New-AzureKeyVaultCertificatePolicy

Creates an in-memory certificate policy object.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

New-AzureKeyVaultCertificatePolicy
   [-IssuerName] <String>
   [-SubjectName] <String>
   [-RenewAtNumberOfDaysBeforeExpiry <Int32>]
   [-RenewAtPercentageLifetime <Int32>]
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal]
   [-Disabled]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeyNotExportable]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzureKeyVaultCertificatePolicy
   [-IssuerName] <String>
   [[-SubjectName] <String>]
   [-DnsName] <System.Collections.Generic.List`1[System.String]>
   [-RenewAtNumberOfDaysBeforeExpiry <Int32>]
   [-RenewAtPercentageLifetime <Int32>]
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal]
   [-Disabled]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeyNotExportable]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzureKeyVaultCertificatePolicy cmdlet creates an in-memory certificate policy object for Azure Key Vault.

Examples

Example 1: Create a certificate policy

PS C:\> New-AzureKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal

SecretContentType               : application/x-pkcs12
Kty                             :
KeySize                         : 2048
Exportable                      :
ReuseKeyOnRenewal               : True
SubjectName                     : CN=contoso.com
DnsNames                        :
KeyUsage                        :
Ekus                            :
ValidityInMonths                : 6
IssuerName                      : Self
CertificateType                 :
RenewAtNumberOfDaysBeforeExpiry :
RenewAtPercentageLifetime       :
EmailAtNumberOfDaysBeforeExpiry :
EmailAtPercentageLifetime       :
CertificateTransparency         :
Enabled                         : True
Created                         :
Updated                         :

This command creates a certificate policy that is valid for six months and reuses the key to renew the certificate.

Parameters

-CertificateType

Specifies the type of certificate to the issuer.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Disabled

Indicates that the certificate policy is disabled.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DnsName

Specifies the DNS names in the certificate.

Type:List<T>[String]
Aliases:DnsNames
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Ekus

Specifies the enhanced key usages (EKUs) in the certificate.

Type:List<T>[String]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-EmailAtNumberOfDaysBeforeExpiry

Specifies how many days before expiry the automatic notification process begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-EmailAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for the notification begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-IssuerName

Specifies the name of the issuer for the certificate.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-KeyNotExportable

Indicates that the key is not exportable.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-KeyType

Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are:

  • RSA
  • RSA-HSM
Type:String
Accepted values:RSA, RSA-HSM
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-KeyUsage

Specifies the key usages in the certificate.

Type:List<T>[X509KeyUsageFlags]
Accepted values:None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-RenewAtNumberOfDaysBeforeExpiry

Specifies the number of days before expiry after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-RenewAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ReuseKeyOnRenewal

Indicates that the certificate reuse the key during renewal.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SecretContentType

Specifies the content type of the new key vault secret. The acceptable values for this parameter are:

  • application/x-pkcs12
  • application/x-pem-file
Type:String
Accepted values:application/x-pkcs12, application/x-pem-file
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SubjectName

Specifies the subject name of the certificate.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ValidityInMonths

Specifies the number of months the certificate is valid.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

List<T>[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]

Nullable<T>[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]

SwitchParameter

List<T>[[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]

Outputs

PSKeyVaultCertificatePolicy