Set-AzureKeyVaultCertificatePolicy

Creates or updates the policy for a certificate in a key vault.

Important

Because Az PowerShell modules now have all the capabilities of AzureRM PowerShell modules and more, we'll retire AzureRM PowerShell modules on 29 February 2024.

To avoid service interruptions, update your scripts that use AzureRM PowerShell modules to use Az PowerShell modules by 29 February 2024. To automatically update your scripts, follow the quickstart guide.

Syntax

Set-AzureKeyVaultCertificatePolicy
   [-VaultName] <String>
   [-Name] <String>
   [-RenewAtPercentageLifetime <Int32>]
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal <Boolean>]
   [-Disabled]
   [-SubjectName <String>]
   [-DnsName <System.Collections.Generic.List`1[System.String]>]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-IssuerName <String>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeyNotExportable]
   [-CertificateTransparency <Boolean>]
   [-PassThru]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzureKeyVaultCertificatePolicy
   [-VaultName] <String>
   [-Name] <String>
   [-InputObject] <PSKeyVaultCertificatePolicy>
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-CertificateTransparency <Boolean>]
   [-PassThru]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzureKeyVaultCertificatePolicy
   [-VaultName] <String>
   [-Name] <String>
   -RenewAtNumberOfDaysBeforeExpiry <Int32>
   [-SecretContentType <String>]
   [-ReuseKeyOnRenewal <Boolean>]
   [-Disabled]
   [-SubjectName <String>]
   [-DnsName <System.Collections.Generic.List`1[System.String]>]
   [-KeyUsage <System.Collections.Generic.List`1[System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]>]
   [-Ekus <System.Collections.Generic.List`1[System.String]>]
   [-ValidityInMonths <Int32>]
   [-IssuerName <String>]
   [-CertificateType <String>]
   [-EmailAtNumberOfDaysBeforeExpiry <Int32>]
   [-EmailAtPercentageLifetime <Int32>]
   [-KeyType <String>]
   [-KeyNotExportable]
   [-CertificateTransparency <Boolean>]
   [-PassThru]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-AzureKeyVaultCertificatePolicy cmdlet creates or updates the policy for a certificate in a key vault.

Examples

Example 1: Set a certificate policy

PS C:\> Set-AzureKeyVaultCertificatePolicy -VaultName "ContosoKV01" -Name "TestCert01" -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal $True -PassThru

SecretContentType               : application/x-pkcs12
Kty                             :
KeySize                         : 2048
Exportable                      :
ReuseKeyOnRenewal               : True
SubjectName                     : CN=contoso.com
DnsNames                        :
KeyUsage                        :
Ekus                            :
ValidityInMonths                : 6
IssuerName                      : Self
CertificateType                 :
RenewAtNumberOfDaysBeforeExpiry :
RenewAtPercentageLifetime       :
EmailAtNumberOfDaysBeforeExpiry :
EmailAtPercentageLifetime       :
CertificateTransparency         :
Enabled                         : True
Created                         :
Updated                         :

This command sets the policy for the TestCert01 certificate in the ContosoKV01 key vault.

Parameters

-CertificateTransparency

Indicates whether certificate transparency is enabled for this certificate/issuer; if not specified, the default is 'true'

Type:Nullable<T>[Boolean]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CertificateType

Specifies the type of certificate to the issuer.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Disabled

Indicates that the certificate policy is disabled.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DnsName

Specifies the subject name of the certificate.

Type:List<T>[String]
Aliases:DnsNames
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Ekus

Specifies the enhanced key usages (EKUs) in the certificate.

Type:List<T>[String]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EmailAtNumberOfDaysBeforeExpiry

Specifies the number of days before expiration when automatic renewal should start.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EmailAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for the notification begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-InputObject

Specifies the certificate policy.

Type:PSKeyVaultCertificatePolicy
Aliases:CertificatePolicy
Position:2
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-IssuerName

Specifies the name of the issuer for this certificate.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-KeyNotExportable

Indicates that the key is not exportable.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-KeyType

Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are:

  • RSA
  • RSA-HSM
Type:String
Accepted values:RSA, RSA-HSM
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-KeyUsage

Specifies the key usages in the certificate.

Type:List<T>[X509KeyUsageFlags]
Accepted values:None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Name

Specifies the name of the certificate.

Type:String
Aliases:CertificateName
Position:1
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RenewAtNumberOfDaysBeforeExpiry

Specifies the number of days before expiry after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RenewAtPercentageLifetime

Specifies the percentage of the lifetime after which the automatic process for certificate renewal begins.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ReuseKeyOnRenewal

Indicates that the certificate reuse the key during renewal.

Type:Nullable<T>[Boolean]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SecretContentType

Specifies the content type of the new key vault secret. The acceptable values for this parameter are:

  • application/x-pkcs12
  • application/x-pem-file
Type:String
Accepted values:application/x-pkcs12, application/x-pem-file
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SubjectName

Specifies the subject name of the certificate.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ValidityInMonths

Specifies the number of months the certificate is valid.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-VaultName

Specifies the name of a key vault.

Type:String
Position:0
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSKeyVaultCertificatePolicy

Outputs

PSKeyVaultCertificatePolicy