az keyvault certificate

Manage certificates.

Commands

az keyvault certificate contact Manage contacts for certificate management.
az keyvault certificate contact add Add a contact to the specified vault to receive notifications of certificate operations.
az keyvault certificate contact delete Remove a certificate contact from the specified vault.
az keyvault certificate contact list Lists the certificate contacts for a specified key vault.
az keyvault certificate create Create a Key Vault certificate.
az keyvault certificate delete Deletes a certificate from a specified key vault.
az keyvault certificate download Download the public portion of a Key Vault certificate.
az keyvault certificate get-default-policy Get the default policy for self-signed certificates.
az keyvault certificate import Import a certificate into KeyVault.
az keyvault certificate issuer Manage certificate issuer information.
az keyvault certificate issuer admin Manage admin information for certificate issuers.
az keyvault certificate issuer admin add Add admin details for a specified certificate issuer.
az keyvault certificate issuer admin delete Remove admin details for the specified certificate issuer.
az keyvault certificate issuer admin list List admins for a specified certificate issuer.
az keyvault certificate issuer create Create a certificate issuer record.
az keyvault certificate issuer delete Deletes the specified certificate issuer.
az keyvault certificate issuer list List certificate issuers for a specified key vault.
az keyvault certificate issuer show Lists the specified certificate issuer.
az keyvault certificate issuer update Update a certificate issuer record.
az keyvault certificate list List certificates in a specified key vault.
az keyvault certificate list-deleted Lists the deleted certificates in the specified vault, currently available for recovery.
az keyvault certificate list-versions List the versions of a certificate.
az keyvault certificate pending Manage pending certificate creation operations.
az keyvault certificate pending delete Deletes the operation for a specified certificate.
az keyvault certificate pending merge Merges a certificate or a certificate chain with a key pair existing on the server.
az keyvault certificate pending show Gets the operation associated with a specified certificate.
az keyvault certificate purge Permanently deletes the specified deleted certificate.
az keyvault certificate recover Recovers the deleted certificate back to its current version under /certificates.
az keyvault certificate set-attributes Updates the specified attributes associated with the given certificate.
az keyvault certificate show Gets information about a specified certificate.
az keyvault certificate show-deleted Retrieves information about the specified deleted certificate.

az keyvault certificate create

Create a Key Vault certificate.

az keyvault certificate create --name
--policy
--vault-name
[--disabled {false, true}]
[--tags]
[--validity]

Examples

Create a self-signed certificate with the default policy and add it to a virtual machine.

az keyvault certificate create --vault-name vaultname -n cert1   -p "$(az keyvault certificate get-default-policy)"
                        
                        secrets=$(az keyvault secret list-versions --vault-name vaultname   -n cert1 --query "[?attributes.enabled].id" -o tsv)
                        
                        vm_secrets=$(az vm format-secret -s "$secrets") 
                        
                        az vm create -g group-name -n vm-name --admin-username deploy    --image debian --secrets "$vm_secrets"

Required Parameters

--name -n
Name of the certificate.
--policy -p
JSON encoded policy defintion. Use @{file} to load from a file.
--vault-name
Name of the key vault.

Optional Parameters

--disabled
Create certificate in disabled state.
accepted values: false, true
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.
--validity
Number of months the certificate is valid for. Overrides the value specified with --policy/-p.

az keyvault certificate delete

Deletes a certificate from a specified key vault.

az keyvault certificate delete --name
--vault-name

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

az keyvault certificate download

Download the public portion of a Key Vault certificate.

az keyvault certificate download --file
--name
--vault-name
[--encoding {DER, PEM}]
[--version]

Examples

Download a certificate as PEM and check its fingerprint in openssl.

az keyvault certificate download --vault-name vault -n cert-name -f cert.pem && openssl x509 -in cert.pem -inform PEM  -noout -sha1 -fingerprint

Download a certificate as DER and check its fingerprint in openssl.

az keyvault certificate download --vault-name vault -n cert-name -f cert.crt -e DER && openssl x509 -in cert.crt -inform DER  -noout -sha1 -fingerprint

Required Parameters

--file -f
File to receive the binary certificate contents.
--name -n
Name of the certificate.
--vault-name
Name of the key vault.

Optional Parameters

--encoding -e
Encoding of the certificate. DER will create a binary DER formatted x509 certificate, and PEM will create a base64 PEM x509 certificate.
accepted values: DER, PEM
default value: PEM
--version -v
The certificate version. If omitted, uses the latest version.

az keyvault certificate get-default-policy

Get the default policy for self-signed certificates.

az keyvault certificate get-default-policy [--scaffold]

Examples

Create a self-signed certificate with the default policy

az keyvault certificate create --vault-name vaultname -n cert1   -p "$(az keyvault certificate get-default-policy)"

Optional Parameters

--scaffold
Create a fully formed policy structure with default values.

az keyvault certificate import

Import a certificate into KeyVault.

az keyvault certificate import --file
--name
--vault-name
[--disabled {false, true}]
[--password]
[--policy]
[--tags]

Examples

Create a service principal with a certificate, add the certificate to Key Vault and provision a VM with that certificate.

service_principal=$(az ad sp create-for-rbac --create-cert) 
                        
                        cert_file=$(echo $service_principal | jq .fileWithCertAndPrivateKey -r) 
                        
                        az keyvault create -g my-group -n vaultname 
                        
                        az keyvault certificate import --vault-name vaultname -n cert_file 
                        
                        secrets=$(az keyvault secret list-versions --vault-name vaultname   -n cert1 --query "[?attributes.enabled].id" -o tsv)
                        
                        vm_secrets=$(az vm format-secret -s "$secrets") 
                        
                        az vm create -g group-name -n vm-name --admin-username deploy    --image debian --secrets "$vm_secrets"

Required Parameters

--file -f
PKCS12 file or PEM file containing the certificate and private key.
--name -n
Name of the certificate.
--vault-name
Name of the key vault.

Optional Parameters

--disabled
Import the certificate in disabled state.
accepted values: false, true
--password
If the private key in certificate is encrypted, the password used for encryption.
--policy -p
JSON encoded policy defintion. Use @{file} to load from a file.
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault certificate list

List certificates in a specified key vault.

az keyvault certificate list --vault-name
[--maxresults]

Required Parameters

--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault certificate list-deleted

Lists the deleted certificates in the specified vault, currently available for recovery.

az keyvault certificate list-deleted --vault-name
[--maxresults]

Required Parameters

--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault certificate list-versions

List the versions of a certificate.

az keyvault certificate list-versions --name
--vault-name
[--maxresults]

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault certificate purge

Permanently deletes the specified deleted certificate.

az keyvault certificate purge --name
--vault-name

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

az keyvault certificate recover

Recovers the deleted certificate back to its current version under /certificates.

az keyvault certificate recover --name
--vault-name

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

az keyvault certificate set-attributes

Updates the specified attributes associated with the given certificate.

az keyvault certificate set-attributes --name
--vault-name
[--enabled {false, true}]
[--policy]
[--tags]
[--version]

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

Optional Parameters

--enabled
Enable the certificate.
accepted values: false, true
--policy -p
JSON encoded policy defintion. Use @{file} to load from a file.
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.
--version -v
The certificate version. If omitted, uses the latest version.

az keyvault certificate show

Gets information about a specified certificate.

az keyvault certificate show --name
--vault-name
[--version]

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.

Optional Parameters

--version -v
The certificate version. If omitted, uses the latest version.

az keyvault certificate show-deleted

Retrieves information about the specified deleted certificate.

az keyvault certificate show-deleted --name
--vault-name

Required Parameters

--name -n
Name of the certificate.
--vault-name
Name of the key vault.