Import Certificate

Service:: Key Vault

API Version:: 2016-10-01

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates.

Following is an example of a supported PEM file format. The file must contain the private key and at least one of x509 certificate corresponding to the private key of the x509 certificate chain.

   -----BEGIN PRIVATE KEY-----
       ...
   -----END PRIVATE KEY-----

   -----BEGIN CERTIFICATE-----
       ...
   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----
       ...
   -----END CERTIFICATE-----

The private key may be encrypted in which case the private key will be inside encrypted private key markers as follows:

  -----BEGIN ENCRYPTED PRIVATE KEY-----
       ...
  -----END ENCRYPTED PRIVATE KEY-----

The following PBE SHA1 encryption algorithms, outlined in RFC7292 - PKCS #12, are supported with an encrypted private key:

pbeWithSha1And128BitRc2
pbeWithSha1And128BitRc4
pbeWithSha1And2KeyTripleDes
pbeWithSha1And3KeyTripleDes
pbeWithSha1And40BitRc2
pbeWithSha1And40BitRc

Policy is optional and assumes import of a PFX file. If importing a PEM file, specify the contentType as application/x-pem-file.

[!NOTE] When a certificate is imported without a specified policy or with a policy that does not have issuer or lifetime action fields specified, the issuer field is set to unknown and the lifetime actions field is set to EmailContacts. This policy can be modified to AutoRenew with a named issuer by patching the policy.

See Common parameters and headers for headers and parameters that are used by all requests.

In your request:

Replace {certificate-name} with the name of the certificate you want created.

For more information, see About keys, secrets, and certificates and Authentication, requests and responses.

POST https://{vaultBaseUrl}/certificates/{certificate-name}/import?api-version={api-version}

URI Parameters

Name In Required Type Description

Name	In	Required	Type	Description
vaultBaseUrl	path	True	string	The vault name, for example https://myvault.vault.azure.net.
certificate-name	path	True	string	The name of the certificate. Regex pattern: `^[0-9a-zA-Z-]+$`
api-version	query	True	string	Use the latest service version, 2016-10-01.

vaultBaseUrl

path

True

string

The vault name, for example https://myvault.vault.azure.net.

certificate-name

path

True

string

The name of the certificate.

Regex pattern: ^[0-9a-zA-Z-]+$

api-version

query

True

string

Use the latest service version, 2016-10-01.

Request Body

Name	Required	Type	Description
attributes		CertificateAttributes	The attributes of the certificate (optional).
policy		CertificatePolicy	The management policy for the certificate.
pwd		string	If the private key in base64EncodedCertificate is encrypted, the password used for encryption.
tags		<string, string>	Application specific metadata in the form of key-value pairs.
value	True	string	Base64 encoded representation of the certificate object to import. This certificate needs to contain the private key.

Responses

Name	Type	Description
200 OK	CertificateBundle	Imported certificate bundle to the vault.
Other Status Codes	KeyVaultError	Key Vault error response describing why the operation failed.

Definitions

Action	The action that will be executed.
CertificateAttributes	The certificate attributes.
CertificateBundle
CertificatePolicy	The management policy for the certificate.
Error	The key vault server error.
IssuerParameters	Parameters for the issuer of the X509 component of a certificate.
KeyProperties	Properties of the key backing a certificate.
KeyVaultError
LifetimeAction	Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.
SecretProperties	Properties of the secret backing a certificate.
SubjectAlternativeNames	The subject alternative names.
Trigger	The condition that will execute the action.
X509CertificateProperties	Properties of the X509 component of a certificate.

Action

The action that will be executed.

Name	Type	Description
action_type	enum: EmailContacts AutoRenew	The type of the action.

CertificateAttributes

The certificate attributes.

Name	Type	Description
created	integer unixtime	Creation time in UTC.
enabled	boolean	Determines whether the object is enabled.
exp	integer unixtime	Expiry date in UTC.
nbf	integer unixtime	Not before date in UTC.
recoveryLevel	enum: Purgeable Recoverable+Purgeable Recoverable Recoverable+ProtectedSubscription	Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.
updated	integer unixtime	Last updated time in UTC.

CertificateBundle

Name	Type	Description
attributes	CertificateAttributes	The certificate attributes.
cer	string byte	CER contents of x509 certificate.
contentType	string	The content type of the secret.
id	string	The certificate id.
kid	string	The key id.
policy	CertificatePolicy	The management policy.
sid	string	The secret id.
tags	<string, string>	Application specific metadata in the form of key-value pairs
x5t	string base64url	Thumbprint of the certificate.

CertificatePolicy

The management policy for the certificate.

Name	Type	Description
attributes	CertificateAttributes	The certificate attributes.
id	string	The certificate id.
issuer	IssuerParameters	Parameters for the issuer of the X509 component of a certificate.
key_props	KeyProperties	Properties of the key backing a certificate.
lifetime_actions	LifetimeAction[]	Actions that will be performed by Key Vault over the lifetime of a certificate.
secret_props	SecretProperties	Properties of the secret backing a certificate.
x509_props	X509CertificateProperties	Properties of the X509 component of a certificate.

Error

The key vault server error.

Name	Type	Description
code	string	The error code.
innererror
message	string	The error message.

IssuerParameters

Parameters for the issuer of the X509 component of a certificate.

Name	Type	Description
cty	string	Type of certificate to be requested from the issuer provider.
name	string	Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'.

KeyProperties

Properties of the key backing a certificate.

Name	Type	Description
exportable	boolean	Indicates if the private key can be exported.
key_size	integer int32	The key size in bytes. For example; 1024 or 2048.
kty	string	The key type.
reuse_key	boolean	Indicates if the same key pair will be used on certificate renewal.

KeyVaultError

Name	Type	Description
error	Error	The key vault server error.

LifetimeAction

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

Name	Type	Description
action	Action	The action that will be executed.
trigger	Trigger	The condition that will execute the action.

SecretProperties

Properties of the secret backing a certificate.

Name	Type	Description
contentType	string	The media type (MIME type).

SubjectAlternativeNames

The subject alternative names.

Name	Type	Description
dns_names	string[]	Domain names.
emails	string[]	Email addresses.
upns	string[]	User principal names.

Trigger

The condition that will execute the action.

Name	Type	Description
days_before_expiry	integer int32	Days before expiry.
lifetime_percentage	integer int32	Percentage of lifetime at which to trigger. Value should be between 1 and 99.

X509CertificateProperties

Properties of the X509 component of a certificate.

Name	Type	Description
ekus	string[]	The enhanced key usage.
key_usage	string[]	List of key usages.
sans	SubjectAlternativeNames	The subject alternative names.
subject	string	The subject name. Should be a valid X509 distinguished Name.
validity_months	integer int32	The duration that the ceritifcate is valid in months.