CertificateClient Class
A high-level asynchronous interface for managing a vault's certificates.
- Inheritance
-
azure.keyvault.certificates._shared.async_client_base.AsyncKeyVaultClientBaseCertificateClient
Constructor
CertificateClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)Parameters
| Name | Description |
|---|---|
|
vault_url
Required
|
URL of the vault the client will access. This is also called the vault's "DNS Name". You should validate that this URL references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details. |
|
credential
Required
|
An object which can provide an access token for the vault, such as a credential from aio |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
api_version
|
ApiVersion or
str
Version of the service API to use. Defaults to the most recent. |
|
verify_challenge_resource
|
Whether to verify the authentication challenge resource matches the Key Vault domain. Defaults to True. |
Methods
| backup_certificate |
Back up a certificate in a protected form useable only by Azure Key Vault. Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region. |
| cancel_certificate_operation |
Cancels an in-progress certificate operation. Requires the certificates/update permission. |
| close |
Close sockets opened by the client. Calling this method is unnecessary when using the client as a context manager. |
| create_certificate |
Creates a new certificate. If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission, otherwise raises an HttpResponseError. |
| create_issuer |
Sets the specified certificate issuer. Requires certificates/setissuers permission. |
| delete_certificate |
Delete all versions of a certificate. Requires certificates/delete permission. If the vault has soft-delete enabled, deletion may take several seconds to complete. |
| delete_certificate_operation |
Deletes and stops the creation operation for a specific certificate. Requires the certificates/update permission. |
| delete_contacts |
Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission. |
| delete_issuer |
Deletes the specified certificate issuer. Requires certificates/manageissuers/deleteissuers permission. |
| get_certificate |
Gets a certificate with its management policy attached. Requires certificates/get permission. Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call get_certificate_version. |
| get_certificate_operation |
Gets the creation operation of a certificate. Requires the certificates/get permission. |
| get_certificate_policy |
Gets the policy for a certificate. Requires certificates/get permission. Returns the specified certificate policy resources in the key vault. |
| get_certificate_version |
Gets a specific version of a certificate without returning its management policy. Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate's policy as well, call get_certificate. |
| get_contacts |
Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission. |
| get_deleted_certificate |
Get a deleted certificate. Possible only in a vault with soft-delete enabled. Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level. |
| get_issuer |
Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission. |
| import_certificate |
Import a certificate created externally. Requires certificates/import permission. Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be
imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the
key as well as x509 certificates, and you must provide a |
| list_deleted_certificates |
Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled. Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. |
| list_properties_of_certificate_versions |
List the identifiers and properties of a certificate's versions. Requires certificates/list permission. |
| list_properties_of_certificates |
List identifiers and properties of all certificates in the vault. Requires certificates/list permission. |
| list_properties_of_issuers |
Lists properties of the certificate issuers for the key vault. Requires the certificates/manageissuers/getissuers permission. |
| merge_certificate |
Merges a certificate or a certificate chain with a key pair existing on the server. Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using <xref:azure.keyvault.certificates.aio.begin_create_certificate> that you set its issuer to 'Unknown'. This way Key Vault knows that the certificate will not be signed by an issuer known to it. |
| purge_deleted_certificate |
Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled. Requires certificates/purge permission. Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a certificate before its scheduled_purge_date. |
| recover_deleted_certificate |
Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled. Requires certificates/recover permission. If the vault does not have soft-delete enabled, delete_certificate is permanent, and this method will raise an error. Attempting to recover a non-deleted certificate will also raise an error. |
| restore_certificate_backup |
Restore a certificate backup to the vault. Requires certificates/restore permission. This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault. |
| send_request |
Runs a network request using the client's existing pipeline. The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. |
| set_contacts |
Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission. |
| update_certificate_policy |
Updates the policy for a certificate. Requires certificates/update permission. Set specified members in the certificate policy. Leaves others as null. |
| update_certificate_properties |
Change a certificate's properties. Requires certificates/update permission. |
| update_issuer |
Updates the specified certificate issuer. Requires certificates/setissuers permission. |
backup_certificate
Back up a certificate in a protected form useable only by Azure Key Vault.
Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
async backup_certificate(certificate_name: str, **kwargs: Any) -> bytesParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The backup blob containing the backed up certificate. |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
cancel_certificate_operation
Cancels an in-progress certificate operation. Requires the certificates/update permission.
async cancel_certificate_operation(certificate_name: str, **kwargs: Any) -> CertificateOperationParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The cancelled certificate operation |
Exceptions
| Type | Description |
|---|---|
close
Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
async close() -> NoneExceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
create_certificate
Creates a new certificate.
If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission, otherwise raises an HttpResponseError.
async create_certificate(certificate_name: str, policy: CertificatePolicy, **kwargs: Any) -> KeyVaultCertificate | CertificateOperationParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
|
policy
Required
|
The management policy for the certificate. Either subject or one of the subject alternative name properties are required. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the certificate is enabled for use. |
|
tags
|
Application specific metadata in the form of key-value pairs. |
Returns
| Type | Description |
|---|---|
|
A coroutine for the creation of the certificate. Awaiting the coroutine returns the created KeyVaultCertificate if creation is successful, or the CertificateOperation if not. |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate policy is invalid; the latter for other errors |
create_issuer
Sets the specified certificate issuer. Requires certificates/setissuers permission.
async create_issuer(issuer_name: str, provider: str, **kwargs: Any) -> CertificateIssuerParameters
| Name | Description |
|---|---|
|
issuer_name
Required
|
The name of the issuer. |
|
provider
Required
|
The issuer provider. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the issuer is enabled for use. |
|
account_id
|
The user name/account name/account id. |
|
password
|
The password/secret/account key. |
|
organization_id
|
Id of the organization |
|
admin_contacts
|
Contact details of the organization administrators of the certificate issuer. |
Returns
| Type | Description |
|---|---|
|
The created CertificateIssuer |
Exceptions
| Type | Description |
|---|---|
delete_certificate
Delete all versions of a certificate. Requires certificates/delete permission.
If the vault has soft-delete enabled, deletion may take several seconds to complete.
async delete_certificate(certificate_name: str, **kwargs: Any) -> DeletedCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The deleted certificate |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
delete_certificate_operation
Deletes and stops the creation operation for a specific certificate.
Requires the certificates/update permission.
async delete_certificate_operation(certificate_name: str, **kwargs: Any) -> CertificateOperationParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The deleted CertificateOperation |
Exceptions
| Type | Description |
|---|---|
|
the former if the operation doesn't exist; the latter for other errors |
delete_contacts
Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
async delete_contacts(**kwargs: Any) -> List[CertificateContact]Returns
| Type | Description |
|---|---|
|
The deleted contacts for the key vault. |
Exceptions
| Type | Description |
|---|---|
delete_issuer
Deletes the specified certificate issuer.
Requires certificates/manageissuers/deleteissuers permission.
async delete_issuer(issuer_name: str, **kwargs: Any) -> CertificateIssuerParameters
| Name | Description |
|---|---|
|
issuer_name
Required
|
The name of the issuer. |
Returns
| Type | Description |
|---|---|
|
CertificateIssuer |
Exceptions
| Type | Description |
|---|---|
get_certificate
Gets a certificate with its management policy attached. Requires certificates/get permission.
Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call get_certificate_version.
async get_certificate(certificate_name: str, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate in the given vault. |
Returns
| Type | Description |
|---|---|
|
An instance of KeyVaultCertificate |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
get_certificate_operation
Gets the creation operation of a certificate. Requires the certificates/get permission.
async get_certificate_operation(certificate_name: str, **kwargs: Any) -> CertificateOperationParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The created CertificateOperation |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
get_certificate_policy
Gets the policy for a certificate. Requires certificates/get permission.
Returns the specified certificate policy resources in the key vault.
async get_certificate_policy(certificate_name: str, **kwargs: Any) -> CertificatePolicyParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate in a given key vault. |
Returns
| Type | Description |
|---|---|
|
The certificate policy |
Exceptions
| Type | Description |
|---|---|
get_certificate_version
Gets a specific version of a certificate without returning its management policy.
Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate's policy as well, call get_certificate.
async get_certificate_version(certificate_name: str, version: str, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate in the given vault. |
|
version
Required
|
The version of the certificate. |
Returns
| Type | Description |
|---|---|
|
An instance of KeyVaultCertificate |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
get_contacts
Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
async get_contacts(**kwargs: Any) -> List[CertificateContact]Returns
| Type | Description |
|---|---|
|
The certificate contacts for the key vault. |
Exceptions
| Type | Description |
|---|---|
get_deleted_certificate
Get a deleted certificate. Possible only in a vault with soft-delete enabled.
Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.
async get_deleted_certificate(certificate_name: str, **kwargs: Any) -> DeletedCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
The deleted certificate |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
get_issuer
Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission.
async get_issuer(issuer_name: str, **kwargs: Any) -> CertificateIssuerParameters
| Name | Description |
|---|---|
|
issuer_name
Required
|
The name of the issuer. |
Returns
| Type | Description |
|---|---|
|
The specified certificate issuer. |
Exceptions
| Type | Description |
|---|---|
|
the former if the issuer doesn't exist; the latter for other errors |
import_certificate
Import a certificate created externally. Requires certificates/import permission.
Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be
imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the
key as well as x509 certificates, and you must provide a policy with
content_type of
pem.
async import_certificate(certificate_name: str, certificate_bytes: bytes, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
|
certificate_bytes
Required
|
Bytes of the certificate object to import. This certificate needs to contain the private key. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the certificate is enabled for use. |
|
tags
|
Application specific metadata in the form of key-value pairs. |
|
password
|
If the private key in the passed in certificate is encrypted, it is the password used for encryption. |
|
policy
|
The management policy for the certificate. Required if importing a PEM-format certificate, with content_type set to pem. |
Returns
| Type | Description |
|---|---|
|
The imported KeyVaultCertificate |
Exceptions
| Type | Description |
|---|---|
list_deleted_certificates
Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled.
Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.
list_deleted_certificates(*, include_pending: bool | None = None, **kwargs: Any) -> AsyncItemPaged[DeletedCertificate]Keyword-Only Parameters
| Name | Description |
|---|---|
|
include_pending
|
Specifies whether to include certificates which are not completely deleted. Only available for API versions v7.0 and up. If not provided, Key Vault treats this as False. |
Returns
| Type | Description |
|---|---|
|
An iterator-like instance of DeletedCertificate |
Exceptions
| Type | Description |
|---|---|
list_properties_of_certificate_versions
List the identifiers and properties of a certificate's versions.
Requires certificates/list permission.
list_properties_of_certificate_versions(certificate_name: str, **kwargs: Any) -> AsyncItemPaged[CertificateProperties]Parameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate. |
Returns
| Type | Description |
|---|---|
|
An iterator-like instance of CertificateProperties |
Exceptions
| Type | Description |
|---|---|
list_properties_of_certificates
List identifiers and properties of all certificates in the vault.
Requires certificates/list permission.
list_properties_of_certificates(*, include_pending: bool | None = None, **kwargs: Any) -> AsyncItemPaged[CertificateProperties]Keyword-Only Parameters
| Name | Description |
|---|---|
|
include_pending
|
Specifies whether to include certificates which are not completely provisioned. Only available for API versions v7.0 and up. If not provided, Key Vault treats this as False. |
Returns
| Type | Description |
|---|---|
|
An iterator-like instance of CertificateProperties |
Exceptions
| Type | Description |
|---|---|
list_properties_of_issuers
Lists properties of the certificate issuers for the key vault.
Requires the certificates/manageissuers/getissuers permission.
list_properties_of_issuers(**kwargs: Any) -> AsyncItemPaged[IssuerProperties]Returns
| Type | Description |
|---|---|
|
An iterator-like instance of Issuers |
Exceptions
| Type | Description |
|---|---|
merge_certificate
Merges a certificate or a certificate chain with a key pair existing on the server.
Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using <xref:azure.keyvault.certificates.aio.begin_create_certificate> that you set its issuer to 'Unknown'. This way Key Vault knows that the certificate will not be signed by an issuer known to it.
async merge_certificate(certificate_name: str, x509_certificates: List[bytes], **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate |
|
x509_certificates
Required
|
The certificate or the certificate chain to merge. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the certificate is enabled for use. |
|
tags
|
Application specific metadata in the form of key-value pairs. |
Returns
| Type | Description |
|---|---|
|
The merged certificate operation |
Exceptions
| Type | Description |
|---|---|
purge_deleted_certificate
Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled.
Requires certificates/purge permission. Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a certificate before its scheduled_purge_date.
async purge_deleted_certificate(certificate_name: str, **kwargs: Any) -> NoneParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate |
Returns
| Type | Description |
|---|---|
|
None |
Exceptions
| Type | Description |
|---|---|
recover_deleted_certificate
Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled.
Requires certificates/recover permission. If the vault does not have soft-delete enabled, delete_certificate is permanent, and this method will raise an error. Attempting to recover a non-deleted certificate will also raise an error.
async recover_deleted_certificate(certificate_name: str, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the deleted certificate |
Returns
| Type | Description |
|---|---|
|
The recovered certificate |
Exceptions
| Type | Description |
|---|---|
restore_certificate_backup
Restore a certificate backup to the vault. Requires certificates/restore permission.
This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
async restore_certificate_backup(backup: bytes, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
backup
Required
|
The backup blob associated with a certificate bundle. |
Returns
| Type | Description |
|---|---|
|
The restored KeyVaultCertificate |
Exceptions
| Type | Description |
|---|---|
send_request
Runs a network request using the client's existing pipeline.
The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.
async send_request(request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> Awaitable[AsyncHttpResponse]Parameters
| Name | Description |
|---|---|
|
request
Required
|
The network request you want to make. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
stream
|
Whether the response payload will be streamed. Defaults to False. |
Returns
| Type | Description |
|---|---|
|
The response of your network call. Does not do error handling on your response. |
Exceptions
| Type | Description |
|---|---|
|
the former if the certificate doesn't exist; the latter for other errors |
set_contacts
Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission.
async set_contacts(contacts: List[CertificateContact], **kwargs: Any) -> List[CertificateContact]Parameters
| Name | Description |
|---|---|
|
contacts
Required
|
The contact list for the vault certificates. |
Returns
| Type | Description |
|---|---|
|
The created list of contacts |
Exceptions
| Type | Description |
|---|---|
update_certificate_policy
Updates the policy for a certificate. Requires certificates/update permission.
Set specified members in the certificate policy. Leaves others as null.
async update_certificate_policy(certificate_name: str, policy: CertificatePolicy, **kwargs: Any) -> CertificatePolicyParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate in the given vault. |
|
policy
Required
|
The policy for the certificate. |
Returns
| Type | Description |
|---|---|
|
The certificate policy |
Exceptions
| Type | Description |
|---|---|
update_certificate_properties
Change a certificate's properties. Requires certificates/update permission.
async update_certificate_properties(certificate_name: str, version: str | None = None, **kwargs: Any) -> KeyVaultCertificateParameters
| Name | Description |
|---|---|
|
certificate_name
Required
|
The name of the certificate in the given key vault. |
|
version
Required
|
The version of the certificate. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the certificate is enabled for use. |
|
tags
|
Application specific metadata in the form of key-value pairs. |
Returns
| Type | Description |
|---|---|
|
The updated KeyVaultCertificate |
Exceptions
| Type | Description |
|---|---|
update_issuer
Updates the specified certificate issuer. Requires certificates/setissuers permission.
async update_issuer(issuer_name: str, **kwargs: Any) -> CertificateIssuerParameters
| Name | Description |
|---|---|
|
issuer_name
Required
|
The name of the issuer. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
enabled
|
Whether the issuer is enabled for use. |
|
provider
|
The issuer provider |
|
account_id
|
The user name/account name/account id. |
|
password
|
The password/secret/account key. |
|
organization_id
|
Id of the organization |
|
admin_contacts
|
Contact details of the organization administrators of the certificate issuer |
Returns
| Type | Description |
|---|---|
|
The updated issuer |
Exceptions
| Type | Description |
|---|---|
Attributes
vault_url
Azure SDK for Python
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for