmethod
524
def get_default(cls) -> "CertificatePolicy":
525
"""Get default certificate policy for self-signed certificates."""
526
527
class CertificateOperation:
528
"""Certificate operation details."""
529
id: str
530
issuer_name: str
531
certificate_type: str
532
certificate_transparency: bool
533
csr: bytes # Certificate signing request
534
cancellation_requested: bool
535
status: str
536
status_details: str
537
error: CertificateOperationError
538
target: str
539
request_id: str
540
541
class CertificateOperationError:
542
"""Certificate operation error details."""
543
code: str
544
message: str
545
inner_error: "CertificateOperationError"
546
547
class CertificateIssuer:
548
"""Certificate issuer information."""
549
id: str
550
name: str
551
provider: str
552
account_id: str
553
credentials: Dict[str, str]
554
organization_details: Dict[str, Any]
555
attributes: Dict[str, Any]
556
557
class IssuerProperties:
558
"""Certificate issuer properties."""
559
id: str
560
name: str
561
provider: str
562
created_on: datetime
563
updated_on: datetime
564
enabled: bool
565
566
class LifetimeAction:
567
"""Certificate lifetime actions."""
568
action: CertificatePolicyAction
569
lifetime_percentage: int
570
days_before_expiry: int
571
572
class CertificateContact:
573
"""Certificate contact information."""
574
email: str
575
name: str
576
phone: str
577
578
class AdministratorContact:
579
"""Certificate administrator contact."""
580
first_name: str
581
last_name: str
582
email: str
583
phone: str
584
```
585
586
## Usage Examples
587
588
### Basic Certificate Management
589
590
```python
591
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
592
from azure.identity import DefaultAzureCredential
593
594
# Initialize client
595
credential = DefaultAzureCredential()
596
client = CertificateClient(vault_url="https://vault-name.vault.azure.net/", credential=credential)
597
598
# Create self-signed certificate
599
policy = CertificatePolicy.get_default()
600
policy.subject = "CN=example.com"
601
policy.san_dns_names = ["example.com", "*.example.com"]
602
603
certificate = client.create_certificate("ssl-cert", policy)
604
print(f"Created certificate: {certificate.name}")
605
606
# Get certificate
607
retrieved_cert = client.get_certificate("ssl-cert")
608
print(f"Certificate expires: {retrieved_cert.properties.expires_on}")
609
```
610
611
### Certificate with Custom Policy
612
613
```python
614
from azure.keyvault.certificates import CertificatePolicy, KeyType, CertificateContentType, KeyUsageType
615
616
# Create custom policy
617
policy = CertificatePolicy(
618
issuer_name="Self",
619
subject="CN=myapp.example.com, O=My Company, C=US",
620
san_dns_names=["myapp.example.com", "api.example.com"],
621
san_emails=["admin@example.com"],
622
exportable=True,
623
key_type=KeyType.rsa,
624
key_size=2048,
625
reuse_key=True,
626
key_usage=[KeyUsageType.digital_signature, KeyUsageType.key_encipherment],
627
validity_in_months=12,
628
content_type=CertificateContentType.pkcs12
629
)
630
631
# Create certificate with custom policy
632
cert_operation = client.begin_create_certificate("custom-cert", policy)
633
certificate = cert_operation.result()
634
```
635
636
### Import Existing Certificate
637
638
```python
639
# Import PFX certificate
640
with open("certificate.pfx", "rb") as cert_file:
641
cert_bytes = cert_file.read()
642
643
imported_cert = client.import_certificate(
644
certificate_name="imported-cert",
645
certificate_bytes=cert_bytes,
646
password="certificate-password"
647
)
648
649
# Import PEM certificate
650
with open("certificate.pem", "rb") as cert_file:
651
pem_bytes = cert_file.read()
652
653
imported_pem = client.import_certificate(
654
certificate_name="imported-pem",
655
certificate_bytes=pem_bytes
656
)
657
```
658
659
### Certificate Lifecycle Management
660
661
```python
662
from azure.keyvault.certificates import LifetimeAction, CertificatePolicyAction
663
664
# Create policy with auto-renewal
665
lifetime_action = LifetimeAction(
666
action=CertificatePolicyAction.auto_renew,
667
days_before_expiry=30
668
)
669
670
policy = CertificatePolicy.get_default()
671
policy.subject = "CN=auto-renew.example.com"
672
policy.lifetime_actions = [lifetime_action]
673
policy.validity_in_months = 12
674
675
# Create certificate with auto-renewal
676
cert = client.create_certificate("auto-renew-cert", policy)
677
678
# Update policy later
679
policy.validity_in_months = 24
680
client.update_certificate_policy("auto-renew-cert", policy)
681
```
682
683
### Working with Certificate Authorities
684
685
```python
686
from azure.keyvault.certificates import AdministratorContact
687
688
# Create issuer configuration
689
admin_contact = AdministratorContact(
690
first_name="John",
691
last_name="Doe",
692
email="admin@example.com",
693
phone="+1-555-123-4567"
694
)
695
696
issuer = client.create_issuer(
697
issuer_name="DigiCert",
698
provider="DigiCert",
699
account_id="your-account-id",
700
password="account-password",
701
admin_contacts=[admin_contact]
702
)
703
704
# Create certificate using CA
705
ca_policy = CertificatePolicy.get_default()
706
ca_policy.issuer_name = "DigiCert"
707
ca_policy.subject = "CN=production.example.com"
708
709
cert_operation = client.begin_create_certificate("ca-cert", ca_policy)
710
# This will be pending until approved by CA
711
```
712
713
### Certificate Contacts and Notifications
714
715
```python
716
from azure.keyvault.certificates import CertificateContact
717
718
# Set certificate contacts
719
contacts = [
720
CertificateContact(
721
email="security@example.com",
722
name="Security Team",
723
phone="+1-555-123-4567"
724
),
725
CertificateContact(
726
email="ops@example.com",
727
name="Operations Team"
728
)
729
]
730
731
client.set_contacts(contacts)
732
733
# Create policy with email notifications
734
email_action = LifetimeAction(
735
action=CertificatePolicyAction.email_contacts,
736
days_before_expiry=30
737
)
738
739
policy = CertificatePolicy.get_default()
740
policy.lifetime_actions = [email_action]
741
742
cert = client.create_certificate("monitored-cert", policy)
743
```