New-AzKeyVaultCertificatePolicy

Creates an in-memory certificate policy object.

Syntax

New-AzKeyVaultCertificatePolicy
   [-IssuerName] <String>
   [-SubjectName] <String>
   [-RenewAtNumberOfDaysBeforeExpiry <Int32>]
   [-RenewAtPercentageLifetime <Int32>]
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal]
   [-Disabled]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeySize <Int32>]
   [-KeyNotExportable]
   [-CertificateTransparency <Boolean>]
   [-Curve <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultCertificatePolicy
   [-IssuerName] <String>
   [[-SubjectName] <String>]
   [-DnsName] <System.Collections.Generic.List`1[System.String]>
   [-RenewAtNumberOfDaysBeforeExpiry <Int32>]
   [-RenewAtPercentageLifetime <Int32>]
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal]
   [-Disabled]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeySize <Int32>]
   [-KeyNotExportable]
   [-CertificateTransparency <Boolean>]
   [-Curve <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzKeyVaultCertificatePolicy cmdlet creates an in-memory certificate policy object for Azure Key Vault.

Examples

Example 1: Create a certificate policy

PS C:\> New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal

SecretContentType               : application/x-pkcs12
Kty                             :
KeySize                         : 2048
Curve                           :
Exportable                      :
ReuseKeyOnRenewal               : True
SubjectName                     : CN=contoso.com
DnsNames                        :
KeyUsage                        :
Ekus                            :
ValidityInMonths                : 6
IssuerName                      : Self
CertificateType                 :
RenewAtNumberOfDaysBeforeExpiry :
RenewAtPercentageLifetime       :
EmailAtNumberOfDaysBeforeExpiry :
EmailAtPercentageLifetime       :
CertificateTransparency         :
Enabled                         : True
Created                         :
Updated                         :

This command creates a certificate policy that is valid for six months and reuses the key to renew the certificate.

Example 2

Creates an in-memory certificate policy object. (autogenerated)

 
New-AzKeyVaultCertificatePolicy -IssuerName 'Self' -KeyType RSA -RenewAtNumberOfDaysBeforeExpiry  -SecretContentType application/x-pkcs12 -SubjectName 'CN=contoso.com' -ValidityInMonths 6

Example 3: Create a Subject Alternate Name (or SAN) certificate

PS C:\> New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -DnsName "contoso.com","support.contoso.com","docs.contoso.com" -IssuerName "Self"

SecretContentType               : application/x-pkcs12
Kty                             : RSA
KeySize                         : 2048
Curve                           :
Exportable                      :
ReuseKeyOnRenewal               : False
SubjectName                     : CN=contoso.com
DnsNames                        : {contoso.com, support.contoso.com, docs.contoso.com}
KeyUsage                        :
Ekus                            :
ValidityInMonths                :
IssuerName                      : Self
CertificateType                 :
RenewAtNumberOfDaysBeforeExpiry :
RenewAtPercentageLifetime       :
EmailAtNumberOfDaysBeforeExpiry :
EmailAtPercentageLifetime       :
CertificateTransparency         :
Enabled                         : True
Created                         :
Updated                         :

This example creates a SAN certificate with 3 DNS names.

Parameters

-CertificateTransparency

Indicates whether certificate transparency is enabled for this certificate/issuer; if not specified, the default is 'true'

Type:Nullable<T>[Boolean]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-CertificateType

Specifies the type of certificate to the issuer.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Curve

Specifies the elliptic curve name of the key of the certificate. The acceptable values for this parameter are:

  • P-256
  • P-384
  • P-521
  • P-256K
  • SECP256K1
Type:String
Accepted values:P-256, P-384, P-521, P-256K, SECP256K1
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Disabled

Indicates that the certificate policy is disabled.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-DnsName

Specifies the DNS names in the certificate. Subject Alternative Names (SANs) can be specified as DNS names.

Type:List<T>[String]
Aliases:DnsNames
Position:1
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Ekus

Specifies the enhanced key usages (EKUs) in the certificate.

Type:List<T>[String]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-EmailAtNumberOfDaysBeforeExpiry

Specifies how many days before expiry the automatic notification process begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-EmailAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for the notification begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-IssuerName

Specifies the name of the issuer for the certificate.

Type:String
Position:0
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-KeyNotExportable

Indicates that the key is not exportable.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-KeySize

Specifies the key size of the certificate. The acceptable values for this parameter are:

  • 2048
  • 3072
  • 4096
  • 256
  • 384
  • 521
Type:Int32
Accepted values:2048, 3072, 4096, 256, 384, 521
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-KeyType

Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are:

  • RSA
  • RSA-HSM
  • EC
  • EC-HSM
Type:String
Accepted values:RSA, RSA-HSM, EC, EC-HSM
Position:Named
Default value:RSA
Accept pipeline input:True
Accept wildcard characters:False
-KeyUsage

Specifies the key usages in the certificate.

Type:List<T>[X509KeyUsageFlags]
Accepted values:None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-RenewAtNumberOfDaysBeforeExpiry

Specifies the number of days before expiry after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-RenewAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-ReuseKeyOnRenewal

Indicates that the certificate reuse the key during renewal.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-SecretContentType

Specifies the content type of the new key vault secret. The acceptable values for this parameter are:

  • application/x-pkcs12
  • application/x-pem-file
Type:String
Accepted values:application/x-pkcs12, application/x-pem-file
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-SubjectName

Specifies the subject name of the certificate.

Note

If you must use a comma (,) or a period (.) within a property in the SubjectName parameter, you must enclose the property field in quotation marks. For example, you may use O="Contoso, Ltd." in the Organization Name field.

Type:String
Position:1
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-ValidityInMonths

Specifies the number of months the certificate is valid.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

List<T>[[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

Nullable<T>[[System.Int32, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

SwitchParameter

List<T>[[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags, System.Security.Cryptography.X509Certificates, Version=4.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]]

Outputs

PSKeyVaultCertificatePolicy