azure.keyvault.certificates.aio package

Submodules

azure.keyvault.certificates.aio.client module

class azure.keyvault.certificates.aio.client.CertificateClient(vault_url: str, credential: TokenCredential, **kwargs: Any)

A high-level asynchronous interface for managing a vault’s certificates.

Parameters
  • vault_url (str) – URL of the vault the client will access

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword arguments
  • api_version: version of the Key Vault API to use. Defaults to the most recent.

  • transport: AsyncHttpTransport to use. Defaults to AioHttpTransport.

Example

Creates a new instance of the Certificate client

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient

# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url, credential)

async backup_certificate(name: str, **kwargs: Any) → bytes

Backs up the specified certificate.

Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.

Parameters

name (str) – The name of the certificate.

Returns

The backup blob containing the backed-up certificate.

Return type

bytes

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate backup

# backup certificate
certificate_backup = await certificate_client.backup_certificate(name=cert_name)

# returns the raw bytes of the backed up certificate
print(certificate_backup)

async cancel_certificate_operation(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateOperation

Cancels a certificate operation.

Cancels a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The cancelled certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

async create_certificate(name: str, policy: azure.keyvault.certificates.models.CertificatePolicy, **kwargs: Any) → Union[azure.keyvault.certificates.models.KeyVaultCertificate, azure.keyvault.certificates.models.CertificateOperation]

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

Parameters
  • name (str) – The name of the certificate.

  • policy (CertificatePolicy) – The management policy for the certificate.

Returns

A coroutine for the creation of the certificate. Awaiting the coroutine returns the created KeyVaultCertificate if creation is successful, the CertificateOperation if not.

Return type

KeyVaultCertificate or CertificateOperation

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Create a certificate

from azure.keyvault.certificates import CertificatePolicy, SecretContentType

# specify the certificate policy
cert_policy = CertificatePolicy(
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=SecretContentType.PKCS12,
    issuer_name="Self",
    subject_name="CN=*.microsoft.com",
    validity_in_months=24,
    san_dns_names=["sdk.azure-int.net"],
)
cert_name = "cert-name"
# create a certificate with optional arguments, returns an async poller
create_certificate_poller = certificate_client.create_certificate(name=cert_name, policy=cert_policy)

# awaiting the certificate poller gives us the result of the long running operation
certificate = await create_certificate_poller

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

async create_contacts(contacts: Iterable[azure.keyvault.certificates.models.CertificateContact], **kwargs: Any) → List[azure.keyvault.certificates.models.CertificateContact]

Sets the certificate contacts for the key vault.

Sets the certificate contacts for the key vault. This operation requires the certificates/managecontacts permission.

Parameters

contacts (list[CertificateContact]) – The contact list for the vault certificates.

Returns

The created list of contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Create contacts

from azure.keyvault.certificates import CertificateContact

# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]

contacts = await certificate_client.create_contacts(contacts=contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

async create_issuer(name: str, provider: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateIssuer

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The created CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

Example

Create an issuer

from azure.keyvault.certificates import AdministratorDetails

# First we specify the AdministratorDetails for an issuer.
admin_details = [
    AdministratorDetails(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]

issuer = await certificate_client.create_issuer(
    name="issuer1", provider="Test", account_id="keyvaultuser", admin_details=admin_details, enabled=True
)

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async delete_certificate(name: str, **kwargs: Any) → azure.keyvault.certificates.models.DeletedCertificate

Deletes a certificate from the key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Delete a certificate

# delete a certificate
deleted_certificate = await certificate_client.delete_certificate(name=cert_name)

print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's
# scheduled purge date, deleted_date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

async delete_certificate_operation(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateOperation

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the operation doesn’t exist, HttpResponseError for other errors

async delete_contacts(**kwargs: Any) → List[azure.keyvault.certificates.models.CertificateContact]

Deletes the certificate contacts for the key vault.

Deletes the certificate contacts for the key vault certificate. This operation requires the certificates/managecontacts permission.

Returns

Contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Delete contacts

deleted_contacts = await certificate_client.delete_contacts()

for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)

async delete_issuer(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateIssuer

Deletes the specified certificate issuer.

Permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Example

Delete an issuer

deleted_issuer = await certificate_client.delete_issuer(name="issuer1")

print(deleted_issuer.name)
print(deleted_issuer.properties.provider)
print(deleted_issuer.account_id)

for admin_detail in deleted_issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async get_certificate(name: str, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Gets a certificate with its management policy attached.

This operation requires the certificates/get permission. Does not accept the version of the certificate as a parameter. If you wish to specify version, use the get_certificate_version function and specify the desired version.

Parameters

name (str) – The name of the certificate in the given vault.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the latest version of a certificate
certificate = await certificate_client.get_certificate(name=cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

async get_certificate_operation(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateOperation

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The created CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

async get_certificate_version(name: str, version: str, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Gets a specific version of a certificate without returning its management policy.

If you wish to get the latest version of your certificate, or to get the certificate’s policy as well, use the get_certificate function.

Parameters
  • name (str) – The name of the certificate in the given vault.

  • version (str) – The version of the certificate.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

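Get a specific version of a certificate

# get a specific version of a certificate; `version` is the version string,
# for example certificate.properties.version from an earlier get_certificate call
certificate = await certificate_client.get_certificate_version(name=cert_name, version=version)

# the management policy is not returned for a specific version
print(certificate.id)
print(certificate.name)
print(certificate.properties.version)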

async get_contacts(**kwargs: Any) → List[azure.keyvault.certificates.models.CertificateContact]

Gets the certificate contacts for the key vault.

Returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

Returns

The certificate contacts for the key vault.

Return type

list[azure.keyvault.certificates.models.CertificateContact]

Raises

HttpResponseError

Example

Get contacts

contacts = await certificate_client.get_contacts()

# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

async get_deleted_certificate(name: str, **kwargs: Any) → azure.keyvault.certificates.models.DeletedCertificate

Retrieves information about the specified deleted certificate.

Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a deleted certificate

# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = await certificate_client.get_deleted_certificate(name="cert-name")
print(deleted_certificate.name)

async get_issuer(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateIssuer

Gets the specified certificate issuer.

Returns the specified certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The specified certificate issuer.

Return type

CertificateIssuer

Raises

ResourceNotFoundError if the issuer doesn’t exist, HttpResponseError for other errors

Example

Get an issuer

issuer = await certificate_client.get_issuer(name="issuer1")

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async get_policy(certificate_name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificatePolicy

Gets the policy for a certificate.

Returns the specified certificate policy resources in the key vault. This operation requires the certificates/get permission.

Parameters

certificate_name (str) – The name of the certificate in a given key vault.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

async import_certificate(name: str, certificate_bytes: bytes, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

Parameters
  • name (str) – The name of the certificate.

  • certificate_bytes (bytes) – Bytes of the certificate object to import. This certificate needs to contain the private key.

Returns

The imported KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

  • password (str) - If the private key in the passed-in certificate is encrypted, this is the password used for encryption.

  • policy (~azure.keyvault.certificates.models.CertificatePolicy) - The management policy for the certificate.
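A pre-flight check for the import requirements described above, as an added example that is not part of the SDK or of the original page: it confirms that a PEM bundle carries both a private key and at least one x509 certificate, and that a password is supplied for an encrypted key, before import_certificate is called. The names inspect_certificate_bytes, preflight, checked_import and pem_block are hypothetical, the sample PEM blocks are constructed filler rather than real key material, and a PFX input is only recognised by its DER header, not parsed.

```python
import base64
import re

# One PEM block: label in group 1, body (base64 plus optional headers) in group 2.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY", b"ENCRYPTED PRIVATE KEY"}


class ImportPreflightError(ValueError):
    """The bytes cannot meet the documented requirements of import_certificate."""


def inspect_certificate_bytes(data: bytes) -> dict:
    """Classify the input as PEM or PFX and summarise what a PEM bundle holds."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # A PFX (PKCS#12) file is DER-encoded, so it opens with an ASN.1 SEQUENCE tag.
        if data[:1] == b"\x30":
            return {"format": "pfx", "certificates": None, "has_key": None, "key_encrypted": None}
        raise ImportPreflightError("input is neither PEM nor a DER-encoded PFX")

    certificates, has_key, key_encrypted = 0, False, False
    for label, body in blocks:
        # Legacy encrypted keys carry RFC 1421 headers ahead of the base64 body.
        legacy_encrypted = b"Proc-Type: 4,ENCRYPTED" in body
        if not legacy_encrypted:
            try:
                base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError as exc:
                raise ImportPreflightError(f"corrupt base64 in {label.decode()} block") from exc
        if label == b"CERTIFICATE":
            certificates += 1
        elif label in KEY_LABELS:
            has_key = True
            key_encrypted = key_encrypted or legacy_encrypted or label == b"ENCRYPTED PRIVATE KEY"
    return {"format": "pem", "certificates": certificates, "has_key": has_key,
            "key_encrypted": key_encrypted}


def preflight(data: bytes, password=None) -> dict:
    """Raise ImportPreflightError if a PEM input would not satisfy the documented rules."""
    info = inspect_certificate_bytes(data)
    if info["format"] == "pem":
        if info["certificates"] == 0:
            raise ImportPreflightError("PEM input contains no x509 certificate")
        if not info["has_key"]:
            raise ImportPreflightError("PEM input contains no private key")
        if info["key_encrypted"] and password is None:
            raise ImportPreflightError("private key is encrypted but no password was given")
    return info


async def checked_import(client, name: str, data: bytes, password=None):
    """Validate locally, then call import_certificate with the page's documented arguments."""
    preflight(data, password)
    kwargs = {} if password is None else {"password": password}
    return await client.import_certificate(name, data, **kwargs)


def pem_block(label: str, payload: bytes) -> bytes:
    """Build a constructed PEM block; the payload is filler, not real key material."""
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(payload) + b"-----END " + tag + b"-----\n"


# Constructed samples for trying the checks offline.
SAMPLE_CERT = pem_block("CERTIFICATE", b"constructed certificate")
SAMPLE_KEY = pem_block("PRIVATE KEY", b"constructed key")
SAMPLE_ENCRYPTED_KEY = pem_block("ENCRYPTED PRIVATE KEY", b"constructed encrypted key")
```

Because the check runs before any request is sent, a bundle that lacks its key or its password is rejected without the private key material leaving the host.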

list_certificate_versions(name: str, **kwargs: Any) → AsyncIterable[azure.keyvault.certificates.models.CertificateProperties]

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the key vault. This operation requires the certificates/list permission.

Parameters

name (str) – The name of the certificate.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Example

List all versions of a certificate

# get an iterator of all versions of a certificate
certificate_versions = certificate_client.list_certificate_versions(name="cert-name")

async for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)

list_certificates(**kwargs: Any) → AsyncIterable[azure.keyvault.certificates.models.CertificateProperties]

List certificates in the key vault.

The GetCertificates operation returns the set of certificates resources in the key vault. This operation requires the certificates/list permission.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely provisioned.

Example

List all certificates

# list certificates
certificates = certificate_client.list_certificates()

async for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)

list_deleted_certificates(**kwargs: Any) → AsyncIterable[azure.keyvault.certificates.models.DeletedCertificate]

Lists the deleted certificates in the specified vault currently available for recovery.

Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

Returns

An iterator-like instance of DeletedCertificate

Return type

ItemPaged[DeletedCertificate]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely deleted.

Example

List all the deleted certificates

# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()

async for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.scheduled_purge_date)
    print(certificate.recovery_id)
    print(certificate.deleted_date)

list_issuers(**kwargs: Any) → AsyncIterable[azure.keyvault.certificates.models.IssuerProperties]

List certificate issuers for the key vault.

Returns the set of certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Returns

An iterator-like instance of Issuers

Return type

ItemPaged[CertificateIssuer]

Raises

HttpResponseError

Example

List issuers of a vault

issuers = certificate_client.list_issuers()

async for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)

async merge_certificate(name: str, x509_certificates: List[bytearray], **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Merges a certificate or a certificate chain with a key pair existing on the server.

Performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission. When you use create_certificate to create the certificate that will be merged, set its issuer to ‘Unknown’ so that Key Vault knows the certificate will not be signed by an issuer known to it.

Parameters
  • name (str) – The name of the certificate

  • x509_certificates (list[bytearray]) – The certificate or the certificate chain to merge.

Returns

The merged certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

async purge_deleted_certificate(name: str, **kwargs: Any) → None

Permanently deletes the specified deleted certificate.

Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify ‘Purgeable’. This operation requires the certificates/purge permission.

Parameters

name (str) – The name of the certificate

Returns

None

Return type

None

Raises

HttpResponseError

async recover_deleted_certificate(name: str, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Recovers the deleted certificate back to its current version under /certificates.

Performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate’s attributes). This operation requires the certificates/recover permission.

Parameters

name (str) – The name of the deleted certificate

Returns

The recovered certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Recover a deleted certificate

# recover deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = await certificate_client.recover_deleted_certificate(name="cert-name")
print(recovered_certificate.id)
print(recovered_certificate.name)
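A triage routine built on the retention interval described above, as an added example that is not part of the SDK or of the original page: it lists soft-deleted certificates, recovers the ones named in an allow-list while their scheduled purge date is still ahead, and flags the others that are close to purge. The function triage_deleted_certificates, the StubVault class and all certificate names and dates are constructed for illustration; it assumes scheduled_purge_date is a timezone-aware datetime.

```python
import asyncio
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace


async def triage_deleted_certificates(client, wanted, now, warn_within=timedelta(days=7)):
    """Recover the certificates named in `wanted` and flag others that are close to purge.

    `client` needs list_deleted_certificates() and recover_deleted_certificate(name),
    as documented on this page. `now` must be timezone-aware, like the purge dates.
    """
    # Snapshot the listing first so recovery calls do not race the pager.
    deleted = [item async for item in client.list_deleted_certificates()]
    report = {"recovered": [], "expired": [], "expiring": [], "retained": [], "missing": []}

    for item in deleted:
        purge_at = item.scheduled_purge_date
        remaining = None if purge_at is None else purge_at - now
        if item.name in wanted:
            if remaining is not None and remaining <= timedelta(0):
                # The retention interval is over; recovery can no longer be issued.
                report["expired"].append(item.name)
            else:
                await client.recover_deleted_certificate(item.name)
                report["recovered"].append(item.name)
        elif remaining is not None and remaining <= warn_within:
            report["expiring"].append(item.name)
        else:
            report["retained"].append(item.name)

    # Names we wanted back but that are not in the deleted list at all.
    report["missing"] = list(set(wanted) - {item.name for item in deleted})
    return {key: sorted(names) for key, names in report.items()}


class StubVault:
    """Constructed stand-in for CertificateClient so the routine runs offline."""

    def __init__(self, deleted):
        self._deleted = list(deleted)
        self.recovered_names = []

    def list_deleted_certificates(self):
        async def items():
            for item in self._deleted:
                yield item
        return items()

    async def recover_deleted_certificate(self, name):
        self.recovered_names.append(name)


# Constructed sample data: names and dates are illustrative only.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_DELETED = [
    SimpleNamespace(name="api-tls", scheduled_purge_date=NOW + timedelta(days=2)),
    SimpleNamespace(name="legacy-vpn", scheduled_purge_date=NOW - timedelta(days=1)),
    SimpleNamespace(name="batch-signing", scheduled_purge_date=NOW + timedelta(days=4)),
    SimpleNamespace(name="old-demo", scheduled_purge_date=NOW + timedelta(days=80)),
]


def run_constructed_example():
    """Run the triage against the stub and return (report, names recovered)."""
    vault = StubVault(SAMPLE_DELETED)
    wanted = {"api-tls", "legacy-vpn", "mail-gw"}
    report = asyncio.run(triage_deleted_certificates(vault, wanted, NOW))
    return report, vault.recovered_names


if __name__ == "__main__":
    print(run_constructed_example())
```

Against a real vault the caller needs the certificates/get/list and certificates/recover permissions named on this page.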

async restore_certificate_backup(backup: bytes, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Restores a backed up certificate to a vault.

Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.

Parameters

backup (bytes) – The backup blob associated with a certificate bundle.

Returns

The restored KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Restore a certificate backup

# restores a certificate backup
restored_certificate = await certificate_client.restore_certificate_backup(certificate_backup)
print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)

async update_certificate_properties(name: str, version: Optional[str] = None, **kwargs: Any) → azure.keyvault.certificates.models.KeyVaultCertificate

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate’s attributes. This operation requires the certificates/update permission.

Parameters
  • name (str) – The name of the certificate in the given key vault.

  • version (str) – The version of the certificate.

Returns

The updated KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Update a certificate’s attributes

# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = await certificate_client.update_certificate_properties(certificate.name, tags=tags)

print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)

async update_issuer(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateIssuer

Updates the specified certificate issuer.

Performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The updated issuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • provider (str) - The issuer provider.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

async update_policy(certificate_name: str, policy: azure.keyvault.certificates.models.CertificatePolicy, **kwargs: Any) → azure.keyvault.certificates.models.CertificatePolicy

Updates the policy for a certificate.

Set specified members in the certificate policy. Leaves others as null. This operation requires the certificates/update permission.

Parameters
  • certificate_name (str) – The name of the certificate in the given vault.

  • policy (CertificatePolicy) – The policy for the certificate.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

property vault_url

Module contents

class azure.keyvault.certificates.aio.CertificateClient(vault_url: str, credential: TokenCredential, **kwargs: Any)

A high-level asynchronous interface for managing a vault’s certificates.

Parameters
  • vault_url (str) – URL of the vault the client will access

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword arguments
  • api_version: version of the Key Vault API to use. Defaults to the most recent.

  • transport: AsyncHttpTransport to use. Defaults to AioHttpTransport.

Example

Creates a new instance of the Certificate client

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient

# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url, credential)

async backup_certificate(name: str, **kwargs: Any) → bytes

Backs up the specified certificate.

Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.

Parameters

name (str) – The name of the certificate.

Returns

The backup blob containing the backed-up certificate.

Return type

bytes

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate backup

# backup certificate
certificate_backup = await certificate_client.backup_certificate(name=cert_name)

# returns the raw bytes of the backed up certificate
print(certificate_backup)

async cancel_certificate_operation(name: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateOperation

Cancels a certificate operation.

Cancels a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The cancelled certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

async create_certificate(name: str, policy: azure.keyvault.certificates.models.CertificatePolicy, **kwargs: Any) → Union[azure.keyvault.certificates.models.KeyVaultCertificate, azure.keyvault.certificates.models.CertificateOperation]

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

Parameters
  • name (str) – The name of the certificate.

  • policy (CertificatePolicy) – The management policy for the certificate.

Returns

A coroutine for the creation of the certificate. Awaiting the coroutine returns the created KeyVaultCertificate if creation is successful, the CertificateOperation if not.

Return type

KeyVaultCertificate or CertificateOperation

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Create a certificate

from azure.keyvault.certificates import CertificatePolicy, SecretContentType

# specify the certificate policy
cert_policy = CertificatePolicy(
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=SecretContentType.PKCS12,
    issuer_name="Self",
    subject_name="CN=*.microsoft.com",
    validity_in_months=24,
    san_dns_names=["sdk.azure-int.net"],
)
cert_name = "cert-name"
# create a certificate with optional arguments, returns an async poller
create_certificate_poller = certificate_client.create_certificate(name=cert_name, policy=cert_policy)

# awaiting the certificate poller gives us the result of the long running operation
certificate = await create_certificate_poller

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

async create_contacts(contacts: Iterable[azure.keyvault.certificates.models.CertificateContact], **kwargs: Any) → List[azure.keyvault.certificates.models.CertificateContact]

Sets the certificate contacts for the key vault.

Sets the certificate contacts for the key vault. This operation requires the certificates/managecontacts permission.

Parameters

contacts (list[CertificateContact]) – The contact list for the vault certificates.

Returns

The created list of contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Create contacts

from azure.keyvault.certificates import CertificateContact

# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]

contacts = await certificate_client.create_contacts(contacts=contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

async create_issuer(name: str, provider: str, **kwargs: Any) → azure.keyvault.certificates.models.CertificateIssuer

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The created CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

Example

Create an issuer

from azure.keyvault.certificates import AdministratorDetails

# First we specify the AdministratorDetails for an issuer.
admin_details = [
    AdministratorDetails(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]

issuer = await certificate_client.create_issuer(
    name="issuer1", provider="Test", account_id="keyvaultuser", admin_details=admin_details, enabled=True
)

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async delete_certificate(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.DeletedCertificate[source]

Deletes a certificate from the key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Delete a certificate

# delete a certificate
deleted_certificate = await certificate_client.delete_certificate(name=cert_name)

print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's
# scheduled purge date, deleted_date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

async delete_certificate_operation(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificateOperation[source]

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the operation doesn’t exist, HttpResponseError for other errors

async delete_contacts(**kwargs: **Any) → List[azure.keyvault.certificates.models.CertificateContact][source]

Deletes the certificate contacts for the key vault.

Deletes the certificate contacts for the key vault certificate. This operation requires the certificates/managecontacts permission.

Returns

Contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Delete contacts

deleted_contacts = await certificate_client.delete_contacts()

for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)

async delete_issuer(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificateIssuer[source]

Deletes the specified certificate issuer.

Permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Example

Delete an issuer

deleted_issuer = await certificate_client.delete_issuer(name="issuer1")

print(deleted_issuer.name)
print(deleted_issuer.properties.provider)
print(deleted_issuer.account_id)

for admin_detail in deleted_issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async get_certificate(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Gets a certificate with its management policy attached.

This operation requires the certificates/get permission. Does not accept the version of the certificate as a parameter. If you wish to specify version, use the get_certificate_version function and specify the desired version.

Parameters

name (str) – The name of the certificate in the given vault.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the latest version of a certificate
certificate = await certificate_client.get_certificate(name=cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

async get_certificate_operation(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificateOperation[source]

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The created CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

async get_certificate_version(name: str, version: str, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Gets a specific version of a certificate without returning its management policy.

If you wish to get the latest version of your certificate, or to get the certificate’s policy as well, use the get_certificate function.

Parameters
  • name (str) – The name of the certificate in the given vault.

  • version (str) – The version of the certificate.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a specific version of a certificate

# get a specific version of a certificate; cert_version is a placeholder for the version string
certificate = await certificate_client.get_certificate_version(name=cert_name, version=cert_version)

print(certificate.id)
print(certificate.name)
print(certificate.properties.version)

async get_contacts(**kwargs: **Any) → List[azure.keyvault.certificates.models.CertificateContact][source]

Gets the certificate contacts for the key vault.

Returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

Returns

The certificate contacts for the key vault.

Return type

list[azure.keyvault.certificates.models.CertificateContact]

Raises

HttpResponseError

Example

Get contacts

contacts = await certificate_client.get_contacts()

# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

async get_deleted_certificate(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.DeletedCertificate[source]

Retrieves information about the specified deleted certificate.

Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a deleted certificate

# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = await certificate_client.get_deleted_certificate(name="cert-name")
print(deleted_certificate.name)

async get_issuer(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificateIssuer[source]

Gets the specified certificate issuer.

Returns the specified certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The specified certificate issuer.

Return type

CertificateIssuer

Raises

ResourceNotFoundError if the issuer doesn’t exist, HttpResponseError for other errors

Example

Get an issuer

issuer = await certificate_client.get_issuer(name="issuer1")

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

async get_policy(certificate_name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificatePolicy[source]

Gets the policy for a certificate.

Returns the specified certificate policy resources in the key vault. This operation requires the certificates/get permission.

Parameters

certificate_name (str) – The name of the certificate in a given key vault.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

async import_certificate(name: str, certificate_bytes: bytes, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

Parameters
  • name (str) – The name of the certificate.

  • certificate_bytes (bytes) – Bytes of the certificate object to import. This certificate needs to contain the private key.

Returns

The imported KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

  • password (str) - If the private key in the passed in certificate is encrypted, it is the password used for encryption.

  • policy (~azure.keyvault.certificates.models.CertificatePolicy) - The management policy for the certificate.
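
A pre-flight check for the PEM requirement stated above, added here as an example and not part of the SDK or its documentation: it confirms locally that a bundle carries a private key and at least one X.509 certificate, and that a password is supplied for an encrypted key, before calling import_certificate. The names inspect_pem, import_checked, FakeImportClient and try_import, and the sample bundles, are constructed for illustration.

```python
import asyncio
import re

# Label of every PEM "BEGIN" line, e.g. CERTIFICATE or ENCRYPTED PRIVATE KEY.
_PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def inspect_pem(data: bytes) -> dict:
    """Summarise what a PEM bundle contains (hypothetical helper)."""
    labels = [m.decode("ascii") for m in _PEM_BEGIN.findall(data)]
    key_labels = [label for label in labels if label.endswith("PRIVATE KEY")]
    encrypted = (
        "ENCRYPTED PRIVATE KEY" in key_labels   # PKCS#8 encrypted key
        or b"Proc-Type: 4,ENCRYPTED" in data    # legacy OpenSSL encrypted key
    )
    return {
        "is_pem": bool(labels),
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": len(key_labels),
        "encrypted_key": encrypted,
    }


async def import_checked(client, name, data, password=None, **kwargs):
    """Validate a PEM bundle locally, then call client.import_certificate."""
    info = inspect_pem(data)
    if info["is_pem"]:
        if info["private_keys"] == 0:
            raise ValueError("PEM bundle has no private key")
        if info["certificates"] == 0:
            raise ValueError("PEM bundle has no X.509 certificate")
        if info["encrypted_key"] and not password:
            raise ValueError("private key is encrypted; supply password")
    # Input without PEM markers is assumed to be PFX and is not inspected here.
    if password is not None:
        kwargs["password"] = password
    return await client.import_certificate(name=name, certificate_bytes=data, **kwargs)


class FakeImportClient:
    """Constructed stand-in for CertificateClient; records what was sent."""

    def __init__(self):
        self.calls = []

    async def import_certificate(self, name, certificate_bytes, **kwargs):
        self.calls.append((name, sorted(kwargs)))
        return name


# Constructed samples: the base64 bodies are placeholders, not key material.
CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
ENC_KEY = KEY.replace(b"PRIVATE KEY", b"ENCRYPTED PRIVATE KEY")


def try_import(data, password=None):
    """Return the import result, or the validation error message."""
    client = FakeImportClient()
    try:
        return asyncio.run(import_checked(client, "web-tls", data, password))
    except ValueError as err:
        return str(err)
```

Against a real vault, pass a CertificateClient instead of FakeImportClient; the check only inspects PEM block labels and does not parse or verify the key material itself.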

list_certificate_versions(name: str, **kwargs: **Any) → AsyncIterable[azure.keyvault.certificates.models.CertificateProperties][source]

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the key vault. This operation requires the certificates/list permission.

Parameters

name (str) – The name of the certificate.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Example

List all versions of a certificate

# get an iterator of all versions of a certificate
certificate_versions = certificate_client.list_certificate_versions(name="cert-name")

async for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)

list_certificates(**kwargs: **Any) → AsyncIterable[azure.keyvault.certificates.models.CertificateProperties][source]

List certificates in the key vault.

The GetCertificates operation returns the set of certificates resources in the key vault. This operation requires the certificates/list permission.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely provisioned.

Example

List all certificates

# list certificates
certificates = certificate_client.list_certificates()

async for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)

list_deleted_certificates(**kwargs: **Any) → AsyncIterable[azure.keyvault.certificates.models.DeletedCertificate][source]

Lists the deleted certificates in the specified vault currently available for recovery.

Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

Returns

An iterator-like instance of DeletedCertificate

Return type

ItemPaged[DeletedCertificate]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely deleted.

Example

List all the deleted certificates

# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()

async for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.scheduled_purge_date)
    print(certificate.recovery_id)
    print(certificate.deleted_date)

list_issuers(**kwargs: **Any) → AsyncIterable[azure.keyvault.certificates.models.IssuerProperties][source]

List certificate issuers for the key vault.

Returns the set of certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Returns

An iterator-like instance of Issuers

Return type

ItemPaged[CertificateIssuer]

Raises

HttpResponseError

Example

List issuers of a vault

issuers = certificate_client.list_issuers()

async for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)

async merge_certificate(name: str, x509_certificates: List[bytearray], **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Merges a certificate or a certificate chain with a key pair existing on the server.

Performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission. When you create the certificate to merge with create_certificate, set its issuer to ‘Unknown’ so that Key Vault knows the certificate will not be signed by an issuer known to it.

Parameters
  • name (str) – The name of the certificate

  • x509_certificates (list[bytearray]) – The certificate or the certificate chain to merge.

Returns

The merged certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

async purge_deleted_certificate(name: str, **kwargs: **Any) → None[source]

Permanently deletes the specified deleted certificate.

Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify ‘Purgeable’. This operation requires the certificates/purge permission.

Parameters

name (str) – The name of the certificate

Returns

None

Return type

None

Raises

HttpResponseError

async recover_deleted_certificate(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Recovers the deleted certificate back to its current version under /certificates.

Performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate’s attributes). This operation requires the certificates/recover permission.

Parameters

name (str) – The name of the deleted certificate

Returns

The recovered certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Recover a deleted certificate

# recover deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = await certificate_client.recover_deleted_certificate(name="cert-name")
print(recovered_certificate.id)
print(recovered_certificate.name)
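
Because recovery must be issued during the retention interval, the following added example (not part of the SDK or its documentation) combines list_deleted_certificates and recover_deleted_certificate: it recovers soft-deleted certificates that are still needed and are close to their scheduled purge date, and reports the rest. The names rescue_before_purge, FakeDeletedStore and demo and the sample data are constructed; the code assumes scheduled_purge_date is a timezone-aware datetime.

```python
import asyncio
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace


async def rescue_before_purge(client, keep_names, within_days=7, now=None):
    """Recover soft-deleted certificates in keep_names that are close to purge.

    Returns (recovered, unclaimed): names recovered, and names nearing purge
    that nobody listed as still needed. Hypothetical helper, not an SDK call.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    recovered, unclaimed = [], []
    async for deleted in client.list_deleted_certificates():
        purge_on = deleted.scheduled_purge_date
        if purge_on is None or purge_on > cutoff:
            continue  # not scheduled for purge inside the window
        if deleted.name in keep_names:
            await client.recover_deleted_certificate(name=deleted.name)
            recovered.append(deleted.name)
        else:
            unclaimed.append(deleted.name)
    return sorted(recovered), sorted(unclaimed)


class FakeDeletedStore:
    """Constructed stand-in for CertificateClient so the example runs offline."""

    def __init__(self, deleted):
        self.deleted = list(deleted)
        self.recover_calls = []

    async def list_deleted_certificates(self):
        for item in self.deleted:
            yield item

    async def recover_deleted_certificate(self, name):
        self.recover_calls.append(name)
        return SimpleNamespace(name=name)


# Constructed sample data: three soft-deleted certificates.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE = [
    SimpleNamespace(name="api-tls", scheduled_purge_date=NOW + timedelta(days=2)),
    SimpleNamespace(name="old-test", scheduled_purge_date=NOW + timedelta(days=5)),
    SimpleNamespace(name="batch-tls", scheduled_purge_date=NOW + timedelta(days=60)),
]


def demo():
    """Run the check over the constructed sample with a 7-day window."""
    store = FakeDeletedStore(SAMPLE)
    result = asyncio.run(rescue_before_purge(store, {"api-tls", "batch-tls"}, now=NOW))
    return result, store.recover_calls


if __name__ == "__main__":
    print(demo())
```

The unclaimed list is the review queue: those certificates will be purged on schedule unless someone adds them to keep_names.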

async restore_certificate_backup(backup: bytes, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Restores a backed up certificate to a vault.

Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.

Parameters

backup (bytes) – The backup blob associated with a certificate bundle.

Returns

The restored KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Restore a certificate backup

# restores a certificate backup
restored_certificate = await certificate_client.restore_certificate_backup(certificate_backup)
print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)

async update_certificate_properties(name: str, version: Optional[str] = None, **kwargs: **Any) → azure.keyvault.certificates.models.KeyVaultCertificate[source]

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate’s attributes. This operation requires the certificates/update permission.

Parameters
  • name (str) – The name of the certificate in the given key vault.

  • version (str) – The version of the certificate.

Returns

The updated KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Update a certificate’s attributes

# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = await certificate_client.update_certificate_properties(certificate.name, tags=tags)

print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)

async update_issuer(name: str, **kwargs: **Any) → azure.keyvault.certificates.models.CertificateIssuer[source]

Updates the specified certificate issuer.

Performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The updated issuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • provider (str) - The issuer provider.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

async update_policy(certificate_name: str, policy: azure.keyvault.certificates.models.CertificatePolicy, **kwargs: **Any) → azure.keyvault.certificates.models.CertificatePolicy[source]

Updates the policy for a certificate.

Set specified members in the certificate policy. Leaves others as null. This operation requires the certificates/update permission.

Parameters
  • certificate_name (str) – The name of the certificate in the given vault.

  • policy (CertificatePolicy) – The policy for the certificate.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

property vault_url