azure.keyvault.certificates package

Submodules

azure.keyvault.certificates.client module

class azure.keyvault.certificates.client.CertificateClient(vault_url, credential, **kwargs)[source]

A high-level interface for managing a vault’s certificates.

Parameters
  • vault_url (str) – URL of the vault the client will access

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity

Keyword arguments
  • api_version: version of the Key Vault API to use. Defaults to the most recent.

  • transport: HttpTransport to use. Defaults to RequestsTransport.

Example

Create a new CertificateClient

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url, credential)

backup_certificate(name, **kwargs)[source]

Backs up the specified certificate.

Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.

Parameters

name (str) – The name of the certificate.

Returns

the backup blob containing the backed up certificate.

Return type

bytes

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate backup

# backup certificate
certificate_backup = certificate_client.backup_certificate(name=cert_name)

# returns the raw bytes of the backed up certificate
print(certificate_backup)

begin_create_certificate(name, policy, **kwargs)[source]

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

Parameters
  • name (str) – The name of the certificate.

  • policy (CertificatePolicy) – The management policy for the certificate.

Returns

An LROPoller for the create certificate operation. Waiting on the poller gives you the certificate if creation is successful, the CertificateOperation if not.

Return type

LROPoller[KeyVaultCertificate or CertificateOperation]

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Create a certificate

from azure.keyvault.certificates import CertificatePolicy, SecretContentType

# specify the certificate policy
cert_policy = CertificatePolicy(
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=SecretContentType.PKCS12,
    issuer_name="Self",
    subject_name="CN=*.microsoft.com",
    validity_in_months=24,
    san_dns_names=["sdk.azure-int.net"],
)

cert_name = "cert-name"
# create a certificate with optional arguments, returns a long running operation poller
certificate_operation_poller = certificate_client.begin_create_certificate(name=cert_name, policy=cert_policy)

# Here we wait for the certificate creation operation to complete
certificate = certificate_operation_poller.result()

# The final status of the long-running operation is available from the poller without waiting again
print(certificate_operation_poller.status())

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

cancel_certificate_operation(name, **kwargs)[source]

Cancels a certificate operation.

Cancels a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The cancelled certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

create_contacts(contacts, **kwargs)[source]

Sets the certificate contacts for the key vault.

Sets the certificate contacts for the key vault. This operation requires the certificates/managecontacts permission.

Parameters

contacts (list[CertificateContact]) – The contact list for the vault certificates.

Returns

The created list of contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Create contacts

# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]

contacts = certificate_client.create_contacts(contacts=contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

create_issuer(name, provider, **kwargs)[source]

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The created CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

Example

Create an issuer

# First we specify the AdministratorDetails for a issuer.
admin_details = [
    AdministratorDetails(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]

issuer = certificate_client.create_issuer(
    name="issuer1", provider="Test", account_id="keyvaultuser", admin_details=admin_details, enabled=True
)

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

delete_certificate(name, **kwargs)[source]

Deletes a certificate from the key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Delete a certificate

# delete a certificate
deleted_certificate = certificate_client.delete_certificate(name=certificate.name)

print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

delete_certificate_operation(name, **kwargs)[source]

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted CertificateOperation

Return type

CertificateOperation

Raises

HttpResponseError

delete_contacts(**kwargs)[source]

Deletes the certificate contacts for the key vault.

Deletes the certificate contacts for the key vault certificate. This operation requires the certificates/managecontacts permission.

Returns

Contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Delete contacts

deleted_contacts = certificate_client.delete_contacts()

for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)

delete_issuer(name, **kwargs)[source]

Deletes the specified certificate issuer.

Permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Example

Delete an issuer

deleted_issuer = certificate_client.delete_issuer(name="issuer1")

print(deleted_issuer.name)
print(deleted_issuer.properties.provider)
print(deleted_issuer.account_id)

for admin_detail in deleted_issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

get_certificate(name, **kwargs)[source]

Gets a certificate with its management policy attached.

This operation requires the certificates/get permission. Does not accept the version of the certificate as a parameter. If you wish to specify version, use the get_certificate_version function and specify the desired version.

Parameters

name (str) – The name of the certificate in the given vault.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the certificate
certificate = certificate_client.get_certificate(name=cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

get_certificate_operation(name, **kwargs)[source]

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The created CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

get_certificate_version(name, version, **kwargs)[source]

Gets a specific version of a certificate without returning its management policy.

If you wish to get the latest version of your certificate, or to get the certificate’s policy as well, use the get_certificate function.

Parameters
  • name (str) – The name of the certificate in the given vault.

  • version (str) – The version of the certificate.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a specific version of a certificate

# get a specific version of the certificate; this reuses `certificate` from the
# get_certificate example above, whose properties.version names that version
certificate_version = certificate_client.get_certificate_version(
    name=cert_name, version=certificate.properties.version
)

# the policy is not attached to a version; read the properties instead
print(certificate_version.id)
print(certificate_version.name)
print(certificate_version.properties.version)

get_contacts(**kwargs)[source]

Gets the certificate contacts for the key vault.

Returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

Returns

The certificate contacts for the key vault.

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Get contacts

contacts = certificate_client.get_contacts()

# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

get_deleted_certificate(name, **kwargs)[source]

Retrieves information about the specified deleted certificate.

Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a deleted certificate

# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = certificate_client.get_deleted_certificate(name=cert_name)
print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

get_issuer(name, **kwargs)[source]

Gets the specified certificate issuer.

Returns the specified certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The specified certificate issuer.

Return type

CertificateIssuer

Raises

ResourceNotFoundError if the issuer doesn’t exist, HttpResponseError for other errors

Example

Get an issuer

issuer = certificate_client.get_issuer(name="issuer1")

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

get_policy(certificate_name, **kwargs)[source]

Gets the policy for a certificate.

Returns the specified certificate policy resources in the key vault. This operation requires the certificates/get permission.

Parameters

certificate_name (str) – The name of the certificate in a given key vault.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

import_certificate(name, certificate_bytes, **kwargs)[source]

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

Parameters
  • name (str) – The name of the certificate.

  • certificate_bytes (bytes) – Bytes of the certificate object to import. This certificate needs to contain the private key.

Returns

The imported KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

  • password (str) - If the private key in the passed in certificate is encrypted, it is the password used for encryption.

  • policy (~azure.keyvault.certificates.models.CertificatePolicy) - The management policy for the certificate

list_certificate_versions(name, **kwargs)[source]

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the key vault. This operation requires the certificates/list permission.

Parameters

name (str) – The name of the certificate.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Example

List all versions of a certificate

# get an iterator of a certificate's versions
certificate_versions = certificate_client.list_certificate_versions(name="certificate-name")

for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)

list_certificates(**kwargs)[source]

List certificates in the key vault.

The GetCertificates operation returns the set of certificates resources in the key vault. This operation requires the certificates/list permission.

Returns

An iterator-like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely provisioned.

Example

List all certificates

# get an iterator of certificates
certificates = certificate_client.list_certificates()

for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)

list_deleted_certificates(**kwargs)[source]

Lists the deleted certificates in the specified vault currently available for recovery.

Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

Returns

An iterator-like instance of DeletedCertificate

Return type

ItemPaged[DeletedCertificate]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely deleted.

Example

List all the deleted certificates

# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()

for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.deleted_date)
    print(certificate.scheduled_purge_date)
    print(certificate.recovery_id)

list_issuers(**kwargs)[source]

List certificate issuers for the key vault.

Returns the set of certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Returns

An iterator-like instance of CertificateIssuer

Return type

ItemPaged[CertificateIssuer]

Raises

HttpResponseError

Example

List issuers of a vault

issuers = certificate_client.list_issuers()

for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)

merge_certificate(name, x509_certificates, **kwargs)[source]

Merges a certificate or a certificate chain with a key pair existing on the server.

Performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission. Make sure when creating the certificate to merge using begin_create_certificate that you set its issuer to ‘Unknown’. This way Key Vault knows that the certificate will not be signed by an issuer known to it.

Parameters
  • name (str) – The name of the certificate

  • x509_certificates (list[bytearray]) – The certificate or the certificate chain to merge.

Returns

The merged certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.
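The issuer 'Unknown' flow described above has a client-side half that the docstring leaves implicit: Key Vault keeps the private key and exposes the CSR on the CertificateOperation (as DER bytes), an external CA signs it, and merge_certificate installs the returned chain. The following is an added example, not code from the azure-keyvault-certificates package: it converts the CSR to PEM for the CA, converts the CA's PEM bundle back into the DER list that merge_certificate takes (an assumption, matching the REST x5c encoding), refuses to upload anything that is not a certificate, and drives both steps through a duck-typed client. The StandInClient, the EXAMPLE_POLICY object and the *_DER byte strings are constructed stand-ins so it runs offline; against a real vault you pass a CertificateClient and a CertificatePolicy with issuer_name="Unknown".

```python
# Added example, not part of azure-keyvault-certificates: the client-side plumbing for
# the issuer_name='Unknown' flow, in which Key Vault keeps the private key, an external
# CA signs the CSR, and merge_certificate installs the result. The client is passed in
# (duck-typed) so the flow can be run offline against the constructed StandInClient
# below; it assumes merge_certificate takes DER-encoded certificates, the same
# encoding as the REST x5c field.
import base64
import re
from types import SimpleNamespace

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_to_pem(der, label):
    """Encode DER bytes as one PEM block with 64-column base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def csr_to_pem(csr_der):
    """CertificateOperation.csr is DER; external CAs usually want a PEM request."""
    return der_to_pem(csr_der, "CERTIFICATE REQUEST")


def pem_chain_to_der_list(pem_bundle):
    """Split a PEM bundle into DER certificates in bundle order (leaf first, then the
    intermediates). Any block that is not a CERTIFICATE is rejected, so a private key
    pasted into the bundle is never uploaded to the vault."""
    ders = []
    for label, body in _PEM_BLOCK.findall(pem_bundle):
        if label != "CERTIFICATE":
            raise ValueError("refusing to merge a %s block" % label)
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE blocks in bundle")
    return ders


def request_external_signing(client, name, policy):
    """Step 1: create the certificate with issuer 'Unknown' and return its CSR as PEM.
    The poller is deliberately not waited on: with an unknown issuer the operation
    stays in progress until the signed chain is merged (assumption about the service)."""
    if getattr(policy, "issuer_name", None) != "Unknown":
        raise ValueError("policy.issuer_name must be 'Unknown' for external signing")
    client.begin_create_certificate(name=name, policy=policy)
    operation = client.get_certificate_operation(name=name)
    return csr_to_pem(operation.csr)


def complete_external_signing(client, name, pem_bundle):
    """Step 2: merge the CA-issued chain onto the key pair Key Vault generated."""
    return client.merge_certificate(name=name, x509_certificates=pem_chain_to_der_list(pem_bundle))


class StandInClient:
    """Constructed stand-in exposing the three CertificateClient methods used above."""
    def __init__(self, csr_der):
        self.csr_der, self.merged = csr_der, None

    def begin_create_certificate(self, name, policy):
        return None                     # a real client returns an LROPoller

    def get_certificate_operation(self, name):
        return SimpleNamespace(csr=self.csr_der, status="inProgress", issuer_name="Unknown")

    def merge_certificate(self, name, x509_certificates):
        self.merged = (name, list(x509_certificates))
        return SimpleNamespace(name=name)


# Constructed byte strings standing in for DER objects; not real X.509 structures.
CSR_DER = b"\x30\x05\x02\x01\x01\x05\x00"
LEAF_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
INTERMEDIATE_DER = b"\x30\x03\x02\x01\x7f"
EXAMPLE_POLICY = SimpleNamespace(issuer_name="Unknown")   # stand-in for CertificatePolicy


def run_example(name="ext-signed"):
    """Drive both steps against StandInClient and return what was sent to the vault."""
    client = StandInClient(CSR_DER)
    csr_pem = request_external_signing(client, name, EXAMPLE_POLICY)
    bundle = der_to_pem(LEAF_DER, "CERTIFICATE") + der_to_pem(INTERMEDIATE_DER, "CERTIFICATE")
    complete_external_signing(client, name, bundle)
    return csr_pem, client.merged


if __name__ == "__main__":
    csr_pem, merged = run_example()
    print(csr_pem)
    print(merged)
```

The refusal to decode anything but CERTIFICATE blocks is the point of the bundle parser: CA portals and ops scripts routinely hand back a file that also contains a key, and a merge request is the wrong place for one, since the whole reason for this flow is that the private key never leaves the vault.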

purge_deleted_certificate(name, **kwargs)[source]

Permanently deletes the specified deleted certificate.

Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify ‘Purgeable’. This operation requires the certificates/purge permission.

Parameters

name (str) – The name of the certificate

Returns

None

Return type

None

Raises

HttpResponseError

recover_deleted_certificate(name, **kwargs)[source]

Recovers the deleted certificate back to its current version under /certificates.

Performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate’s attributes). This operation requires the certificates/recover permission.

Parameters

name (str) – The name of the deleted certificate

Returns

The recovered certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Recover a deleted certificate

# recover a deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = certificate_client.recover_deleted_certificate(name=cert_name)

print(recovered_certificate.id)
print(recovered_certificate.name)

restore_certificate_backup(backup, **kwargs)[source]

Restores a backed up certificate to a vault.

Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.

Parameters

backup (bytes) – The backup blob associated with a certificate bundle.

Returns

The restored KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Restore a certificate backup

# restore a certificate backup
restored_certificate = certificate_client.restore_certificate_backup(backup=certificate_backup)

print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)

update_certificate_properties(name, version=None, **kwargs)[source]

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate’s attributes. This operation requires the certificates/update permission.

Parameters
  • name (str) – The name of the certificate in the given key vault.

  • version (str) – The version of the certificate.

Returns

The updated KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Update a certificate’s attributes

# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = certificate_client.update_certificate_properties(name=certificate.name, tags=tags)

print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)

update_issuer(name, **kwargs)[source]

Updates the specified certificate issuer.

Performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The updated issuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • provider (str) - The issuer provider.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

update_policy(certificate_name, policy, **kwargs)[source]

Updates the policy for a certificate.

Sets the specified members of the certificate policy and leaves the others as null. This operation requires the certificates/update permission.

Parameters
  • certificate_name (str) – The name of the certificate in the given vault.

  • policy (CertificatePolicy) – The policy for the certificate.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

property vault_url

azure.keyvault.certificates.enums module

class azure.keyvault.certificates.enums.CertificatePolicyAction[source]

The supported action types for the lifetime of a certificate

auto_renew = 'AutoRenew'
email_contacts = 'EmailContacts'
class azure.keyvault.certificates.enums.KeyCurveName[source]

Supported elliptic curves

p_256 = 'P-256'

The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

p_256_k = 'P-256K'

The SECG SECP256K1 elliptic curve.

p_384 = 'P-384'

The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

p_521 = 'P-521'

The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

class azure.keyvault.certificates.enums.KeyType[source]

Supported key types

ec = 'EC'

Elliptic Curve

ec_hsm = 'EC-HSM'

Elliptic Curve with a private key which is not exportable from the HSM

oct = 'oct'

Octet sequence (used to represent symmetric keys)

rsa = 'RSA'

RSA (https://tools.ietf.org/html/rfc3447)

rsa_hsm = 'RSA-HSM'

RSA with a private key which is not exportable from the HSM

class azure.keyvault.certificates.enums.KeyUsageType[source]

The supported types of key usages

crl_sign = 'cRLSign'
data_encipherment = 'dataEncipherment'
decipher_only = 'decipherOnly'
digital_signature = 'digitalSignature'
encipher_only = 'encipherOnly'
key_agreement = 'keyAgreement'
key_cert_sign = 'keyCertSign'
key_encipherment = 'keyEncipherment'
non_repudiation = 'nonRepudiation'
class azure.keyvault.certificates.enums.SecretContentType[source]

Content type of the secrets as specified in Certificate Policy

PEM = 'application/x-pem-file'
PKCS12 = 'application/x-pkcs12'

azure.keyvault.certificates.models module

class azure.keyvault.certificates.models.AdministratorDetails(first_name=None, last_name=None, email=None, phone=None)[source]

Details of the organization administrator of the certificate issuer.

Parameters
  • first_name (str) – First name of the administrator.

  • last_name (str) – Last name of the administrator.

  • email (str) – Email address of the administrator.

  • phone (str) – Phone number of the administrator.

property email

Return type

str

property first_name

Return type

str

property last_name

Return type

str

property phone

Return type

str

class azure.keyvault.certificates.models.CertificateContact(email=None, name=None, phone=None)[source]

The contact information for the vault certificates.

Parameters
  • email (str) – Email address of a contact for the certificate.

  • name (str) – Name of a contact for the certificate.

  • phone (str) – phone number of a contact for the certificate.

property email

Return type

str

property name

Return type

str

property phone

Return type

str

class azure.keyvault.certificates.models.CertificateError(code, message, inner_error)[source]

The key vault server error.

Parameters
  • code (str) – The error code.

  • message (str) – The error message.

  • inner_error (CertificateError) – The error object itself

property code

The error code.

Return type

str

property inner_error

The error itself

Return type

CertificateError

property message

The error message.

Return type

str

class azure.keyvault.certificates.models.CertificateIssuer(properties=None, attributes=None, account_id=None, password=None, organization_id=None, admin_details=None)[source]

The issuer for a Key Vault certificate.

Parameters
  • properties (IssuerProperties) – The issuer’s properties

  • account_id (str) – The username / account name / account id.

  • password (str) – The password / secret / account key.

  • organization_id (str) – The ID of the organization.

  • admin_details (list[AdministratorDetails]) – Details of the organization administrator.

property account_id

The username/ account name/ account id.

Return type

str

property admin_details

Details of the organization administrator of this issuer.

Return type

list[AdministratorDetails]

property created_on

The datetime when the issuer was created.

Return type

datetime

property enabled

Whether the issuer is enabled or not.

Return type

bool

property id

Return type

str

property name

Return type

str

property organization_id

Return type

str

property password

The password / secret / account key.

Return type

str

property properties

The properties of the issuer.

Return type

IssuerProperties

property updated_on

The datetime when the issuer was last updated.

Return type

datetime

class azure.keyvault.certificates.models.CertificateOperation(cert_operation_id=None, issuer_name=None, certificate_type=None, certificate_transparency=False, csr=None, cancellation_requested=False, status=None, status_details=None, error=None, target=None, request_id=None)[source]

A certificate operation is returned in case of asynchronous requests.

Parameters
  • cert_operation_id (str) – The certificate id.

  • issuer_name (str) – Name of the operation’s issuer object or reserved names; for example, ‘Self’ or ‘Unknown’

  • certificate_type (str) – Type of certificate requested from the issuer provider.

  • certificate_transparency (bool) – Indicates if the certificate this operation is running for is published to certificate transparency logs.

  • csr (bytearray) – The certificate signing request (CSR) that is being used in the certificate operation.

  • cancellation_requested (bool) – Indicates if cancellation was requested on the certificate operation.

  • status (str) – Status of the certificate operation.

  • status_details (str) – The status details of the certificate operation

  • error (CertificateError) – Error encountered, if any, during the certificate operation.

  • target (str) – Location which contains the result of the certificate operation.

  • request_id (str) – Identifier for the certificate operation.

property cancellation_requested

Whether cancellation was requested on the certificate operation.

Return type

bool

property certificate_transparency

Whether certificates generated under this policy should be published to certificate transparency logs.

Return type

bool

property certificate_type

Type of certificate to be requested from the issuer provider.

Return type

str

property csr

The certificate signing request that is being used in this certificate operation.

Return type

bytes

property error

Error encountered, if any, during the certificate operation.

Return type

CertificateError

property id

Return type

str

property issuer_name

The name of the issuer of the certificate.

Return type

str

property name

Return type

str

property request_id

Identifier for the certificate operation.

Return type

str

property status

Status of the certificate operation.

Return type

str

property status_details

The status details of the certificate operation.

Return type

str

property target

Location which contains the result of the certificate operation.

Return type

str

class azure.keyvault.certificates.models.CertificatePolicy(issuer_name, subject_name, exportable=None, key_type=None, key_size=None, reuse_key=None, curve=None, ekus=None, key_usage=None, content_type=None, validity_in_months=None, lifetime_actions=None, certificate_type=None, certificate_transparency=None, **kwargs)[source]

Management policy for a certificate.

Parameters
  • exportable (bool) – Indicates if the private key can be exported.

  • key_type (str or KeyType) – The type of key pair to be used for the certificate. For valid values, see KeyType.

  • key_size (int) – The key size in bits. For example: 2048, 3072, or 4096 for RSA.

  • reuse_key (bool) – Indicates if the same key pair will be used on certificate renewal.

  • curve (str or KeyCurveName) – Elliptic curve name. For valid values, see KeyCurveName.

  • ekus (list[str]) – The enhanced key usages.

  • key_usage (list[str or KeyUsageType]) – List of key usages.

  • content_type (SecretContentType or str) – The media type (MIME type) of the secret backing the certificate. For valid values, see SecretContentType.

  • subject_name (str) – The subject name of the certificate. Should be a valid X509 distinguished name.

  • validity_in_months (int) – The duration that the certificate is valid in months.

  • lifetime_actions (Iterable[LifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a certificate

  • issuer_name (str) – Name of the referenced issuer object or reserved names; for example, ‘Self’ or ‘Unknown’

  • certificate_type (str) – Type of certificate to be requested from the issuer provider.

  • certificate_transparency (bool) – Indicates if the certificates generated under this policy should be published to certificate transparency logs.

Keyword arguments
  • san_emails (Iterable[str]) - Subject alternative emails of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

  • san_dns_names (Iterable[str]) - Subject alternative DNS names of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

  • san_upns (Iterable[str]) - Subject alternative user principal names of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

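The parameter list above is what a reviewer has to sign off on before begin_create_certificate is called. The following added example (not part of the SDK or its documentation) runs a baseline review over a policy expressed as a plain dict keyed by the constructor parameter names, so it runs without the SDK installed; the RSA_MIN_BITS and MAX_VALIDITY_MONTHS thresholds are this example's own assumptions, and it enforces the documented rule that only one of san_emails, san_dns_names and san_upns may be set.

```python
"""Baseline review of CertificatePolicy settings before they are sent to Key Vault.

Added example: the policy is a plain dict keyed by the constructor parameter names
(an assumption so the check runs offline); thresholds are this example's own baseline.
"""

RSA_MIN_BITS = 2048            # assumed baseline minimum for RSA keys
MAX_VALIDITY_MONTHS = 24       # assumed baseline maximum validity
SAN_FIELDS = ("san_emails", "san_dns_names", "san_upns")


def review_policy(policy):
    """Return a list of (severity, message) findings for a policy dict."""
    findings = []

    # Documented constraint: only one of the three SAN kinds may be set.
    san_set = [f for f in SAN_FIELDS if policy.get(f)]
    if len(san_set) > 1:
        findings.append(("error", f"only one of {', '.join(SAN_FIELDS)} may be set, got {san_set}"))

    key_type = str(policy.get("key_type") or "")
    if key_type.upper().startswith("RSA"):
        size = policy.get("key_size") or 0
        if size < RSA_MIN_BITS:
            findings.append(("error", f"RSA key_size {size} is below the {RSA_MIN_BITS}-bit baseline"))
    elif key_type.upper().startswith("EC"):
        if not policy.get("curve"):
            findings.append(("warning", "EC key_type without an explicit curve"))
    else:
        findings.append(("error", f"unknown or missing key_type {key_type!r}"))

    if policy.get("exportable"):
        findings.append(("warning", "exportable=True: the private key can leave the vault"))

    if policy.get("reuse_key"):
        findings.append(("warning", "reuse_key=True: renewals keep the same key pair"))

    validity = policy.get("validity_in_months") or 0
    if validity < 1:
        findings.append(("error", "validity_in_months must be at least 1"))
    elif validity > MAX_VALIDITY_MONTHS:
        findings.append(("warning", f"validity_in_months {validity} exceeds the {MAX_VALIDITY_MONTHS}-month baseline"))

    if not policy.get("lifetime_actions"):
        findings.append(("warning", "no lifetime_actions: nothing will renew or notify before expiry"))

    if policy.get("issuer_name") == "Self":
        findings.append(("info", "issuer_name='Self': certificate will be self-signed"))

    subject = policy.get("subject_name") or ""
    if "=" not in subject:
        findings.append(("warning", f"subject_name {subject!r} does not look like a distinguished name"))

    return findings


# Constructed samples: the weak policy sets two SAN kinds, a 1024-bit key and no renewal action.
WEAK_POLICY = {
    "issuer_name": "Self", "subject_name": "CN=example.test",
    "exportable": True, "key_type": "RSA", "key_size": 1024,
    "validity_in_months": 36,
    "san_dns_names": ["example.test"], "san_emails": ["admin@example.test"],
}

HARDENED_POLICY = {
    "issuer_name": "Self", "subject_name": "CN=example.test",
    "exportable": False, "key_type": "RSA", "key_size": 3072, "reuse_key": False,
    "validity_in_months": 12, "san_dns_names": ["example.test"],
    "lifetime_actions": [{"action": "AutoRenew", "lifetime_percentage": 80}],
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label)
        for severity, msg in review_policy(pol):
            print(f"  [{severity}] {msg}")
```

To review a real policy, build the dict from the CertificatePolicy properties listed below (key_type, key_size, exportable, validity_in_months and so on); the function does not touch the SDK object itself.
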
classmethod get_default()[source]

property certificate_transparency

Whether the certificates generated under this policy should be published to certificate transparency logs.

Return type

bool

property certificate_type

Type of certificate requested from the issuer provider.

Return type

str

property content_type

The media type (MIME type).

Return type

SecretContentType

property created_on

The datetime when the certificate is created.

Return type

datetime

property curve

Elliptic curve name.

Return type

KeyCurveName

property ekus

The enhanced key usage.

Return type

list[str]

property enabled

Whether the certificate is enabled or not.

Return type

bool

property expires_on

The datetime when the certificate expires.

Return type

datetime

property exportable

Whether the private key can be exported.

Return type

bool

property id

Return type

str

property issuer_name

Name of the referenced issuer object or reserved names for the issuer of the certificate.

Return type

str

property key_size

The key size in bits.

Return type

int

property key_type

The type of key pair to be used for the certificate.

Return type

KeyType

property key_usage

List of key usages.

Return type

list[KeyUsageType]

property lifetime_actions

Actions and their triggers that will be performed by Key Vault over the lifetime of the certificate.

Return type

list[LifetimeAction]

property not_before

The datetime before which the certificate is not valid.

Return type

datetime

property recovery_level

The deletion recovery level currently in effect for the certificate.

Return type

DeletionRecoveryLevel

property reuse_key

Whether the same key pair will be used on certificate renewal.

Return type

bool

property san_dns_names

The subject alternative domain names.

Return type

list[str]

property san_emails

The subject alternative email addresses.

Return type

list[str]

property san_upns

The subject alternative user principal names.

Return type

list[str]

property subject_name

Return type

str

property updated_on

The datetime when the certificate was last updated.

Return type

datetime

property validity_in_months

The duration that the certificate is valid for in months.

Return type

int

class azure.keyvault.certificates.models.CertificateProperties(**kwargs)[source]

Certificate properties consist of a certificate's metadata.

property created_on

The datetime when the certificate is created.

Return type

datetime

property enabled

Whether the certificate is enabled or not.

Return type

bool

property expires_on

The datetime when the certificate expires.

Return type

datetime

property id

Certificate identifier.

Return type

str

property name

The name of the certificate.

Return type

str

property not_before

The datetime before which the certificate is not valid.

Return type

datetime

property recovery_level

The deletion recovery level currently in effect for the certificate.

Return type

models.DeletionRecoveryLevel

property tags

Application specific metadata in the form of key-value pairs.

Return type

str

property thumbprint

Thumbprint of the certificate.

Return type

bytes

property updated_on

The datetime when the certificate was last updated.

Return type

datetime

property vault_url

URL of the vault containing the certificate

Return type

str

property version

The version of the certificate

Return type

str

class azure.keyvault.certificates.models.DeletedCertificate(properties=None, policy=None, cer=None, **kwargs)[source]

A Deleted Certificate consisting of its previous id, attributes and its tags, as well as information on when it will be purged.

Parameters
  • policy (CertificatePolicy) – The management policy of the deleted certificate.

  • cer (bytearray) – CER contents of the X509 certificate.

  • deleted_date (datetime) – The time when the certificate was deleted, in UTC

  • recovery_id (str) – The url of the recovery object, used to identify and recover the deleted certificate.

  • scheduled_purge_date (datetime) – The time when the certificate is scheduled to be purged, in UTC

property cer

The CER contents of the certificate.

Return type

bytes

property deleted_date

The datetime that the certificate was deleted.

Return type

datetime

property id

Certificate identifier.

Return type

str

property key_id

Return type

str

property name

The name of the certificate.

Return type

str

property policy

The management policy of the certificate.

Return type

CertificatePolicy

property properties

The certificate’s properties

Return type

CertificateAttributes

property recovery_id

The url of the recovery object, used to identify and recover the deleted certificate.

Return type

str

property scheduled_purge_date

The datetime when the certificate is scheduled to be purged.

Return type

str

property secret_id

Return type

str

class azure.keyvault.certificates.models.IssuerProperties(provider=None, **kwargs)[source]

The properties of an issuer containing the issuer metadata.

Parameters

provider (str) – The issuer provider.

property id

Return type

str

property name

Return type

str

property provider

Return type

str

property vault_url

URL of the vault containing the issuer

Return type

str

class azure.keyvault.certificates.models.KeyVaultCertificate(policy, properties=None, cer=None, **kwargs)[source]

Consists of a certificate and its attributes

Parameters
  • policy (CertificatePolicy) – The management policy for the certificate.

  • properties (CertificateProperties) – The certificate’s properties.

  • cer (bytearray) – CER contents of the X509 certificate.

property cer

The CER contents of the certificate.

Return type

bytes

property id

Certificate identifier.

Return type

str

property key_id

Return type

str

property name

The name of the certificate.

Return type

str

property policy

The management policy of the certificate.

Return type

CertificatePolicy

property properties

The certificate’s properties

Return type

CertificateAttributes

property secret_id

Return type

str

class azure.keyvault.certificates.models.LifetimeAction(action, lifetime_percentage=None, days_before_expiry=None)[source]

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

Parameters
  • action (str or CertificatePolicyAction) – The type of the action. For valid values, see CertificatePolicyAction

  • lifetime_percentage (int) – Percentage of lifetime at which to trigger. Value should be between 1 and 99.

  • days_before_expiry (int) – Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. I.e., if validity_in_months is 36, then value should be between 1 and 972 (36 * 27).

property action

The type of the action that will be executed. Valid values are “EmailContacts” and “AutoRenew”.

Return type

str or CertificatePolicyAction

property days_before_expiry

Days before expiry to attempt renewal.

Return type

int

property lifetime_percentage

Percentage of lifetime at which to trigger.

Return type

int

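The two triggers documented above are alternatives, and their ranges (1 to 99 percent, or 1 to validity_in_months × 27 days) are easy to get wrong in a policy that is only exercised months later. The following added example (not SDK code) validates a LifetimeAction against those documented bounds and computes the instant at which Key Vault would fire it; the sample certificate validity period is constructed.

```python
from datetime import datetime, timedelta, timezone

VALID_ACTIONS = ("AutoRenew", "EmailContacts")   # the CertificatePolicyAction values documented above
DAYS_PER_MONTH_BOUND = 27                         # documented ceiling: days_before_expiry <= validity_in_months * 27


def validate_lifetime_action(action, validity_in_months, lifetime_percentage=None, days_before_expiry=None):
    """Return the list of problems with a LifetimeAction; an empty list means it is acceptable."""
    problems = []
    if action not in VALID_ACTIONS:
        problems.append(f"unknown action {action!r}")
    # The two triggers are alternatives: a lifetime percentage or a fixed number of days before expiry.
    if (lifetime_percentage is None) == (days_before_expiry is None):
        problems.append("exactly one of lifetime_percentage and days_before_expiry must be set")
    if lifetime_percentage is not None and not 1 <= lifetime_percentage <= 99:
        problems.append(f"lifetime_percentage {lifetime_percentage} is outside 1..99")
    if days_before_expiry is not None:
        upper = validity_in_months * DAYS_PER_MONTH_BOUND
        if not 1 <= days_before_expiry <= upper:
            problems.append(f"days_before_expiry {days_before_expiry} is outside 1..{upper}")
    return problems


def trigger_time(not_before, expires_on, lifetime_percentage=None, days_before_expiry=None):
    """The instant at which the action fires for a certificate valid from not_before until expires_on."""
    if lifetime_percentage is not None:
        # Percentage trigger: that fraction of the way through the validity period.
        return not_before + (expires_on - not_before) * (lifetime_percentage / 100)
    return expires_on - timedelta(days=days_before_expiry)


# Constructed sample: a certificate valid for one (leap) year.
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRES_ON = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_lifetime_action("AutoRenew", 36, days_before_expiry=972))   # [] because 972 == 36 * 27
    print(validate_lifetime_action("AutoRenew", 36, days_before_expiry=973))   # one problem
    print(trigger_time(NOT_BEFORE, EXPIRES_ON, lifetime_percentage=80))
    print(trigger_time(NOT_BEFORE, EXPIRES_ON, days_before_expiry=30))
```

The percentage trigger scales with the validity period while the day-count trigger does not, so a policy whose validity_in_months is later shortened should have its days_before_expiry re-validated; that is the case the upper-bound check catches.
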
Module contents

class azure.keyvault.certificates.CertificatePolicyAction[source]

The supported action types for the lifetime of a certificate

auto_renew = 'AutoRenew'
email_contacts = 'EmailContacts'

class azure.keyvault.certificates.AdministratorDetails(first_name=None, last_name=None, email=None, phone=None)[source]

Details of the organization administrator of the certificate issuer.

Parameters
  • first_name (str) – First name of the issuer.

  • last_name (str) – Last name of the issuer.

  • email (str) – email of the issuer.

  • phone (str) – phone number of the issuer.

property email

Return type

str

property first_name

Return type

str

property last_name

Return type

str

property phone

Return type

str

class azure.keyvault.certificates.CertificateClient(vault_url, credential, **kwargs)[source]

A high-level interface for managing a vault’s certificates.

Parameters
  • vault_url (str) – URL of the vault the client will access

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity

Keyword arguments
  • api_version: version of the Key Vault API to use. Defaults to the most recent.

  • transport: HttpTransport to use. Defaults to RequestsTransport.

Example

Create a new CertificateClient

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url, credential)

backup_certificate(name, **kwargs)[source]

Backs up the specified certificate.

Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.

Parameters

name (str) – The name of the certificate.

Returns

the backup blob containing the backed up certificate.

Return type

bytes

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate backup

# backup certificate
certificate_backup = certificate_client.backup_certificate(name=cert_name)

# returns the raw bytes of the backed up certificate
print(certificate_backup)

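The backup blob returned above covers every version of the certificate, so wherever the caller stores it becomes as sensitive as the vault entry itself. The following added example (not SDK code) writes the blob with owner-only permissions, refuses to overwrite an existing file, and records a SHA-256 digest so a later restore_certificate_backup call can be fed only bytes that are unchanged; the blob contents are a constructed stand-in, not a real export.

```python
import hashlib
import os
import stat
import tempfile


def write_backup(blob, path):
    """Write a backup blob to `path` readable only by the owner; returns its SHA-256 hex digest."""
    # O_EXCL refuses to overwrite an existing file; mode 0o600 keeps other local users out of the blob.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    return hashlib.sha256(blob).hexdigest()


def read_backup(path, expected_digest):
    """Read a blob back for restore_certificate_backup, refusing it if permissions or digest changed."""
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is group- or world-accessible (mode {oct(mode)})")
    with open(path, "rb") as fh:
        blob = fh.read()
    digest = hashlib.sha256(blob).hexdigest()
    if digest != expected_digest:
        raise ValueError(f"backup digest mismatch: expected {expected_digest}, got {digest}")
    return blob


def backup_roundtrip(blob):
    """Write and read a blob through a temporary directory; True when it comes back intact."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cert-name.backup")
        digest = write_backup(blob, path)
        return read_backup(path, digest) == blob


def tamper_is_detected(blob):
    """Flip one byte of the stored file and confirm read_backup refuses it; True when it does."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cert-name.backup")
        digest = write_backup(blob, path)
        with open(path, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        try:
            read_backup(path, digest)
        except ValueError:
            return True
        return False


# Constructed stand-in for the bytes backup_certificate() returns; not a real Key Vault export.
SAMPLE_BLOB = b"constructed-backup-blob-" + bytes(range(64))

if __name__ == "__main__":
    print(backup_roundtrip(SAMPLE_BLOB), tamper_is_detected(SAMPLE_BLOB))
```

Keep the digest somewhere other than beside the blob (a ticket, a signed manifest); a digest stored in the same directory with the same permissions only detects accidental corruption, not an edit by whoever could already read the file.
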
begin_create_certificate(name, policy, **kwargs)[source]

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

Parameters
  • name (str) – The name of the certificate.

  • policy (CertificatePolicy) – The management policy for the certificate.

Returns

An LROPoller for the create certificate operation. Waiting on the poller gives you the certificate if creation is successful, the CertificateOperation if not.

Return type

LROPoller[KeyVaultCertificate or CertificateOperation]

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Create a certificate

from azure.keyvault.certificates import CertificatePolicy, SecretContentType

# specify the certificate policy
cert_policy = CertificatePolicy(
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=SecretContentType.PKCS12,
    issuer_name="Self",
    subject_name="CN=*.microsoft.com",
    validity_in_months=24,
    san_dns_names=["sdk.azure-int.net"],
)

cert_name = "cert-name"
# create a certificate with optional arguments, returns a long running operation poller
certificate_operation_poller = certificate_client.begin_create_certificate(name=cert_name, policy=cert_policy)

# Here we are waiting for the certificate creation operation to be completed
certificate = certificate_operation_poller.result()

# You can get the final status of the certificate operation poller using .result()
print(certificate_operation_poller.result())

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

cancel_certificate_operation(name, **kwargs)[source]

Cancels a certificate operation.

Cancels a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The cancelled certificate operation

Return type

CertificateOperation

Raises

HttpResponseError

create_contacts(contacts, **kwargs)[source]

Sets the certificate contacts for the key vault.

Sets the certificate contacts for the key vault. This operation requires the certificates/managecontacts permission.

Parameters

contacts (list[CertificateContact]) – The contact list for the vault certificates.

Returns

The created list of contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Create contacts

# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]

contacts = certificate_client.create_contacts(contacts=contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

create_issuer(name, provider, **kwargs)[source]

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

Parameters
  • name (str) – The name of the issuer.

  • provider (str) – The issuer provider.

Returns

The created CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

Example

Create an issuer

# First we specify the AdministratorDetails for an issuer.
admin_details = [
    AdministratorDetails(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]

issuer = certificate_client.create_issuer(
    name="issuer1", provider="Test", account_id="keyvaultuser", admin_details=admin_details, enabled=True
)

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

delete_certificate(name, **kwargs)[source]

Deletes a certificate from the key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Delete a certificate

# delete a certificate
deleted_certificate = certificate_client.delete_certificate(name=certificate.name)

print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

delete_certificate_operation(name, **kwargs)[source]

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted CertificateOperation

Return type

CertificateOperation

Raises

HttpResponseError

delete_contacts(**kwargs)[source]

Deletes the certificate contacts for the key vault.

Deletes the certificate contacts for the key vault. This operation requires the certificates/managecontacts permission.

Returns

Contacts

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Delete contacts

deleted_contacts = certificate_client.delete_contacts()

for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)

delete_issuer(name, **kwargs)[source]

Deletes the specified certificate issuer.

Permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

CertificateIssuer

Return type

CertificateIssuer

Raises

HttpResponseError

Example

Delete an issuer

deleted_issuer = certificate_client.delete_issuer(name="issuer1")

print(deleted_issuer.name)
print(deleted_issuer.properties.provider)
print(deleted_issuer.account_id)

for admin_detail in deleted_issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

get_certificate(name, **kwargs)[source]

Gets a certificate with its management policy attached.

This operation requires the certificates/get permission. Does not accept the version of the certificate as a parameter. If you wish to specify version, use the get_certificate_version function and specify the desired version.

Parameters

name (str) – The name of the certificate in the given vault.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the certificate
certificate = certificate_client.get_certificate(name=cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

get_certificate_operation(name, **kwargs)[source]

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The created CertificateOperation

Return type

CertificateOperation

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

get_certificate_version(name, version, **kwargs)[source]

Gets a specific version of a certificate without returning its management policy.

If you wish to get the latest version of your certificate, or to get the certificate’s policy as well, use the get_certificate function.

Parameters
  • name (str) – The name of the certificate in the given vault.

  • version (str) – The version of the certificate.

Returns

An instance of KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the certificate
certificate = certificate_client.get_certificate(name=cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

get_contacts(**kwargs)[source]

Gets the certificate contacts for the key vault.

Returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

Returns

The certificate contacts for the key vault.

Return type

list[CertificateContact]

Raises

HttpResponseError

Example

Get contacts

contacts = certificate_client.get_contacts()

# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

get_deleted_certificate(name, **kwargs)[source]

Retrieves information about the specified deleted certificate.

Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level. This operation requires the certificates/get permission.

Parameters

name (str) – The name of the certificate.

Returns

The deleted certificate

Return type

DeletedCertificate

Raises

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a deleted certificate

# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = certificate_client.get_deleted_certificate(name=cert_name)
print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_date)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

get_issuer(name, **kwargs)[source]

Gets the specified certificate issuer.

Returns the specified certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The specified certificate issuer.

Return type

CertificateIssuer

Raises

ResourceNotFoundError if the issuer doesn’t exist, HttpResponseError for other errors

Example

Get an issuer

issuer = certificate_client.get_issuer(name="issuer1")

print(issuer.name)
print(issuer.properties.provider)
print(issuer.account_id)

for admin_detail in issuer.admin_details:
    print(admin_detail.first_name)
    print(admin_detail.last_name)
    print(admin_detail.email)
    print(admin_detail.phone)

get_policy(certificate_name, **kwargs)[source]

Gets the policy for a certificate.

Returns the specified certificate policy resources in the key vault. This operation requires the certificates/get permission.

Parameters

certificate_name (str) – The name of the certificate in a given key vault.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

import_certificate(name, certificate_bytes, **kwargs)[source]

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

Parameters
  • name (str) – The name of the certificate.

  • certificate_bytes (bytes) – Bytes of the certificate object to import. This certificate needs to contain the private key.

Returns

The imported KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

  • password (str) - If the private key in the passed in certificate is encrypted, it is the password used for encryption.

  • policy (~azure.keyvault.certificates.models.CertificatePolicy) - The management policy for the certificate

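The description above puts two conditions on the bytes handed to import_certificate: the material must carry a private key, and a PEM file must hold the key alongside the x509 certificate(s); if that key is encrypted, the password keyword argument is needed. The following added example (not SDK code) is a pre-flight check that classifies the bytes as PEM or PKCS#12 and reports those facts before anything is uploaded. The PEM samples are constructed with placeholder bodies, and the PKCS#12 check looks only at the leading DER SEQUENCE tag (an assumption: the rest of the structure is not parsed).

```python
import re

# PEM labels that carry a private key (RFC 7468 labels plus the legacy OpenSSL ones; assumed sufficient here).
PRIVATE_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def inspect_certificate_bytes(data):
    """Classify import material as 'pem' or 'pfx' and report what it contains.

    Returns a dict with keys: format, certificates, has_private_key, key_encrypted, problems.
    """
    result = {"format": None, "certificates": 0, "has_private_key": False,
              "key_encrypted": False, "problems": []}
    if data[:1] == b"\x30":
        # A DER-encoded PKCS#12 file starts with an ASN.1 SEQUENCE tag. Whether it needs a
        # password is not determined here; the caller must know that from the export.
        result["format"] = "pfx"
        return result
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        result["problems"].append("neither a PEM block nor a DER/PKCS#12 header was found")
        return result
    result["format"] = "pem"
    for label, body in blocks:
        label = label.decode("ascii")
        if label == "CERTIFICATE":
            result["certificates"] += 1
        elif label in PRIVATE_KEY_LABELS:
            result["has_private_key"] = True
            # PKCS#8 encrypted keys use their own label; legacy keys signal encryption via a header line.
            if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
                result["key_encrypted"] = True
    if result["certificates"] == 0:
        result["problems"].append("PEM contains no CERTIFICATE block")
    if not result["has_private_key"]:
        result["problems"].append("PEM contains no private key; import_certificate requires one")
    return result


# Constructed samples: the base64 bodies are placeholders, only the PEM framing matters to this check.
SAMPLE_PEM_OK = (
    b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-leaf...\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-intermediate...\n-----END CERTIFICATE-----\n"
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_PEM_NO_KEY = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_PFX = b"\x30\x82\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_PEM_OK), ("no-key", SAMPLE_PEM_NO_KEY), ("pfx", SAMPLE_PFX)):
        print(name, inspect_certificate_bytes(sample))
```

When key_encrypted is true, pass the passphrase via the password keyword argument described above; when problems is non-empty, the upload would either fail or leave a certificate without a usable key, so stop before calling import_certificate.
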
list_certificate_versions(name, **kwargs)[source]

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the key vault. This operation requires the certificates/list permission.

Parameters

name (str) – The name of the certificate.

Returns

An iterator like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Example

List all versions of a certificate

# get an iterator of a certificate's versions
certificate_versions = certificate_client.list_certificate_versions(name="certificate-name")

for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)

list_certificates(**kwargs)[source]

List certificates in the key vault.

The GetCertificates operation returns the set of certificates resources in the key vault. This operation requires the certificates/list permission.

Returns

An iterator like instance of CertificateProperties

Return type

ItemPaged[CertificateProperties]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely deleted.

Example

List all certificates

# get an iterator of certificates
certificates = certificate_client.list_certificates()

for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)

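Listing certificates is usually the input to a monitoring job rather than an end in itself: the CertificateProperties fields printed above (enabled, created_on, updated_on, and the not_before and expires_on dates documented for the class) are what such a job alerts on. The following added example (not SDK code) sorts a set of records into expired, expiring, not-yet-valid, disabled and healthy buckets; the records are constructed dicts carrying those property names, so it runs without a vault.

```python
from datetime import datetime, timedelta, timezone


def classify_certificates(records, now, warn_days=30):
    """Sort certificate property records into the buckets a monitoring job alerts on.

    records: iterable of dicts carrying the CertificateProperties fields used here
             (name, enabled, not_before, expires_on) with timezone-aware datetimes.
    now:     the evaluation time, timezone-aware.
    Returns {bucket: [certificate names]}.
    """
    buckets = {"expired": [], "not_yet_valid": [], "expiring": [], "ok": [], "disabled": []}
    horizon = now + timedelta(days=warn_days)
    for rec in records:
        name = rec["name"]
        if not rec.get("enabled", True):
            # A disabled certificate cannot be used, so its dates are reported separately.
            buckets["disabled"].append(name)
        elif rec["expires_on"] <= now:
            buckets["expired"].append(name)
        elif rec.get("not_before") is not None and rec["not_before"] > now:
            buckets["not_yet_valid"].append(name)
        elif rec["expires_on"] <= horizon:
            buckets["expiring"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


# Constructed sample records standing in for what list_certificates() yields.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"name": "web-tls", "enabled": True, "not_before": NOW - timedelta(days=100), "expires_on": NOW + timedelta(days=200)},
    {"name": "api-tls", "enabled": True, "not_before": NOW - timedelta(days=350), "expires_on": NOW + timedelta(days=10)},
    {"name": "legacy", "enabled": True, "not_before": NOW - timedelta(days=400), "expires_on": NOW - timedelta(days=1)},
    {"name": "staging", "enabled": True, "not_before": NOW + timedelta(days=5), "expires_on": NOW + timedelta(days=400)},
    {"name": "retired", "enabled": False, "not_before": NOW - timedelta(days=700), "expires_on": NOW - timedelta(days=30)},
]

if __name__ == "__main__":
    for bucket, names in classify_certificates(SAMPLE_RECORDS, NOW).items():
        print(f"{bucket}: {names}")
```

Against a live vault the records would be built from each CertificateProperties object the iterator yields (for example {"name": p.name, "enabled": p.enabled, "not_before": p.not_before, "expires_on": p.expires_on}); the warn_days horizon should sit well beyond any AutoRenew trigger in the policy so that a renewal that silently failed is noticed before the expiry itself.
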
list_deleted_certificates(**kwargs)[source]

Lists the deleted certificates in the specified vault currently available for recovery.

Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

Returns

An iterator like instance of DeletedCertificate

Return type

ItemPaged[DeletedCertificate]

Raises

HttpResponseError

Keyword arguments
  • include_pending (bool) - Specifies whether to include certificates which are not completely deleted.

Example

List all the deleted certificates

# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()

for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.deleted_date)
    print(certificate.scheduled_purge_date)

list_issuers(**kwargs)[source]

List certificate issuers for the key vault.

Returns the set of certificate issuer resources in the key vault. This operation requires the certificates/manageissuers/getissuers permission.

Returns

An iterator like instance of Issuers

Return type

ItemPaged[CertificateIssuer]

Raises

HttpResponseError

Example

List issuers of a vault

issuers = certificate_client.list_issuers()

for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)

merge_certificate(name, x509_certificates, **kwargs)[source]

Merges a certificate or a certificate chain with a key pair existing on the server.

Performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission. Make sure when creating the certificate to merge using begin_create_certificate that you set its issuer to ‘Unknown’. This way Key Vault knows that the certificate will not be signed by an issuer known to it.

Parameters
  • name (str) – The name of the certificate

  • x509_certificates (list[bytearray]) – The certificate or the certificate chain to merge.

Returns

The merged certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

purge_deleted_certificate(name, **kwargs)[source]

Permanently deletes the specified deleted certificate.

Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify ‘Purgeable’. This operation requires the certificate/purge permission.

Parameters

name (str) – The name of the certificate

Returns

None

Return type

None

Raises

HttpResponseError

recover_deleted_certificate(name, **kwargs)[source]

Recovers the deleted certificate back to its current version under /certificates.

Performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate’s attributes). This operation requires the certificates/recover permission.

Parameters

name (str) – The name of the deleted certificate

Returns

The recovered certificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Recover a deleted certificate

# recover a deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = certificate_client.recover_deleted_certificate(name=cert_name)

print(recovered_certificate.id)
print(recovered_certificate.name)

restore_certificate_backup(backup, **kwargs)[source]

Restores a backed up certificate to a vault.

Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.

Parameters

backup (bytes) – The backup blob associated with a certificate bundle.

Returns

The restored KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Example

Restore a certificate backup

# restore a certificate backup
restored_certificate = certificate_client.restore_certificate_backup(backup=certificate_backup)

print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)

update_certificate_properties(name, version=None, **kwargs)[source]

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate’s attributes. This operation requires the certificates/update permission.

Parameters
  • name (str) – The name of the certificate in the given key vault.

  • version (str) – The version of the certificate.

Returns

The updated KeyVaultCertificate

Return type

KeyVaultCertificate

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.

Example

Update a certificate’s attributes

# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = certificate_client.update_certificate_properties(name=certificate.name, tags=tags)

print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)

update_issuer(name, **kwargs)[source]

Updates the specified certificate issuer.

Performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

Parameters

name (str) – The name of the issuer.

Returns

The updated issuer

Return type

CertificateIssuer

Raises

HttpResponseError

Keyword arguments
  • enabled (bool) - Determines whether the object is enabled.

  • provider (str) - The issuer provider.

  • account_id (str) - The user name/account name/account id.

  • password (str) - The password/secret/account key.

  • organization_id (str) - Id of the organization.

  • admin_details (list[~azure.keyvault.certificates.models.AdministratorDetails]) - Details of the organization administrators of the certificate issuer.

update_policy(certificate_name, policy, **kwargs)[source]

Updates the policy for a certificate.

Sets the specified members in the certificate policy and leaves the others null. This operation requires the certificates/update permission.

Parameters
  • certificate_name (str) – The name of the certificate in the given vault.

  • policy (CertificatePolicy) – The policy for the certificate.

Returns

The certificate policy

Return type

CertificatePolicy

Raises

HttpResponseError

property vault_url

class azure.keyvault.certificates.CertificatePolicy(issuer_name, subject_name, exportable=None, key_type=None, key_size=None, reuse_key=None, curve=None, ekus=None, key_usage=None, content_type=None, validity_in_months=None, lifetime_actions=None, certificate_type=None, certificate_transparency=None, **kwargs)[source]

Management policy for a certificate.

Parameters
  • exportable (bool) – Indicates if the private key can be exported. For valid values, see KeyType.

  • key_type (str or KeyType) – The type of key pair to be used for the certificate.

  • key_size (int) – The key size in bits. For example: 2048, 3072, or 4096 for RSA.

  • reuse_key (bool) – Indicates if the same key pair will be used on certificate renewal.

  • curve (str or KeyCurveName) – Elliptic curve name. For valid values, see KeyCurveName.

  • ekus (list[str]) – The enhanced key usages.

  • key_usage (list[str or KeyUsageType]) – List of key usages.

  • content_type (SecretContentType or str) – The media type (MIME type) of the secret backing the certificate. For valid values, see SecretContentType.

  • subject_name (str) – The subject name of the certificate. Should be a valid X509 distinguished name.

  • validity_in_months (int) – The duration that the certificate is valid in months.

  • lifetime_actions (Iterable[LifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a certificate

  • issuer_name (str) – Name of the referenced issuer object or a reserved name; for example, ‘Self’ or ‘Unknown’

  • certificate_type (str) – Type of certificate to be requested from the issuer provider.

  • certificate_transparency (bool) – Indicates if the certificates generated under this policy should be published to certificate transparency logs.

Keyword arguments
  • san_emails (Iterable[str]) - Subject alternative emails of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

  • san_dns_names (Iterable[str]) - Subject alternative DNS names of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

  • san_upns (Iterable[str]) - Subject alternative user principal names of the X509 object. Only one out of san_emails, san_dns_names, and san_upns may be set.

classmethod get_default()[source]
property certificate_transparency

Whether the certificates generated under this policy should be published to certificate transparency logs.

Return type

bool

property certificate_type

Type of certificate requested from the issuer provider.

Return type

str

property content_type

The media type (MIME type).

Return type

SecretContentType

property created_on

The datetime when the certificate is created.

Return type

datetime

property curve

Elliptic curve name.

Return type

KeyCurveName

property ekus

The enhanced key usage.

Return type

list[str]

property enabled

Whether the certificate is enabled or not.

Return type

bool

property expires_on

The datetime when the certificate expires.

Return type

datetime

property exportable

Whether the private key can be exported.

Return type

bool

property id

Return type

str

property issuer_name

Name of the referenced issuer object or reserved names for the issuer of the certificate.

Return type

str

property key_size

The key size in bits.

Return type

int

property key_type

The type of key pair to be used for the certificate.

Return type

KeyType

property key_usage

List of key usages.

Return type

list[KeyUsageType]

property lifetime_actions

Actions and their triggers that will be performed by Key Vault over the lifetime of the certificate.

Return type

list[LifetimeAction]

property not_before

The datetime before which the certificate is not valid.

Return type

datetime

property recovery_level

The deletion recovery level currently in effect for the certificate.

Return type

DeletionRecoveryLevel

property reuse_key

Whether the same key pair will be used on certificate renewal.

Return type

bool

property san_dns_names

The subject alternative domain names.

Return type

list[str]

property san_emails

The subject alternative email addresses.

Return type

list[str]

property san_upns

The subject alternative user principal names.

Return type

list[str]

property subject_name

Return type

str

property updated_on

The datetime when the certificate was last updated.

Return type

datetime

property validity_in_months

The duration that the certificate is valid for in months.

Return type

int

class azure.keyvault.certificates.CertificateContact(email=None, name=None, phone=None)[source]

The contact information for the vault certificates.

Parameters
  • email (str) – Email address of a contact for the certificate.

  • name (str) – Name of a contact for the certificate.

  • phone (str) – Phone number of a contact for the certificate.

property email

Return type

str

property name

Return type

str

property phone

Return type

str

class azure.keyvault.certificates.KeyCurveName[source]

Supported elliptic curves

p_256 = 'P-256'

The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

p_256_k = 'P-256K'

The SECG SECP256K1 elliptic curve.

p_384 = 'P-384'

The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

p_521 = 'P-521'

The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

class azure.keyvault.certificates.KeyType[source]

Supported key types

ec = 'EC'

Elliptic Curve

ec_hsm = 'EC-HSM'

Elliptic Curve with a private key which is not exportable from the HSM

oct = 'oct'

Octet sequence (used to represent symmetric keys)

rsa = 'RSA'

RSA (https://tools.ietf.org/html/rfc3447)

rsa_hsm = 'RSA-HSM'

RSA with a private key which is not exportable from the HSM

class azure.keyvault.certificates.KeyUsageType[source]

The supported types of key usages

crl_sign = 'cRLSign'
data_encipherment = 'dataEncipherment'
decipher_only = 'decipherOnly'
digital_signature = 'digitalSignature'
encipher_only = 'encipherOnly'
key_agreement = 'keyAgreement'
key_cert_sign = 'keyCertSign'
key_encipherment = 'keyEncipherment'
non_repudiation = 'nonRepudiation'
class azure.keyvault.certificates.LifetimeAction(action, lifetime_percentage=None, days_before_expiry=None)[source]

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

Parameters
  • action (str or CertificatePolicyAction) – The type of the action. For valid values, see CertificatePolicyAction

  • lifetime_percentage (int) – Percentage of lifetime at which to trigger. Value should be between 1 and 99.

  • days_before_expiry (int) – Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. I.e., if validity_in_months is 36, then value should be between 1 and 972 (36 * 27).

property action

The type of the action that will be executed. Valid values are “EmailContacts” and “AutoRenew”

Return type

str or CertificatePolicyAction

property days_before_expiry

Days before expiry to attempt renewal.

Return type

int

property lifetime_percentage

Percentage of lifetime at which to trigger.

Return type

int
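The value constraints stated for CertificatePolicy (only one of san_emails, san_dns_names and san_upns may be set; 2048, 3072 or 4096 as the RSA key sizes named above) and for LifetimeAction (lifetime_percentage between 1 and 99, days_before_expiry between 1 and validity_in_months * 27) can be checked locally before a policy is sent to a vault. The following is an added example, not code from the azure-keyvault-certificates SDK: it lints plain dicts whose keys mirror the constructor parameters documented above, so it runs without the SDK or a vault. Findings tagged "error:" follow the reference text; findings tagged "warn:" (exportable, reuse_key, software-protected key types) are this example's own hardening heuristics, not SDK rules. The sample policies are constructed placeholders.

```python
"""Offline lint of a Key Vault certificate policy against the documented constraints.

Added example, not SDK code. Operates on plain dicts mirroring the CertificatePolicy
and LifetimeAction constructor parameters. "error:" = documented rule violated;
"warn:" = this example's own hardening heuristic (an assumption, not an SDK rule).
"""
from typing import Dict, List, Optional

SAN_FIELDS = ("san_emails", "san_dns_names", "san_upns")   # only one may be set
VALID_ACTIONS = {"EmailContacts", "AutoRenew"}             # LifetimeAction.action values
DOCUMENTED_RSA_SIZES = {2048, 3072, 4096}                  # RSA sizes named in the reference
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}                      # private key not exportable from the HSM


def max_days_before_expiry(validity_in_months: int) -> int:
    """Documented upper bound for days_before_expiry: validity_in_months * 27 (36 -> 972)."""
    return validity_in_months * 27


def lint_lifetime_action(action: Dict, validity_in_months: Optional[int]) -> List[str]:
    """Check one LifetimeAction-like dict against its documented value ranges."""
    problems: List[str] = []
    kind = action.get("action")
    if kind not in VALID_ACTIONS:
        problems.append(f"error: action {kind!r} is not one of {sorted(VALID_ACTIONS)}")
    pct = action.get("lifetime_percentage")
    if pct is not None and not 1 <= pct <= 99:
        problems.append(f"error: lifetime_percentage {pct} is outside 1..99")
    days = action.get("days_before_expiry")
    if days is not None:
        if validity_in_months is None:
            problems.append("error: days_before_expiry needs validity_in_months to bound it")
        else:
            upper = max_days_before_expiry(validity_in_months)
            if not 1 <= days <= upper:
                problems.append(f"error: days_before_expiry {days} is outside 1..{upper}")
    return problems


def lint_policy(policy: Dict) -> List[str]:
    """Return all findings for a CertificatePolicy-like dict; an empty list means it passed."""
    problems: List[str] = []

    # Documented rule: only one of san_emails, san_dns_names, san_upns may be set.
    set_sans = [f for f in SAN_FIELDS if policy.get(f)]
    if len(set_sans) > 1:
        problems.append(f"error: only one SAN kind may be set, got {set_sans}")

    key_type = policy.get("key_type")
    key_size = policy.get("key_size")
    if key_type in ("RSA", "RSA-HSM") and key_size is not None and key_size not in DOCUMENTED_RSA_SIZES:
        problems.append(f"warn: RSA key_size {key_size} is not one of {sorted(DOCUMENTED_RSA_SIZES)}")

    # Hardening heuristics: this example's own choices, not documented SDK rules.
    if policy.get("exportable"):
        problems.append("warn: exportable=True lets the private key leave the vault")
    if policy.get("reuse_key"):
        problems.append("warn: reuse_key=True keeps the same key pair across renewals")
    if key_type not in HSM_KEY_TYPES:
        problems.append(f"warn: key_type {key_type!r} is software-protected; consider an -HSM type")

    validity = policy.get("validity_in_months")
    for i, act in enumerate(policy.get("lifetime_actions") or []):
        for finding in lint_lifetime_action(act, validity):
            severity, msg = finding.split(": ", 1)
            problems.append(f"{severity}: lifetime_actions[{i}]: {msg}")
    return problems


# Constructed sample inputs (placeholder names, not real certificates or vaults).
WEAK_POLICY = {
    "issuer_name": "Self",
    "subject_name": "CN=example.internal",
    "key_type": "RSA",
    "key_size": 1024,
    "exportable": True,
    "reuse_key": True,
    "san_dns_names": ["example.internal"],
    "san_emails": ["ops@example.internal"],       # second SAN kind: violates the rule
    "validity_in_months": 36,
    "lifetime_actions": [
        {"action": "AutoRenew", "lifetime_percentage": 0},          # below 1
        {"action": "EmailContacts", "days_before_expiry": 1000},    # above 36 * 27 = 972
    ],
}

HARDENED_POLICY = {
    "issuer_name": "Self",
    "subject_name": "CN=example.internal",
    "key_type": "RSA-HSM",
    "key_size": 3072,
    "exportable": False,
    "reuse_key": False,
    "san_dns_names": ["example.internal"],
    "validity_in_months": 12,
    "lifetime_actions": [{"action": "AutoRenew", "lifetime_percentage": 80}],
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = lint_policy(pol)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Running the lint on a policy built this way surfaces the range and mutual-exclusion violations that the service would otherwise reject at request time, and flags the weaker key-handling settings for review; a clean result is an empty list.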

class azure.keyvault.certificates.SecretContentType[source]

Content type of the secrets as specified in Certificate Policy

PEM = 'application/x-pem-file'
PKCS12 = 'application/x-pkcs12'