tessl/pypi-azure-keyvault
Microsoft Azure Key Vault Client Libraries for Python providing unified access to keys, secrets, and certificates
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
certificate-management.mddocs/
Certificate Management
Complete X.509 certificate lifecycle management in Azure Key Vault. Supports certificate creation, import, renewal, policy management, and integration with certificate authorities. Provides automated certificate lifecycle management, issuer management, and contact administration.
Capabilities
Certificate Client
Main client for certificate management operations with synchronous and asynchronous support.
class CertificateClient:
def __init__(self, vault_url: str, credential, **kwargs):
"""
Initialize CertificateClient for certificate management operations.
Parameters:
- vault_url: str, Key Vault URL (https://vault-name.vault.azure.net/)
- credential: Azure credential object for authentication
- api_version: ApiVersion, API version to use (default: latest)
- **kwargs: Additional configuration options
"""
def close(self) -> None:
"""Close the client and release resources."""Certificate Creation
Create new certificates using policies and certificate authorities.
def create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> KeyVaultCertificate:
"""
Create a certificate synchronously (for self-signed certificates).
Parameters:
- certificate_name: str, unique certificate name
- policy: CertificatePolicy, certificate creation policy
- enabled: bool, whether certificate is enabled
- tags: Dict[str, str], custom metadata
Returns:
KeyVaultCertificate with certificate data
"""
def begin_create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> LROPoller[KeyVaultCertificate]:
"""
Begin certificate creation (long-running operation for CA certificates).
Parameters:
- certificate_name: str, unique certificate name
- policy: CertificatePolicy, certificate creation policy
- enabled: bool, whether certificate is enabled
- tags: Dict[str, str], custom metadata
Returns:
LROPoller for tracking certificate creation progress
"""
def import_certificate(self, certificate_name: str, certificate_bytes: bytes, **kwargs) -> KeyVaultCertificate:
"""
Import existing certificate.
Parameters:
- certificate_name: str, unique certificate name
- certificate_bytes: bytes, certificate data (PFX or PEM)
- password: str, password for PFX certificates
- policy: CertificatePolicy, optional policy for imported certificate
- enabled: bool, whether certificate is enabled
- tags: Dict[str, str], custom metadata
Returns:
KeyVaultCertificate with imported certificate
"""Certificate Retrieval
Retrieve certificates and their versions from the vault.
def get_certificate(self, certificate_name: str, **kwargs) -> KeyVaultCertificate:
"""
Get latest version of a certificate.
Parameters:
- certificate_name: str, certificate name
Returns:
KeyVaultCertificate with certificate data
"""
def get_certificate_version(self, certificate_name: str, version: str, **kwargs) -> KeyVaultCertificate:
"""
Get specific version of a certificate.
Parameters:
- certificate_name: str, certificate name
- version: str, certificate version
Returns:
KeyVaultCertificate with certificate data
"""
def list_properties_of_certificates(**kwargs) -> ItemPaged[CertificateProperties]:
"""
List all certificates in the vault.
Parameters:
- include_pending: bool, include pending certificates
- max_page_size: int, maximum items per page
Returns:
Paginated list of CertificateProperties
"""
def list_properties_of_certificate_versions(self, certificate_name: str, **kwargs) -> ItemPaged[CertificateProperties]:
"""
List all versions of a specific certificate.
Parameters:
- certificate_name: str, certificate name
- max_page_size: int, maximum items per page
Returns:
Paginated list of CertificateProperties for all versions
"""Certificate Operations
Update, delete, and manage certificate lifecycle.
def update_certificate_properties(self, certificate_name: str, version: str = None, **kwargs) -> KeyVaultCertificate:
"""
Update certificate properties and metadata.
Parameters:
- certificate_name: str, certificate name
- version: str, specific version (default: latest)
- enabled: bool, enable/disable certificate
- tags: Dict[str, str], custom metadata
Returns:
KeyVaultCertificate with updated properties
"""
def begin_delete_certificate(self, certificate_name: str, **kwargs) -> LROPoller[DeletedCertificate]:
"""
Delete a certificate (soft delete) - long-running operation.
Parameters:
- certificate_name: str, certificate name to delete
Returns:
LROPoller[DeletedCertificate] for tracking deletion progress
"""
def get_deleted_certificate(self, certificate_name: str, **kwargs) -> DeletedCertificate:
"""
Get properties of a deleted certificate.
Parameters:
- certificate_name: str, deleted certificate name
Returns:
DeletedCertificate with deletion information
"""
def begin_recover_deleted_certificate(self, certificate_name: str, **kwargs) -> LROPoller[KeyVaultCertificate]:
"""
Recover a deleted certificate - long-running operation.
Parameters:
- certificate_name: str, deleted certificate name
Returns:
LROPoller[KeyVaultCertificate] for tracking recovery progress
"""
def purge_deleted_certificate(self, certificate_name: str, **kwargs) -> None:
"""
Permanently delete a certificate.
Parameters:
- certificate_name: str, deleted certificate name to purge
"""
def list_deleted_certificates(**kwargs) -> ItemPaged[DeletedCertificate]:
"""
List all deleted certificates.
Returns:
Paginated list of DeletedCertificate objects
"""Certificate Backup and Restore
Backup and restore certificates for disaster recovery.
def backup_certificate(self, certificate_name: str, **kwargs) -> bytes:
"""
Create backup of a certificate.
Parameters:
- certificate_name: str, certificate name to backup
Returns:
bytes containing encrypted backup data
"""
def restore_certificate_backup(self, backup: bytes, **kwargs) -> KeyVaultCertificate:
"""
Restore certificate from backup.
Parameters:
- backup: bytes, backup data from backup_certificate()
Returns:
KeyVaultCertificate with restored certificate
"""Certificate Operations Management
Manage long-running certificate operations.
def get_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
"""
Get status of a certificate creation operation.
Parameters:
- certificate_name: str, certificate name
Returns:
CertificateOperation with operation status
"""
def cancel_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
"""
Cancel a pending certificate operation.
Parameters:
- certificate_name: str, certificate name
Returns:
CertificateOperation with cancellation status
"""
def delete_certificate_operation(self, certificate_name: str, **kwargs) -> CertificateOperation:
"""
Delete a certificate operation.
Parameters:
- certificate_name: str, certificate name
Returns:
CertificateOperation with deletion status
"""
def merge_certificate(self, certificate_name: str, x509_certificates: List[bytes], **kwargs) -> KeyVaultCertificate:
"""
Merge certificate chain with pending certificate request.
Parameters:
- certificate_name: str, certificate name
- x509_certificates: List[bytes], certificate chain to merge
- enabled: bool, whether merged certificate is enabled
- tags: Dict[str, str], custom metadata
Returns:
KeyVaultCertificate with merged certificate
"""Certificate Policy Management
Manage certificate policies for creation and renewal.
def get_certificate_policy(self, certificate_name: str, **kwargs) -> CertificatePolicy:
"""
Get certificate policy.
Parameters:
- certificate_name: str, certificate name
Returns:
CertificatePolicy with policy configuration
"""
def update_certificate_policy(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> CertificatePolicy:
"""
Update certificate policy.
Parameters:
- certificate_name: str, certificate name
- policy: CertificatePolicy, new policy configuration
Returns:
CertificatePolicy with updated policy
"""Certificate Issuer Management
Manage certificate authorities and issuers.
def create_issuer(self, issuer_name: str, provider: str, **kwargs) -> CertificateIssuer:
"""
Create or update certificate issuer.
Parameters:
- issuer_name: str, issuer name
- provider: str, issuer provider (DigiCert, GlobalSign, etc.)
- account_id: str, account ID with the provider
- password: str, password for the account
- organization_id: str, organization ID
- admin_contacts: List[AdministratorContact], administrator contacts
- enabled: bool, whether issuer is enabled
Returns:
CertificateIssuer with issuer configuration
"""
def get_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
"""
Get certificate issuer.
Parameters:
- issuer_name: str, issuer name
Returns:
CertificateIssuer with issuer information
"""
def list_properties_of_issuers(**kwargs) -> ItemPaged[IssuerProperties]:
"""
List all certificate issuers.
Parameters:
- max_page_size: int, maximum items per page
Returns:
Paginated list of IssuerProperties
"""
def update_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
"""
Update certificate issuer.
Parameters:
- issuer_name: str, issuer name
- provider: str, issuer provider
- account_id: str, account ID
- password: str, account password
- organization_id: str, organization ID
- admin_contacts: List[AdministratorContact], administrator contacts
- enabled: bool, whether issuer is enabled
Returns:
CertificateIssuer with updated configuration
"""
def delete_issuer(self, issuer_name: str, **kwargs) -> CertificateIssuer:
"""
Delete certificate issuer.
Parameters:
- issuer_name: str, issuer name to delete
Returns:
CertificateIssuer with deleted issuer information
"""Certificate Contacts Management
Manage contacts for certificate notifications.
def set_contacts(self, contacts: List[CertificateContact], **kwargs) -> List[CertificateContact]:
"""
Set certificate contacts for notifications.
Parameters:
- contacts: List[CertificateContact], contact information
Returns:
List[CertificateContact] with set contacts
"""
def get_contacts(**kwargs) -> List[CertificateContact]:
"""
Get certificate contacts.
Returns:
List[CertificateContact] with current contacts
"""
def delete_contacts(**kwargs) -> List[CertificateContact]:
"""
Delete all certificate contacts.
Returns:
List[CertificateContact] with deleted contacts
"""Certificate Types and Enumerations
class CertificatePolicyAction(str, Enum):
"""Certificate policy actions."""
email_contacts = "EmailContacts"
auto_renew = "AutoRenew"
class KeyType(str, Enum):
"""Key types for certificates."""
rsa = "RSA"
rsa_hsm = "RSA-HSM"
ec = "EC"
ec_hsm = "EC-HSM"
class KeyCurveName(str, Enum):
"""Elliptic curve names for certificates."""
p_256 = "P-256"
p_384 = "P-384"
p_521 = "P-521"
p_256k = "P-256K"
class CertificateContentType(str, Enum):
"""Certificate content types."""
pkcs12 = "application/x-pkcs12"
pem = "application/x-pem-file"
class KeyUsageType(str, Enum):
"""Certificate key usage types."""
digital_signature = "digitalSignature"
non_repudiation = "nonRepudiation"
key_encipherment = "keyEncipherment"
data_encipherment = "dataEncipherment"
key_agreement = "keyAgreement"
key_cert_sign = "keyCertSign"
crl_sign = "cRLSign"
encipher_only = "encipherOnly"
decipher_only = "decipherOnly"
class WellKnownIssuerNames(str, Enum):
"""Well-known certificate issuer names."""
self = "Self"
unknown = "Unknown"Certificate Model Classes
class KeyVaultCertificate:
"""Represents a certificate stored in Azure Key Vault."""
id: str
name: str
properties: CertificateProperties
cer: bytes # Certificate public portion
policy: CertificatePolicy
class CertificateProperties:
"""Certificate metadata and properties."""
id: str
name: str
version: str
enabled: bool
expires_on: datetime
not_before: datetime
created_on: datetime
updated_on: datetime
recovery_level: str
vault_url: str
x509_thumbprint: bytes
tags: Dict[str, str]
class DeletedCertificate:
"""Represents a deleted certificate."""
id: str
name: str
properties: CertificateProperties
cer: bytes
policy: CertificatePolicy
deleted_on: datetime
recovery_id: str
scheduled_purge_date: datetime
class KeyVaultCertificateIdentifier:
"""Identifier for Key Vault certificates."""
source_id: str
vault_url: str
name: str
version: str
class CertificatePolicy:
"""Certificate policy configuration."""
issuer_name: str
subject: str
san_dns_names: List[str]
san_emails: List[str]
san_user_principal_names: List[str]
exportable: bool
key_type: KeyType
key_size: int
reuse_key: bool
curve: KeyCurveName
key_usage: List[KeyUsageType]
certificate_type: str
validity_in_months: int
lifetime_actions: List[LifetimeAction]
certificate_transparency: bool
content_type: CertificateContentType
@classmethod
def get_default(cls) -> "CertificatePolicy":
"""Get default certificate policy for self-signed certificates."""
class CertificateOperation:
"""Certificate operation details."""
id: str
issuer_name: str
certificate_type: str
certificate_transparency: bool
csr: bytes # Certificate signing request
cancellation_requested: bool
status: str
status_details: str
error: CertificateOperationError
target: str
request_id: str
class CertificateOperationError:
"""Certificate operation error details."""
code: str
message: str
inner_error: "CertificateOperationError"
class CertificateIssuer:
"""Certificate issuer information."""
id: str
name: str
provider: str
account_id: str
credentials: Dict[str, str]
organization_details: Dict[str, Any]
attributes: Dict[str, Any]
class IssuerProperties:
"""Certificate issuer properties."""
id: str
name: str
provider: str
created_on: datetime
updated_on: datetime
enabled: bool
class LifetimeAction:
"""Certificate lifetime actions."""
action: CertificatePolicyAction
lifetime_percentage: int
days_before_expiry: int
class CertificateContact:
"""Certificate contact information."""
email: str
name: str
phone: str
class AdministratorContact:
"""Certificate administrator contact."""
first_name: str
last_name: str
email: str
phone: strUsage Examples
Basic Certificate Management
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
from azure.identity import DefaultAzureCredential
# Initialize client
credential = DefaultAzureCredential()
client = CertificateClient(vault_url="https://vault-name.vault.azure.net/", credential=credential)
# Create self-signed certificate
policy = CertificatePolicy.get_default()
policy.subject = "CN=example.com"
policy.san_dns_names = ["example.com", "*.example.com"]
certificate = client.create_certificate("ssl-cert", policy)
print(f"Created certificate: {certificate.name}")
# Get certificate
retrieved_cert = client.get_certificate("ssl-cert")
print(f"Certificate expires: {retrieved_cert.properties.expires_on}")Certificate with Custom Policy
from azure.keyvault.certificates import CertificatePolicy, KeyType, CertificateContentType, KeyUsageType
# Create custom policy
policy = CertificatePolicy(
issuer_name="Self",
subject="CN=myapp.example.com, O=My Company, C=US",
san_dns_names=["myapp.example.com", "api.example.com"],
san_emails=["admin@example.com"],
exportable=True,
key_type=KeyType.rsa,
key_size=2048,
reuse_key=True,
key_usage=[KeyUsageType.digital_signature, KeyUsageType.key_encipherment],
validity_in_months=12,
content_type=CertificateContentType.pkcs12
)
# Create certificate with custom policy
cert_operation = client.begin_create_certificate("custom-cert", policy)
certificate = cert_operation.result()Import Existing Certificate
# Import PFX certificate
with open("certificate.pfx", "rb") as cert_file:
cert_bytes = cert_file.read()
imported_cert = client.import_certificate(
certificate_name="imported-cert",
certificate_bytes=cert_bytes,
password="certificate-password"
)
# Import PEM certificate
with open("certificate.pem", "rb") as cert_file:
pem_bytes = cert_file.read()
imported_pem = client.import_certificate(
certificate_name="imported-pem",
certificate_bytes=pem_bytes
)Certificate Lifecycle Management
from azure.keyvault.certificates import LifetimeAction, CertificatePolicyAction
# Create policy with auto-renewal
lifetime_action = LifetimeAction(
action=CertificatePolicyAction.auto_renew,
days_before_expiry=30
)
policy = CertificatePolicy.get_default()
policy.subject = "CN=auto-renew.example.com"
policy.lifetime_actions = [lifetime_action]
policy.validity_in_months = 12
# Create certificate with auto-renewal
cert = client.create_certificate("auto-renew-cert", policy)
# Update policy later
policy.validity_in_months = 24
client.update_certificate_policy("auto-renew-cert", policy)Working with Certificate Authorities
from azure.keyvault.certificates import AdministratorContact
# Create issuer configuration
admin_contact = AdministratorContact(
first_name="John",
last_name="Doe",
email="admin@example.com",
phone="+1-555-123-4567"
)
issuer = client.create_issuer(
issuer_name="DigiCert",
provider="DigiCert",
account_id="your-account-id",
password="account-password",
admin_contacts=[admin_contact]
)
# Create certificate using CA
ca_policy = CertificatePolicy.get_default()
ca_policy.issuer_name = "DigiCert"
ca_policy.subject = "CN=production.example.com"
cert_operation = client.begin_create_certificate("ca-cert", ca_policy)
# This will be pending until approved by CACertificate Contacts and Notifications
from azure.keyvault.certificates import CertificateContact
# Set certificate contacts
contacts = [
CertificateContact(
email="security@example.com",
name="Security Team",
phone="+1-555-123-4567"
),
CertificateContact(
email="ops@example.com",
name="Operations Team"
)
]
client.set_contacts(contacts)
# Create policy with email notifications
email_action = LifetimeAction(
action=CertificatePolicyAction.email_contacts,
days_before_expiry=30
)
policy = CertificatePolicy.get_default()
policy.lifetime_actions = [email_action]
cert = client.create_certificate("monitored-cert", policy)Install with Tessl CLI
npx tessl i tessl/pypi-azure-keyvault