azure.keyvault.certificates package¶
-
class
azure.keyvault.certificates.
AdministratorContact
(first_name: Optional[str] = None, last_name: Optional[str] = None, email: Optional[str] = None, phone: Optional[str] = None)[source]¶ Details of the organization administrator of the certificate issuer.
- Parameters
-
property
email
¶ str or None
- Type
rtype
-
property
first_name
¶ str or None
- Type
rtype
-
property
last_name
¶ str or None
- Type
rtype
-
property
phone
¶ str or None
- Type
rtype
-
class
azure.keyvault.certificates.
ApiVersion
(value)[source]¶ Key Vault API versions supported by this package
-
V2016_10_01
= '2016-10-01'¶
-
V7_0
= '7.0'¶
-
V7_1
= '7.1'¶
-
V7_2
= '7.2'¶
-
V7_3_PREVIEW
= '7.3-preview'¶ this is the default version
-
-
class
azure.keyvault.certificates.
CertificateClient
(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶ A high-level interface for managing a vault’s certificates.
- Parameters
vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.
credential – An object which can provide an access token for the vault, such as a credential from
azure.identity
- Keyword Arguments
api_version (ApiVersion) – version of the Key Vault API to use. Defaults to the most recent.
transport (HttpTransport) – transport to use. Defaults to
RequestsTransport
.
Example
from azure.identity import DefaultAzureCredential from azure.keyvault.certificates import CertificateClient # Create a CertificateClient using default Azure credentials credential = DefaultAzureCredential() certificate_client = CertificateClient(vault_url=vault_url, credential=credential)
-
backup_certificate
(certificate_name: str, **kwargs: Any) → bytes[source]¶ Back up a certificate in a protected form useable only by Azure Key Vault.
Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
The backup blob containing the backed up certificate.
- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
Example
# backup certificate certificate_backup = certificate_client.backup_certificate(cert_name) # returns the raw bytes of the backed up certificate print(certificate_backup)
-
begin_create_certificate
(certificate_name: str, policy: CertificatePolicy, **kwargs: Any) → LROPoller[source]¶ Creates a new certificate.
If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission, otherwise raises an
HttpResponseError
- Parameters
certificate_name (str) – The name of the certificate.
policy (CertificatePolicy) – The management policy for the certificate. Either subject or one of the subject alternative name properties are required.
- Keyword Arguments
- Returns
An LROPoller for the create certificate operation. Waiting on the poller gives you the certificate if creation is successful, the CertificateOperation if not.
- Return type
- Raises
ValueError
if the certificate policy is invalid,HttpResponseError
for other errors.
- Keyword arguments
enabled (bool) - Determines whether the object is enabled.
tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.
Example
from azure.keyvault.certificates import CertificatePolicy, CertificateContentType, WellKnownIssuerNames # specify the certificate policy cert_policy = CertificatePolicy( issuer_name=WellKnownIssuerNames.self, subject="CN=*.microsoft.com", san_dns_names=["sdk.azure-int.net"], exportable=True, key_type="RSA", key_size=2048, reuse_key=False, content_type=CertificateContentType.pkcs12, validity_in_months=24, ) # create a certificate with optional arguments, returns a long running operation poller certificate_operation_poller = certificate_client.begin_create_certificate( certificate_name=cert_name, policy=cert_policy ) # Here we are waiting for the certificate creation operation to be completed certificate = certificate_operation_poller.result() # You can get the final status of the certificate operation poller using .result() print(certificate_operation_poller.result()) print(certificate.id) print(certificate.name) print(certificate.policy.issuer_name)
-
begin_delete_certificate
(certificate_name: str, **kwargs: Any) → LROPoller[source]¶ Delete all versions of a certificate. Requires certificates/delete permission.
When this method returns Key Vault has begun deleting the certificate. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
- Parameters
certificate_name (str) – The name of the certificate to delete.
- Returns
A poller for the delete certificate operation. The poller’s result method returns the
DeletedCertificate
without waiting for deletion to complete. If the vault has soft-delete enabled and you want to immediately, permanently delete the certificate withpurge_deleted_certificate()
, call the poller’s wait method first. It will block until the deletion is complete. The wait method requires certificates/get permission.- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
Example
# delete a certificate deleted_certificate = certificate_client.begin_delete_certificate(certificate.name).result() print(deleted_certificate.name) # if the vault has soft-delete enabled, the certificate's deleted date, # scheduled purge date, and recovery id are available print(deleted_certificate.deleted_on) print(deleted_certificate.scheduled_purge_date) print(deleted_certificate.recovery_id)
-
begin_recover_deleted_certificate
(certificate_name: str, **kwargs: Any) → LROPoller[source]¶ Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled.
Requires certificates/recover permission.
When this method returns Key Vault has begun recovering the certificate. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered certificate in another operation immediately.
- Parameters
certificate_name (str) – The name of the deleted certificate to recover
- Returns
A poller for the recovery operation. The poller’s result method returns the recovered
KeyVaultCertificate
without waiting for recovery to complete. If you want to use the recovered certificate immediately, call the poller’s wait method, which blocks until the certificate is ready to use. The wait method requires certificate/get permission.- Return type
- Raises
Example
# recover a deleted certificate to its latest version (requires soft-delete enabled for the vault) recovered_certificate = certificate_client.begin_recover_deleted_certificate(cert_name).result() print(recovered_certificate.id) print(recovered_certificate.name)
-
cancel_certificate_operation
(certificate_name: str, **kwargs: Any) → CertificateOperation[source]¶ Cancels an in-progress certificate operation. Requires the certificates/update permission.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
The cancelled certificate operation
- Return type
- Raises
-
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
create_issuer
(issuer_name: str, provider: str, **kwargs: Any) → CertificateIssuer[source]¶ Sets the specified certificate issuer. Requires certificates/setissuers permission.
- Parameters
- Keyword Arguments
enabled (bool) – Whether the issuer is enabled for use.
account_id (str) – The user name/account name/account id.
password (str) – The password/secret/account key.
organization_id (str) – Id of the organization
admin_contacts (list[AdministratorContact]) – Contact details of the organization administrators of the certificate issuer.
- Returns
The created CertificateIssuer
- Return type
- Raises
Example
from azure.keyvault.certificates import AdministratorContact # First we specify the AdministratorContact for a issuer. admin_contacts = [ AdministratorContact(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555") ] issuer = certificate_client.create_issuer( issuer_name="issuer1", provider="Test", account_id="keyvaultuser", admin_contacts=admin_contacts, enabled=True, ) print(issuer.name) print(issuer.provider) print(issuer.account_id) for contact in issuer.admin_contacts: print(contact.first_name) print(contact.last_name) print(contact.email) print(contact.phone)
-
delete_certificate_operation
(certificate_name: str, **kwargs: Any) → CertificateOperation[source]¶ Deletes and stops the creation operation for a specific certificate.
Requires the certificates/update permission.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
The deleted CertificateOperation
- Return type
- Raises
-
delete_contacts
(**kwargs: Any) → List[CertificateContact][source]¶ Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
- Returns
The deleted contacts for the key vault.
- Return type
- Raises
Example
deleted_contacts = certificate_client.delete_contacts() for deleted_contact in deleted_contacts: print(deleted_contact.name) print(deleted_contact.email) print(deleted_contact.phone)
-
delete_issuer
(issuer_name: str, **kwargs: Any) → CertificateIssuer[source]¶ Deletes the specified certificate issuer.
Requires certificates/manageissuers/deleteissuers permission.
- Parameters
issuer_name (str) – The name of the issuer.
- Returns
CertificateIssuer
- Return type
- Raises
Example
deleted_issuer = certificate_client.delete_issuer("issuer1") print(deleted_issuer.name) print(deleted_issuer.provider) print(deleted_issuer.account_id) for contact in deleted_issuer.admin_contacts: print(contact.first_name) print(contact.last_name) print(contact.email) print(contact.phone)
-
get_certificate
(certificate_name: str, **kwargs: Any) → KeyVaultCertificate[source]¶ Gets a certificate with its management policy attached. Requires certificates/get permission.
Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call
get_certificate_version()
.- Parameters
certificate_name (str) – The name of the certificate in the given vault.
- Returns
An instance of KeyVaultCertificate
- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
Example
# get the certificate certificate = certificate_client.get_certificate(cert_name) print(certificate.id) print(certificate.name) print(certificate.policy.issuer_name)
-
get_certificate_operation
(certificate_name: str, **kwargs: Any) → CertificateOperation[source]¶ Gets the creation operation of a certificate. Requires the certificates/get permission.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
The created CertificateOperation
- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
-
get_certificate_policy
(certificate_name: str, **kwargs: Any) → CertificatePolicy[source]¶ Gets the policy for a certificate. Requires certificates/get permission.
Returns the specified certificate policy resources in the key vault.
- Parameters
certificate_name (str) – The name of the certificate in a given key vault.
- Returns
The certificate policy
- Return type
- Raises
-
get_certificate_version
(certificate_name: str, version: str, **kwargs: Any) → KeyVaultCertificate[source]¶ Gets a specific version of a certificate without returning its management policy.
Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate’s policy as well, call
get_certificate()
.- Parameters
- Returns
An instance of KeyVaultCertificate
- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
Example
certificate = certificate_client.get_certificate_version(cert_name, version) print(certificate.id) print(certificate.properties.version)
-
get_contacts
(**kwargs: Any) → List[CertificateContact][source]¶ Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
- Returns
The certificate contacts for the key vault.
- Return type
- Raises
Example
contacts = certificate_client.get_contacts() # Loop through the certificate contacts for this key vault. for contact in contacts: print(contact.name) print(contact.email) print(contact.phone)
-
get_deleted_certificate
(certificate_name: str, **kwargs: Any) → DeletedCertificate[source]¶ Get a deleted certificate. Possible only in a vault with soft-delete enabled.
Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
The deleted certificate
- Return type
- Raises
ResourceNotFoundError
if the certificate doesn’t exist,HttpResponseError
for other errors
Example
# get a deleted certificate (requires soft-delete enabled for the vault) deleted_certificate = certificate_client.get_deleted_certificate(cert_name) print(deleted_certificate.name) # if the vault has soft-delete enabled, the certificate's deleted date, # scheduled purge date, and recovery id are available print(deleted_certificate.deleted_on) print(deleted_certificate.scheduled_purge_date) print(deleted_certificate.recovery_id)
-
get_issuer
(issuer_name: str, **kwargs: Any) → CertificateIssuer[source]¶ Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission.
- Parameters
issuer_name (str) – The name of the issuer.
- Returns
The specified certificate issuer.
- Return type
- Raises
ResourceNotFoundError
if the issuer doesn’t exist,HttpResponseError
for other errors
Example
issuer = certificate_client.get_issuer("issuer1") print(issuer.name) print(issuer.provider) print(issuer.account_id) for contact in issuer.admin_contacts: print(contact.first_name) print(contact.last_name) print(contact.email) print(contact.phone)
-
import_certificate
(certificate_name: str, certificate_bytes: bytes, **kwargs: Any) → KeyVaultCertificate[source]¶ Import a certificate created externally. Requires certificates/import permission.
Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates, and you must provide a
policy
withcontent_type
ofpem
.- Parameters
- Keyword Arguments
enabled (bool) – Whether the certificate is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
password (str) – If the private key in the passed in certificate is encrypted, it is the password used for encryption.
policy (CertificatePolicy) – The management policy for the certificate. Required if importing a PEM-format certificate, with
content_type
set topem
.
- Returns
The imported KeyVaultCertificate
- Return type
- Raises
-
list_deleted_certificates
(**kwargs: Any) → ItemPaged[DeletedCertificate][source]¶ Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled.
Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.
- Keyword Arguments
include_pending (bool) – Specifies whether to include certificates which are not completely deleted.
- Returns
An iterator like instance of DeletedCertificate
- Return type
- Raises
Example
# get an iterator of deleted certificates (requires soft-delete enabled for the vault) deleted_certificates = certificate_client.list_deleted_certificates() for certificate in deleted_certificates: print(certificate.id) print(certificate.name) print(certificate.deleted_on) print(certificate.scheduled_purge_date) print(certificate.deleted_on)
-
list_properties_of_certificate_versions
(certificate_name: str, **kwargs: Any) → ItemPaged[CertificateProperties][source]¶ List the identifiers and properties of a certificate’s versions.
Requires certificates/list permission.
- Parameters
certificate_name (str) – The name of the certificate.
- Returns
An iterator like instance of CertificateProperties
- Return type
- Raises
Example
# get an iterator of a certificate's versions certificate_versions = certificate_client.list_properties_of_certificate_versions(certificate_name) for certificate in certificate_versions: print(certificate.id) print(certificate.updated_on) print(certificate.version)
-
list_properties_of_certificates
(**kwargs: Any) → ItemPaged[CertificateProperties][source]¶ List identifiers and properties of all certificates in the vault.
Requires certificates/list permission.
- Keyword Arguments
include_pending (bool) – Specifies whether to include certificates which are not completely provisioned.
- Returns
An iterator like instance of CertificateProperties
- Return type
- Raises
Example
# get an iterator of certificates certificates = certificate_client.list_properties_of_certificates() for certificate in certificates: print(certificate.id) print(certificate.created_on) print(certificate.name) print(certificate.updated_on) print(certificate.enabled)
-
list_properties_of_issuers
(**kwargs: Any) → ItemPaged[IssuerProperties][source]¶ Lists properties of the certificate issuers for the key vault.
Requires the certificates/manageissuers/getissuers permission.
- Returns
An iterator like instance of Issuers
- Return type
- Raises
Example
issuers = certificate_client.list_properties_of_issuers() for issuer in issuers: print(issuer.name) print(issuer.provider)
-
merge_certificate
(certificate_name: str, x509_certificates: Iterable[bytes], **kwargs: Any) → KeyVaultCertificate[source]¶ Merges a certificate or a certificate chain with a key pair existing on the server.
Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using
begin_create_certificate()
that you set its issuer to ‘Unknown’. This way Key Vault knows that the certificate will not be signed by an issuer known to it.- Parameters
- Keyword Arguments
- Returns
The merged certificate
- Return type
- Raises
-
purge_deleted_certificate
(certificate_name: str, **kwargs: Any) → None[source]¶ Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled.
Requires certificates/purge permission.
Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the
recovery_level
does not specify ‘Purgeable’. This method is only necessary for purging a certificate before itsscheduled_purge_date
.- Parameters
certificate_name (str) – The name of the certificate
- Returns
None
- Return type
- Raises
-
restore_certificate_backup
(backup: bytes, **kwargs: Any) → KeyVaultCertificate[source]¶ Restore a certificate backup to the vault. Requires certificates/restore permission.
This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate’s name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
- Parameters
backup (bytes) – The backup blob associated with a certificate bundle.
- Returns
The restored KeyVaultCertificate
- Return type
- Raises
Example
# restore a certificate backup restored_certificate = certificate_client.restore_certificate_backup(certificate_backup) print(restored_certificate.id) print(restored_certificate.name) print(restored_certificate.properties.version)
-
set_contacts
(contacts: Iterable[CertificateContact], **kwargs: Any) → List[CertificateContact][source]¶ Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission.
- Parameters
contacts (list[CertificateContact]) – The contact list for the vault certificates.
- Returns
The created list of contacts
- Return type
- Raises
Example
from azure.keyvault.certificates import CertificateContact # Create a list of the contacts that you want to set for this key vault. contact_list = [ CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"), CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"), ] contacts = certificate_client.set_contacts(contact_list) for contact in contacts: print(contact.name) print(contact.email) print(contact.phone)
-
update_certificate_policy
(certificate_name: str, policy: CertificatePolicy, **kwargs: Any) → CertificatePolicy[source]¶ Updates the policy for a certificate. Requires certificiates/update permission.
Set specified members in the certificate policy. Leaves others as null.
- Parameters
certificate_name (str) – The name of the certificate in the given vault.
policy (CertificatePolicy) – The policy for the certificate.
- Returns
The certificate policy
- Return type
- Raises
-
update_certificate_properties
(certificate_name: str, version: Optional[str] = None, **kwargs: Any) → KeyVaultCertificate[source]¶ Change a certificate’s properties. Requires certificates/update permission.
- Parameters
- Keyword Arguments
- Returns
The updated KeyVaultCertificate
- Return type
- Raises
Example
# update attributes of an existing certificate tags = {"foo": "updated tag"} updated_certificate = certificate_client.update_certificate_properties( certificate_name=certificate.name, tags=tags ) print(updated_certificate.properties.version) print(updated_certificate.properties.updated_on) print(updated_certificate.properties.tags)
-
update_issuer
(issuer_name: str, **kwargs: Any) → CertificateIssuer[source]¶ Updates the specified certificate issuer. Requires certificates/setissuers permission.
- Parameters
issuer_name (str) – The name of the issuer.
- Keyword Arguments
enabled (bool) – Whether the issuer is enabled for use.
provider (str) – The issuer provider
account_id (str) – The user name/account name/account id.
password (str) – The password/secret/account key.
organization_id (str) – Id of the organization
admin_contacts (list[AdministratorContact]) – Contact details of the organization administrators of the certificate issuer
- Returns
The updated issuer
- Return type
- Raises
-
property
vault_url
¶
-
class
azure.keyvault.certificates.
CertificateContact
(email: Optional[str] = None, name: Optional[str] = None, phone: Optional[str] = None)[source]¶ The contact information for the vault certificates.
- Parameters
-
property
email
¶ str or None
- Type
rtype
-
property
name
¶ str or None
- Type
rtype
-
property
phone
¶ str or None
- Type
rtype
-
class
azure.keyvault.certificates.
CertificateContentType
(value)[source]¶ Content type of the secrets as specified in Certificate Policy
-
pem
= 'application/x-pem-file'¶
-
pkcs12
= 'application/x-pkcs12'¶
-
-
class
azure.keyvault.certificates.
CertificateIssuer
(provider: Optional[str], attributes: Optional[models.IssuerAttributes] = None, account_id: Optional[str] = None, password: Optional[str] = None, organization_id: Optional[str] = None, admin_contacts: Optional[List[AdministratorContact]] = None, **kwargs: Any)[source]¶ The issuer for a Key Vault certificate.
- Parameters
-
property
admin_contacts
¶ Contact details of the organization administrator of this issuer.
- Return type
-
property
id
¶ str
- Type
rtype
-
property
name
¶ str or None
- Type
rtype
-
property
organization_id
¶ str or None
- Type
rtype
-
class
azure.keyvault.certificates.
CertificateOperation
(cert_operation_id: Optional[str] = None, issuer_name: Optional[Union[str, WellKnownIssuerNames]] = None, certificate_type: Optional[str] = None, certificate_transparency: Optional[bool] = False, csr: Optional[bytes] = None, cancellation_requested: Optional[bool] = False, status: Optional[str] = None, status_details: Optional[str] = None, error: Optional[CertificateOperationError] = None, target: Optional[str] = None, request_id: Optional[str] = None)[source]¶ A certificate operation is returned in case of long running requests.
- Parameters
cert_operation_id (str) – The certificate id.
issuer_name (str or WellKnownIssuerNames) – Name of the operation’s issuer object or reserved names.
certificate_type (str) – Type of certificate requested from the issuer provider.
certificate_transparency (bool) – Indicates if the certificate this operation is running for is published to certificate transparency logs.
csr (bytearray) – The certificate signing request (CSR) that is being used in the certificate operation.
cancellation_requested (bool) – Indicates if cancellation was requested on the certificate operation.
status (str) – Status of the certificate operation.
status_details (str) – The status details of the certificate operation
error (CertificateOperationError) – Error encountered, if any, during the certificate operation.
target (str) – Location which contains the result of the certificate operation.
request_id (str) – Identifier for the certificate operation.
-
property
cancellation_requested
¶ Whether cancellation was requested on the certificate operation.
-
property
certificate_transparency
¶ Whether certificates generated under this policy should be published to certificate transparency logs.
-
property
certificate_type
¶ Type of certificate to be requested from the issuer provider.
-
property
csr
¶ The certificate signing request that is being used in this certificate operation.
-
property
error
¶ ~azure.keyvault.certificates.CertificateOperationError or None
- Type
rtype
-
property
id
¶ str or None
- Type
rtype
-
property
issuer_name
¶ The name of the issuer of the certificate.
- Return type
str or WellKnownIssuerNames or None
-
property
name
¶ str or None
- Type
rtype
-
property
status
¶ str or None
- Type
rtype
-
property
status_details
¶ str or None
- Type
rtype
-
property
target
¶ Location which contains the result of the certificate operation.
-
class
azure.keyvault.certificates.
CertificateOperationError
(code: str, message: str, inner_error: azure.keyvault.certificates._models.CertificateOperationError)[source]¶ The key vault server error.
- Parameters
code (str) – The error code.
message (str) – The error message.
inner_error (CertificateOperationError) – The error object itself
-
property
inner_error
¶ The error itself
- Return ~azure.keyvault.certificates.CertificateOperationError
-
class
azure.keyvault.certificates.
CertificatePolicy
(issuer_name: Optional[str] = None, **kwargs: Any)[source]¶ Management policy for a certificate.
- Parameters
issuer_name (Optional[str]) – Optional. Name of the referenced issuer object or reserved names; for example,
self
orunknown
- Keyword Arguments
subject (str) – The subject name of the certificate. Should be a valid X509 distinguished name. Either subject or one of the subject alternative name parameters are required for creating a certificate. This will be ignored when importing a certificate; the subject will be parsed from the imported certificate.
san_emails (Iterable[str]) – Subject alternative emails of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate.
san_dns_names (Iterable[str]) – Subject alternative DNS names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate.
san_user_principal_names (Iterable[str]) – Subject alternative user principal names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate.
exportable (bool) – Indicates if the private key can be exported. For valid values, see KeyType.
key_type (str or KeyType) – The type of key pair to be used for the certificate.
key_size (int) – The key size in bits. For example: 2048, 3072, or 4096 for RSA.
reuse_key (bool) – Indicates if the same key pair will be used on certificate renewal.
key_curve_name (str or KeyCurveName) – Elliptic curve name. For valid values, see KeyCurveName.
enhanced_key_usage (list[str]) – The extended ways the key of the certificate can be used.
key_usage (list[str or KeyUsageType]) – List of key usages.
content_type (str or CertificateContentType) – The media type (MIME type) of the secret backing the certificate. If not specified,
CertificateContentType.pkcs12
is assumed.validity_in_months (int) – The duration that the certificate is valid in months.
lifetime_actions (Iterable[LifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a certificate
certificate_type (str) – Type of certificate to be requested from the issuer provider.
certificate_transparency (bool) – Indicates if the certificates generated under this policy should be published to certificate transparency logs.
-
property
certificate_transparency
¶ Whether the certificates generated under this policy should be published to certificate transparency logs.
- Return type
-
property
content_type
¶ The media type (MIME type).
- Return type
-
property
issuer_name
¶ Name of the referenced issuer object or reserved names for the issuer of the certificate.
- Return type
-
property
key_curve_name
¶ Elliptic curve name.
- Return type
-
property
key_usage
¶ List of key usages.
- Return type
-
property
lifetime_actions
¶ Actions and their triggers that will be performed by Key Vault over the lifetime of the certificate.
- Return type
-
class
azure.keyvault.certificates.
CertificatePolicyAction
(value)[source]¶ The supported action types for the lifetime of a certificate
-
auto_renew
= 'AutoRenew'¶
-
email_contacts
= 'EmailContacts'¶
-
-
class
azure.keyvault.certificates.
CertificateProperties
(**kwargs: Any)[source]¶ Certificate properties consists of a certificates metadata.
-
property
recoverable_days
¶ The number of days the certificate is retained before being deleted from a soft-delete enabled Key Vault.
- Return type
-
property
recovery_level
¶ The deletion recovery level currently in effect for the certificate.
- Return type
models.DeletionRecoveryLevel
Application specific metadata in the form of key-value pairs.
- Return type
-
property
-
class
azure.keyvault.certificates.
DeletedCertificate
(properties: Optional[CertificateProperties] = None, policy: Optional[CertificatePolicy] = None, cer: Optional[bytes] = None, **kwargs: Any)[source]¶ A Deleted Certificate consisting of its previous id, attributes and its tags, as well as information on when it will be purged.
- Parameters
policy (CertificatePolicy) – The management policy of the deleted certificate.
cer (bytearray) – CER contents of the X509 certificate.
deleted_on (datetime) – The time when the certificate was deleted, in UTC
recovery_id (str) – The url of the recovery object, used to identify and recover the deleted certificate.
scheduled_purge_date (datetime) – The time when the certificate is scheduled to be purged, in UTC
-
property
key_id
¶ str
- Type
rtype
-
property
policy
¶ The management policy of the certificate.
- Return type
-
property
properties
¶ The certificate’s properties
- Return type
-
property
recovery_id
¶ The url of the recovery object, used to identify and recover the deleted certificate.
- Return type
-
property
scheduled_purge_date
¶ The datetime when the certificate is scheduled to be purged.
- Return type
-
property
secret_id
¶ Any or None
- Type
rtype
-
class
azure.keyvault.certificates.
IssuerProperties
(provider: Optional[str] = None, **kwargs: Any)[source]¶ The properties of an issuer containing the issuer metadata.
- Parameters
provider (str) – The issuer provider.
-
property
id
¶ str
- Type
rtype
-
property
name
¶ str or None
- Type
rtype
-
property
provider
¶ str or None
- Type
rtype
-
class
azure.keyvault.certificates.
KeyCurveName
(value)[source]¶ Supported elliptic curves
-
p_256
= 'P-256'¶ The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
-
p_256_k
= 'P-256K'¶ The SECG SECP256K1 elliptic curve.
-
p_384
= 'P-384'¶ The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
-
p_521
= 'P-521'¶ The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
-
-
class
azure.keyvault.certificates.
KeyType
(value)[source]¶ Supported key types
-
ec
= 'EC'¶ Elliptic Curve
-
ec_hsm
= 'EC-HSM'¶ Elliptic Curve with a private key which is not exportable from the HSM
-
rsa
= 'RSA'¶ //tools.ietf.org/html/rfc3447)
- Type
RSA (https
-
rsa_hsm
= 'RSA-HSM'¶ RSA with a private key which is not exportable from the HSM
-
-
class
azure.keyvault.certificates.
KeyUsageType
(value)[source]¶ The supported types of key usages
-
crl_sign
= 'cRLSign'¶
-
data_encipherment
= 'dataEncipherment'¶
-
decipher_only
= 'decipherOnly'¶
-
digital_signature
= 'digitalSignature'¶
-
encipher_only
= 'encipherOnly'¶
-
key_agreement
= 'keyAgreement'¶
-
key_cert_sign
= 'keyCertSign'¶
-
key_encipherment
= 'keyEncipherment'¶
-
non_repudiation
= 'nonRepudiation'¶
-
-
class
azure.keyvault.certificates.
KeyVaultCertificate
(policy: Optional[CertificatePolicy] = None, properties: Optional[CertificateProperties] = None, cer: Optional[bytes] = None, **kwargs: Any)[source]¶ Consists of a certificate and its attributes
- Parameters
policy (CertificatePolicy) – The management policy for the certificate.
properties (CertificateProperties) – The certificate’s properties.
cer (bytearray) – CER contents of the X509 certificate.
-
property
key_id
¶ str
- Type
rtype
-
property
policy
¶ The management policy of the certificate.
- Return type
-
property
properties
¶ The certificate’s properties
- Return type
-
property
secret_id
¶ Any or None
- Type
rtype
-
class
azure.keyvault.certificates.
KeyVaultCertificateIdentifier
(source_id: str)[source]¶ Information about a KeyVaultCertificate parsed from a certificate ID.
- Parameters
source_id (str) – the full original identifier of a certificate
- Raises
ValueError – if the certificate ID is improperly formatted
Example
cert = client.get_certificate(cert_name) parsed_certificate_id = KeyVaultCertificateIdentifier(cert.id) print(parsed_certificate_id.name) print(parsed_certificate_id.vault_url) print(parsed_certificate_id.version) print(parsed_certificate_id.source_id)
-
property
name
¶
-
property
source_id
¶
-
property
vault_url
¶
-
property
version
¶
-
class
azure.keyvault.certificates.
LifetimeAction
(action: Optional[CertificatePolicyAction], lifetime_percentage: Optional[int] = None, days_before_expiry: Optional[int] = None)[source]¶ Action and its trigger that will be performed by certificate Vault over the lifetime of a certificate.
- Parameters
action (str or CertificatePolicyAction) – The type of the action. For valid values, see CertificatePolicyAction
lifetime_percentage (int) – Percentage of lifetime at which to trigger. Value should be between 1 and 99.
days_before_expiry (int) – Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. I.e., if validity_in_months is 36, then value should be between 1 and 972 (36 * 27).
-
property
action
¶ The type of the action that will be executed. Valid values are “EmailContacts” and “AutoRenew”
- Return type
-
class
azure.keyvault.certificates.
WellKnownIssuerNames
(value)[source]¶ Collection of well-known issuer names
-
self
= 'Self'¶ Use this issuer for a self-signed certificate
-
unknown
= 'Unknown'¶ If you use this issuer, you must manually get an x509 certificate from the issuer of your choice. You must then call
merge_certificate()
to merge the public x509 certificate with your key vault certificate pending object to complete creation.
-