com.azure.security.keyvault.certificates

Azure Key Vault Certificates is a feature of Azure Key Vault, the Microsoft Azure cloud service for managing cryptographic keys, secrets, and certificates. It lets you securely store and manage X.509 certificates, together with the private keys behind them, that your applications use for TLS, client authentication, and signing.

Azure Key Vault Certificates provides a centralized and highly secure location for storing certificates, which eliminates the need to store sensitive certificate material in application code or configuration files. By leveraging Azure Key Vault, you can better protect your certificates and ensure their availability when needed.

Key features of the Azure Key Vault Certificates service include:

  • Secure storage: Certificates are stored within Azure Key Vault, which protects them with encryption at rest and with access control on every operation, so that only identities granted the corresponding certificate permissions can read or change them.
  • Certificate lifecycle management: You can create, import, and manage certificates within Azure Key Vault. Certificates are X.509; the certificate and its private key can be held in PKCS#12 (PFX) or PEM form.
  • Certificate management operations: Azure Key Vault provides a comprehensive set of management operations, including certificate creation, import, retrieval, update, deletion, and renewal (including automatic renewal driven by the certificate policy's lifetime actions).
  • Integration with Azure services: Key Vault Certificates can be easily integrated with other Azure services, such as Azure App Service, Azure Functions, and Azure Virtual Machines, so those services can present or trust the certificate without your application handling the key material itself.

The Azure Key Vault Certificates client library allows developers to securely store and manage certificates within Azure Key Vault. The library provides a set of APIs that enable developers to securely create, import, retrieve, update, and perform other certificate-related operations.

Key Concepts:

What is a Certificate Client?

The certificate client performs the interactions with the Azure Key Vault service for getting, setting, updating, deleting, and listing certificates and their versions. Asynchronous (CertificateAsyncClient) and synchronous (CertificateClient) clients exist in the SDK, allowing for the selection of a client based on an application's use case. Once you have initialized a certificate client, you can interact with the primary resource types in Azure Key Vault.

What is an Azure Key Vault Certificate ?

Azure Key Vault stores each certificate as three linked resources: the certificate itself (the public X.509 material and its policy, which is what the certificate client returns), a key of type EC or RSA that holds the private key, and a secret whose content type is PKCS12 or PEM and which carries the certificate together with the private key. Retrieving the private key therefore goes through the secrets API and requires secret permissions, not just certificate permissions. In addition to the certificate policy, each certificate version carries the following attributes:

  • enabled: Specifies whether the certificate is enabled and usable. This is the one attribute you set.
  • created: Indicates when this version of the certificate was created. Set by the service.
  • updated: Indicates when this version of the certificate was last updated. Set by the service.

Getting Started

In order to interact with the Azure Key Vault service, you will need a vault URL, a credential object, and an instance of the CertificateClient or CertificateAsyncClient class built from them.

The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation.

Sample: Construct Synchronous Certificate Client

The following code sample demonstrates the creation of a CertificateClient, using the CertificateClientBuilder to configure it.

 // DefaultAzureCredential tries several credential sources in turn (environment variables, managed identity, developer tooling).
 CertificateClient certificateClient = new CertificateClientBuilder()
     .credential(new DefaultAzureCredentialBuilder().build())
     .vaultUrl("<your-key-vault-url>")
     // BODY_AND_HEADERS writes full request and response bodies to the log, including any PFX/PEM passed to importCertificate; use it for debugging only.
     .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BODY_AND_HEADERS))
     .buildClient();
 

Sample: Construct Asynchronous Certificate Client

The following code sample demonstrates the creation of a CertificateAsyncClient, using the CertificateClientBuilder to configure it.

 // Same builder; buildAsyncClient() returns the reactive client whose methods return Mono/Flux.
 CertificateAsyncClient certificateAsyncClient = new CertificateClientBuilder()
     .credential(new DefaultAzureCredentialBuilder().build())
     .vaultUrl("<your-key-vault-url>")
     // BODY_AND_HEADERS writes full request and response bodies to the log; use it for debugging only.
     .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BODY_AND_HEADERS))
     .buildAsyncClient();
 


Create a Certificate

The CertificateClient or CertificateAsyncClient can be used to create a certificate in the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously create a certificate in the key vault, using the com.azure.security.keyvault.certificates.CertificateClient#beginCreateCertificate(java.lang.String, com.azure.security.keyvault.certificates.models.CertificatePolicy) API.

 // Issuer "Self" produces a self-signed certificate; every other policy setting takes the service default.
 CertificatePolicy certPolicy = new CertificatePolicy("Self",
     "CN=SelfSignedJavaPkcs12");
 // Creation is a long-running operation: the poller tracks the CertificateOperation until it finishes.
 SyncPoller<CertificateOperation, KeyVaultCertificateWithPolicy> certPoller = certificateClient
     .beginCreateCertificate("certificateName", certPolicy);
 certPoller.waitUntil(LongRunningOperationStatus.SUCCESSFULLY_COMPLETED);
 // getFinalResult() returns the public certificate and its policy; the private key stays in the vault.
 KeyVaultCertificate cert = certPoller.getFinalResult();
 System.out.printf("Certificate created with name %s%n", cert.getName());
 
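The construction and creation samples above use a throw-away self-signed policy and a body-logging client. The following is an added example, written for this page rather than taken from the SDK documentation, that shows what a production caller would typically do instead: a client that authenticates with the managed identity first and falls back to the developer's Azure CLI login, a policy that pins the key type, keeps the private key non-exportable, sets the server-authentication extended key usage (OID 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth) and auto-renews 30 days before expiry, and a check that parses the issued certificate with the JDK to confirm what was actually issued. The environment variable KEY_VAULT_URL, the certificate name `api-gateway-tls`, the subject and DNS name `api.example.internal`, and the `owner` tag are assumptions for illustration.

```java
import com.azure.core.http.policy.HttpLogDetailLevel;
import com.azure.core.http.policy.HttpLogOptions;
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.certificates.CertificateClient;
import com.azure.security.keyvault.certificates.CertificateClientBuilder;
import com.azure.security.keyvault.certificates.models.CertificateContentType;
import com.azure.security.keyvault.certificates.models.CertificateKeyType;
import com.azure.security.keyvault.certificates.models.CertificateKeyUsage;
import com.azure.security.keyvault.certificates.models.CertificateOperation;
import com.azure.security.keyvault.certificates.models.CertificatePolicy;
import com.azure.security.keyvault.certificates.models.CertificatePolicyAction;
import com.azure.security.keyvault.certificates.models.KeyVaultCertificateWithPolicy;
import com.azure.security.keyvault.certificates.models.LifetimeAction;
import com.azure.security.keyvault.certificates.models.SubjectAlternativeNames;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

public class IssueServerCertificate {

    static final String ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Prefers the managed identity in production and falls back to the developer's
     *  Azure CLI login locally; request and response bodies are never written to the log. */
    static CertificateClient buildClient(String vaultUrl) {
        return new CertificateClientBuilder()
            .vaultUrl(vaultUrl)
            .credential(new ChainedTokenCredentialBuilder()
                .addLast(new ManagedIdentityCredentialBuilder().build())
                .addLast(new AzureCliCredentialBuilder().build())
                .build())
            // BASIC logs method, URL and status only; BODY_AND_HEADERS would also log the
            // PKCS12/PEM payload of any import request.
            .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BASIC))
            .buildClient();
    }

    /** TLS server policy: non-exportable RSA-2048 key, serverAuth EKU, 12-month validity,
     *  renewed automatically 30 days before expiry with a freshly generated key pair. */
    static CertificatePolicy serverPolicy(String subject, String... dnsNames) {
        return new CertificatePolicy("Self", subject,
                new SubjectAlternativeNames().setDnsNames(Arrays.asList(dnsNames)))
            .setKeyType(CertificateKeyType.RSA)
            .setKeySize(2048)
            .setExportable(false)   // the private key can never leave the vault
            .setKeyReusable(false)  // renewal generates a new key rather than re-certifying the old one
            .setKeyUsage(CertificateKeyUsage.DIGITAL_SIGNATURE, CertificateKeyUsage.KEY_ENCIPHERMENT)
            .setEnhancedKeyUsage(Arrays.asList(ID_KP_SERVER_AUTH))
            .setContentType(CertificateContentType.PKCS12)
            .setValidityInMonths(12)
            .setLifetimeActions(new LifetimeAction(CertificatePolicyAction.AUTO_RENEW)
                .setDaysBeforeExpiry(30));
    }

    /** Creates the certificate, waits for the operation, then parses the returned DER bytes
     *  with the JDK and checks validity and EKU before anyone depends on the new version. */
    static X509Certificate issueAndVerify(CertificateClient client, String name,
                                          CertificatePolicy policy) throws Exception {
        SyncPoller<CertificateOperation, KeyVaultCertificateWithPolicy> poller =
            client.beginCreateCertificate(name, policy, true, Map.of("owner", "platform-team")); // assumed tag
        poller.waitForCompletion();
        KeyVaultCertificateWithPolicy created = poller.getFinalResult();

        X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(created.getCer()));
        x509.checkValidity(); // throws if the certificate is not yet valid or already expired
        List<String> eku = x509.getExtendedKeyUsage();
        if (eku == null || !eku.contains(ID_KP_SERVER_AUTH)) {
            throw new IllegalStateException("issued certificate lacks the serverAuth EKU");
        }
        System.out.printf("Issued %s (version %s), subject %s, expires %s%n",
            created.getName(), created.getProperties().getVersion(),
            x509.getSubjectX500Principal().getName(), x509.getNotAfter());
        return x509;
    }

    public static void main(String[] args) throws Exception {
        // KEY_VAULT_URL is an assumed environment variable, e.g. https://<vault-name>.vault.azure.net
        CertificateClient client = buildClient(System.getenv("KEY_VAULT_URL"));
        issueAndVerify(client, "api-gateway-tls",
            serverPolicy("CN=api.example.internal", "api.example.internal"));
    }
}
```

The identity running this needs the certificates/create and certificates/get permissions on the vault (and, for renewal, the service itself re-issues under the policy; no client code is involved). If the ManagedIdentityCredential is not available, for example on a developer laptop, the chained credential moves on to the CLI login instead of failing, which is the same fallback behaviour DefaultAzureCredential provides but with an explicit, auditable order.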

Note: For the asynchronous sample, refer to CertificateAsyncClient.



Get a Certificate

The CertificateClient or CertificateAsyncClient can be used to retrieve a certificate from the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously retrieve a certificate from the key vault, using the com.azure.security.keyvault.certificates.CertificateClient#getCertificate(java.lang.String).

 // getCertificate returns the latest version: the public certificate, its properties and its policy. The private key is not returned.
 KeyVaultCertificateWithPolicy certificate = certificateClient.getCertificate("certificateName");
 System.out.printf("Received certificate with name %s, version %s and secret id %s%n",
     certificate.getName(), certificate.getProperties().getVersion(), certificate.getSecretId());
 CertificatePolicy policy = certificate.getPolicy();
 System.out.printf("Certificate policy has subject name %s%n", policy.getSubject());
 
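Retrieving a single certificate is rarely the whole job; what an operator usually wants is to know which certificates in the vault need attention. The following added example (written for this page, not part of the SDK documentation) combines listing with getCertificate to audit a vault: it flags disabled certificates, certificates expired or expiring inside a warning window, policies that allow the private key to be exported, and certificates still signed with SHA-1. The environment variable KEY_VAULT_URL and the 30-day window are assumptions.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.certificates.CertificateClient;
import com.azure.security.keyvault.certificates.CertificateClientBuilder;
import com.azure.security.keyvault.certificates.models.CertificatePolicy;
import com.azure.security.keyvault.certificates.models.CertificateProperties;
import com.azure.security.keyvault.certificates.models.KeyVaultCertificateWithPolicy;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.List;

public class CertificateAudit {

    /** Walks every certificate in the vault and returns one line per finding. */
    static List<String> audit(CertificateClient client, Duration warnWindow) throws Exception {
        List<String> findings = new ArrayList<>();
        OffsetDateTime now = OffsetDateTime.now();
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");

        // listPropertiesOfCertificates returns metadata only (no certificate bytes, no policy),
        // so it stays cheap on large vaults; the full entry is fetched per certificate below.
        for (CertificateProperties props : client.listPropertiesOfCertificates()) {
            String name = props.getName();
            if (Boolean.FALSE.equals(props.isEnabled())) {
                findings.add(name + ": disabled");
                continue;
            }
            OffsetDateTime expires = props.getExpiresOn();
            if (expires == null) {
                findings.add(name + ": no expiry recorded");
            } else if (expires.isBefore(now)) {
                findings.add(name + ": expired on " + expires);
            } else if (expires.isBefore(now.plus(warnWindow))) {
                findings.add(name + ": expires on " + expires + " (inside warning window)");
            }

            // getCertificate returns the current version: DER bytes of the public certificate
            // plus its policy. The private key is never part of this response.
            KeyVaultCertificateWithPolicy cert = client.getCertificate(name);
            CertificatePolicy policy = cert.getPolicy();
            if (policy != null && Boolean.TRUE.equals(policy.isExportable())) {
                findings.add(name + ": policy allows exporting the private key");
            }
            X509Certificate x509 = (X509Certificate) x509Factory
                .generateCertificate(new ByteArrayInputStream(cert.getCer()));
            if (x509.getSigAlgName().toUpperCase().contains("SHA1")) {
                findings.add(name + ": signed with " + x509.getSigAlgName());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // KEY_VAULT_URL is an assumed environment variable, e.g. https://<vault-name>.vault.azure.net
        CertificateClient client = new CertificateClientBuilder()
            .vaultUrl(System.getenv("KEY_VAULT_URL"))
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();
        for (String finding : audit(client, Duration.ofDays(30))) {
            System.out.println(finding);
        }
    }
}
```

The audit only needs the certificates/list and certificates/get permissions; it deliberately never touches the secrets API, so a read-only identity that cannot retrieve private keys is enough to run it.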

Note: For the asynchronous sample, refer to CertificateAsyncClient.



Delete a Certificate

The CertificateClient or CertificateAsyncClient can be used to delete a certificate from the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously delete a certificate from the key vault, using the com.azure.security.keyvault.certificates.CertificateClient#beginDeleteCertificate(java.lang.String) API.

 // Deletion is a long-running operation. On a vault with soft-delete enabled this is a soft delete:
 // the certificate stays recoverable until its scheduled purge date.
 SyncPoller<DeletedCertificate, Void> deleteCertPoller =
     certificateClient.beginDeleteCertificate("certificateName");
 // The DeletedCertificate is accessible as soon as polling begins.
 PollResponse<DeletedCertificate> deleteCertPollResponse = deleteCertPoller.poll();
 System.out.printf("Deleted certificate with name %s and recovery id %s%n",
     deleteCertPollResponse.getValue().getName(), deleteCertPollResponse.getValue().getRecoveryId());
 // Block until the service has finished the delete.
 deleteCertPoller.waitForCompletion();
 
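Because a delete on a soft-delete-enabled vault is reversible, a retirement procedure has three distinct steps with three distinct permissions: delete, recover, and purge. The following added example (written for this page, not taken from the SDK documentation) walks a certificate through them and shows the one failure mode practitioners run into most: a purge that is refused because purge protection is enabled on the vault. The environment variable KEY_VAULT_URL and the certificate name `api-gateway-tls` are assumptions.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.certificates.CertificateClient;
import com.azure.security.keyvault.certificates.CertificateClientBuilder;
import com.azure.security.keyvault.certificates.models.DeletedCertificate;
import com.azure.security.keyvault.certificates.models.KeyVaultCertificateWithPolicy;

public class CertificateRetirement {

    /** Soft-deletes the certificate. It disappears from normal listings immediately but, with
     *  soft-delete enabled on the vault, stays recoverable until its scheduled purge date. */
    static DeletedCertificate retire(CertificateClient client, String name) {
        SyncPoller<DeletedCertificate, Void> poller = client.beginDeleteCertificate(name);
        DeletedCertificate deleted = poller.waitForCompletion().getValue();
        System.out.printf("%s deleted on %s, purge scheduled %s, recovery id %s%n",
            deleted.getName(), deleted.getDeletedOn(), deleted.getScheduledPurgeDate(),
            deleted.getRecoveryId());
        return deleted;
    }

    /** Undoes a soft delete. Fails if the certificate was purged or its retention window passed. */
    static KeyVaultCertificateWithPolicy restore(CertificateClient client, String name) {
        SyncPoller<KeyVaultCertificateWithPolicy, Void> poller =
            client.beginRecoverDeletedCertificate(name);
        return poller.waitForCompletion().getValue();
    }

    /** Permanently destroys a soft-deleted certificate. Requires the separate purge permission
     *  and is refused by the service while purge protection is enabled on the vault; the refusal
     *  is reported instead of swallowed so a cleanup job cannot silently do nothing. */
    static boolean purge(CertificateClient client, String name) {
        try {
            client.purgeDeletedCertificate(name);
            return true;
        } catch (HttpResponseException e) {
            System.out.printf("purge of %s refused: HTTP %d%n",
                name, e.getResponse().getStatusCode());
            return false;
        }
    }

    public static void main(String[] args) {
        CertificateClient client = new CertificateClientBuilder()
            .vaultUrl(System.getenv("KEY_VAULT_URL")) // assumed environment variable
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();

        retire(client, "api-gateway-tls");

        // Everything currently in the recycle bin, with how long each entry stays recoverable.
        for (DeletedCertificate d : client.listDeletedCertificates()) {
            System.out.printf("deleted: %s (purge scheduled %s)%n",
                d.getName(), d.getScheduledPurgeDate());
        }

        // Either bring the certificate back, keeping its versions and policy ...
        KeyVaultCertificateWithPolicy restored = restore(client, "api-gateway-tls");
        System.out.printf("restored %s version %s%n",
            restored.getName(), restored.getProperties().getVersion());

        // ... or, after deleting it again, remove it for good. Under purge protection this
        // returns false and the certificate is destroyed only when the purge date arrives.
        retire(client, "api-gateway-tls");
        boolean purged = purge(client, "api-gateway-tls");
        System.out.println(purged ? "purged" : "left for scheduled purge");
    }
}
```

Treat purge as a break-glass operation: grant the purge permission to an identity used only for that purpose, and leave purge protection on for vaults holding production certificates so that a compromised deploy identity can at most soft-delete, which is recoverable.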

Note: For the asynchronous sample, refer to CertificateAsyncClient.

Classes

CertificateAsyncClient

The CertificateAsyncClient provides asynchronous methods to manage KeyVaultCertificate in the key vault.

CertificateClient

The CertificateClient provides synchronous methods to manage KeyVaultCertificate in the key vault.

CertificateClientBuilder

This class provides a fluent builder API to help aid the configuration and instantiation of the CertificateAsyncClient and CertificateClient, by calling buildAsyncClient() and buildClient() respectively. It constructs an instance of the desired client.

Enums

CertificateServiceVersion

The versions of the Azure Key Vault Certificates service supported by this client library.