Monitor and manage certificate creation

Applies To: Azure

The scenarios / operations outlined in this article are:

  • Request a KV Certificate with a supported issuer
  • Get pending request - request status is "inProgress"
  • Get pending request - request status is "complete"
  • Get pending request - pending request status is "canceled" or "failed"
  • Get pending request - pending request status is "deleted" or "overwritten"
  • Create (or Import) when pending request exists - status is "inProgress"
  • Merge when pending request is created with an issuer (DigiCert, for example)
  • Request a cancellation while the pending request status is "inProgress"
  • Delete a pending request object
  • Create a KV certificate manually
  • Merge when a pending request is created - manual certificate creation

Request a KV Certificate with a supported issuer

Method Request URI
POST https://mykeyvault.vault.azure.net/certificates/mycert1/create?api-version={api-version}

The following examples require an object named "mydigicert" to already be available in your key vault with the issuer provider as DigiCert. The certificate issuer is an entity represented in Azure Key Vault (KV) as a CertificateIssuer resource. It's used to provide information about the source of a KV certificate; issuer name, provider, credentials, and other administrative details.

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL",
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "mydigicert"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "InProgress",
  "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get pending request - request status is "inProgress"

Method Request URI
GET https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

Request

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

Note

If request_id is specified in the query, it acts like a filter. If the request_id in the query and in the pending object are different, an http status code of 404 is returned.

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get pending request - request status is "complete"

Request

Method Request URI
GET https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "completed",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "target": “https://mykeyvault.vault.azure.net/certificates/mycert1?api-version={api-version}"
}

Get pending request - pending request status is "canceled" or "failed"

Request

Method Request URI
GET https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "failed",
  "status_details": "",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "error": {
    "code": "<errorcode>",
    "message": "<message>"
  }
}

Note

The value of the errorcode can be "Certificate issuer error" or "Request rejected" based on issuer or user error respectively.

Get pending request - pending request status is "deleted" or "overwritten"

A pending object can be deleted or overwritten by a create/import operation when its status isn't inProgress.

Method Request URI
GET https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

Request

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 404, ReasonPhrase: 'Not Found'
{
  "error": {
    "code": "PendingCertificateNotFound",
    "message": "…"
  }
}

Create (or Import) when pending request exists - status is "inProgress"

A pending object has four possible states; "inprogress", "canceled", "failed", or "completed."

When a pending request's state is "inprogress", create (and import) operations will fail with an http status code of 409 (conflict).

To fix a conflict:

  • If the certificate is being manually created, you can either complete the KV certificate by doing a merge or delete on the pending object.

  • If the certificate is being created with an issuer, you can wait until the certificate completes, fails or is canceled. Alternatively, you can delete the pending object.

Note

Deleting a pending object may or may not cancel the x509 certificate request with the provider.

Method Request URI
POST https://mykeyvault.vault.azure.net/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert"
    }
  }
}

Response

StatusCode: 409, ReasonPhrase: 'Conflict'
{
  "error": {
    "code": "Forbidden",
    "message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
  }
}

Merge when pending request is created with an issuer

Merge isn't allowed when a pending object is created with an issuer but is allowed when its state is inProgress.

If the request to create the x509 certificate fails or cancels for some reason, and if an x509 certificate can be retrieved by out-of-band means, a merge operation can be done to complete the KV certificate.

Method Request URI
POST https://mykeyvault.vault.azure.net/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}

Response

StatusCode: 403, ReasonPhrase: 'Forbidden'
{
  "error": {
    "code": "Forbidden",
    "message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
  }
}

Request a cancellation while the pending request status is "inProgress"

A cancellation can only be requested. A request may or may not be canceled. If a request isn't "inProgress", an http status of 400 (Bad Request) is returned.

Method Request URI
PATCH https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

Request

PATCH “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

PATCH “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

{
  "cancellation_requested": true
}

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": true,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Delete a pending request object

Note

Deleting the pending object may or may not cancel the x509 certificate request with the provider.

Method Request URI
DELETE https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}

Request

DELETE “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

DELETE “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "request_id": "a76827a18b63421c917da80f28e9913d",
}

Create a KV certificate manually

You can create a certificate issued with a CA of your choice through a manual creation process. Set the name of the issuer to “Unknown” or don't specify the issuer field.

Method Request URI
POST https://mykeyvault.vault.azure.net/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "Unknown"
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: “https://mykeyvault.vault.azure.net/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": “https://mykeyvault.vault.azure.net/certificates/mycert1/pending",
  "issuer": {
    "name": "Unknown"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "status": "inProgress",
  "status_details": "Pending certificate created. Please Perform Merge to complete the request.",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Merge when a pending request is created - manual certificate creation

Method Request URI
POST https://mykeyvault.vault.azure.net/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}

Element name Required Type Version Description
x5c Yes array <introducing version> X509 certificate chain as base 64 string array.

Response

StatusCode: 201, ReasonPhrase: 'Created'
Location: “https://mykeyvault.vault.azure.net/certificates/mycert1?api-version={api-version}"
{
	"id": "https mykeyvault.vault.azure.net/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"kid": "https:// mykeyvault.vault.azure.net/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"sid": " mykeyvault.vault.azure.net/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"cer": "……de34534……",
	"x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
	"attributes": {
		"enabled": true,
		"exp": 1530394215,
		"nbf": 1435699215,
		"created": 1435699919,
		"updated": 1435699919
	},
	"pending": {
		"id": "https:// mykeyvault.vault.azure.net/certificates/mycert1/pending"
	},
	"policy": {
		"id": "https:// mykeyvault.vault.azure.net/certificates/mycert1/policy",
		"key_props": {
			"exportable": false,
			"kty": "RSA",
			"key_size": 2048,
			"reuse_key": false
		},
		"secret_props": {
			"contentType": "application/x-pkcs12"
		},
		"x509_props": {
			"subject": "CN=Mycert1",
			"ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
			"validity_months": 12
		},
		"lifetime_actions": [{
			"trigger": {
				"lifetime_percentage": 80
			},
			"action": {
				"action_type": "EmailContacts"
			}
		}],
		"issuer": {
			"name": "Unknown"
		},
		"attributes": {
			"enabled": true,
			"created": 1435699811,
			"updated": 1435699811
		}
	}
}