Quickstart: Azure Key Vault certificate client library for JavaScript (version 4)

Get started with the Azure Key Vault certificate client library for JavaScript. Azure Key Vault is a cloud service that provides a secure store for certificates. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you learn how to create, retrieve, and delete certificates from an Azure key vault using the JavaScript client library

Key Vault client library resources:

API reference documentation | Library source code | Package (npm)

For more information about Key Vault and certificates, see:

• Key Vault Overview
• Certificates Overview

Prerequisites

• An Azure subscription - create one for free.
• Current Node.js LTS.
• Azure CLI
• An existing Key Vault - you can create one using:
  • Azure CLI
  • Azure portal
  • Azure PowerShell

This quickstart assumes you are running Azure CLI.

Sign in to Azure

1. Run the login command.

   az login
   

   If the CLI can open your default browser, it will do so and load an Azure sign-in page.

   Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

2. Sign in with your account credentials in the browser.

Create new Node.js application

Create a Node.js application that uses your key vault.

1. In a terminal, create a folder named key-vault-node-app and change into that folder:

   mkdir key-vault-node-app && cd key-vault-node-app
   

2. Initialize the Node.js project:

   npm init -y
   

Install Key Vault packages

1. Using the terminal, install the Azure Key Vault secrets library, @azure/keyvault-certificates for Node.js.

   npm install @azure/keyvault-certificates
   

2. Install the Azure Identity library, @azure/identity package to authenticate to a Key Vault.

   npm install @azure/identity
   

Grant access to your key vault

Create an access policy for your key vault that grants key permissions to your user account

az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --key-permissions delete get list create purge

Set environment variables

This application is using key vault name as an environment variable called KEY_VAULT_NAME.

Windows

set KEY_VAULT_NAME=<your-key-vault-name>

Windows PowerShell

$Env:KEY_VAULT_NAME="<your-key-vault-name>"

macOS or Linux

export KEY_VAULT_NAME=<your-key-vault-name>

Code example

The code samples below will show you how to create a client, set a certificate, retrieve a certificate, and delete a certificate.

Set up the app framework

1. Create new text file and paste the following code into the index.js file.

   const { CertificateClient, DefaultCertificatePolicy } = require("@azure/keyvault-certificates");
   const { DefaultAzureCredential } = require("@azure/identity");
   
   async function main() {
     // If you're using MSI, DefaultAzureCredential should "just work".
     // Otherwise, DefaultAzureCredential expects the following three environment variables:
     // - AZURE_TENANT_ID: The tenant ID in Azure Active Directory
     // - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
     // - AZURE_CLIENT_SECRET: The client secret for the registered application
     const url = process.env["AZURE_KEY_VAULT_URI"] || "<keyvault-url>";
     const credential = new DefaultAzureCredential();
   
     const keyVaultName = process.env["KEY_VAULT_NAME"];
     const url = "https://" + keyVaultName + ".vault.azure.net";
   
     const client = new CertificateClient(url, credential);
   
     const uniqueString = new Date().getTime();
     const certificateName = `cert${uniqueString}`;
   
     // Creating a self-signed certificate
     const createPoller = await client.beginCreateCertificate(
       certificateName,
       DefaultCertificatePolicy
     );
   
     const pendingCertificate = createPoller.getResult();
     console.log("Certificate: ", pendingCertificate);
   
     // To read a certificate with their policy:
     let certificateWithPolicy = await client.getCertificate(certificateName);
     // Note: It will always read the latest version of the certificate.
   
     console.log("Certificate with policy:", certificateWithPolicy);
   
     // To read a certificate from a specific version:
     const certificateFromVersion = await client.getCertificateVersion(
       certificateName,
       certificateWithPolicy.properties.version
     );
     // Note: It will not retrieve the certificate's policy.
     console.log("Certificate from a specific version:", certificateFromVersion);
   
     const updatedCertificate = await client.updateCertificateProperties(certificateName, "", {
       tags: {
         customTag: "value"
       }
     });
     console.log("Updated certificate:", updatedCertificate);
   
     // Updating the certificate's policy:
     await client.updateCertificatePolicy(certificateName, {
       issuerName: "Self",
       subject: "cn=MyOtherCert"
     });
     certificateWithPolicy = await client.getCertificate(certificateName);
     console.log("updatedCertificate certificate's policy:", certificateWithPolicy.policy);
   
     // delete certificate
     const deletePoller = await client.beginDeleteCertificate(certificateName);
     const deletedCertificate = await deletePoller.pollUntilDone();
     console.log("Recovery Id: ", deletedCertificate.recoveryId);
     console.log("Deleted Date: ", deletedCertificate.deletedOn);
     console.log("Scheduled Purge Date: ", deletedCertificate.scheduledPurgeDate);
   }
   
   main().catch((error) => {
     console.error("An error occurred:", error);
     process.exit(1);
   });
   

Run the sample application

1. Run the app:

   node index.js
   

2. The create and get methods return a full JSON object for the certificate:

   {
     "keyId": undefined,
     "secretId": undefined,
     "name": "YOUR-CERTIFICATE-NAME",
       "reuseKey": false,
       "keyCurveName": undefined,
       "exportable": true,
       "issuerName": 'Self',
       "certificateType": undefined,
       "certificateTransparency": undefined
     },
     "properties": {
       "createdOn": 2021-11-29T20:17:45.000Z,
       "updatedOn": 2021-11-29T20:17:45.000Z,
       "expiresOn": 2022-11-29T20:17:45.000Z,
       "id": "https://YOUR-KEY-VAULT-NAME.vault.azure.net/certificates/YOUR-CERTIFICATE-NAME/YOUR-CERTIFICATE-VERSION",
       "enabled": false,
       "notBefore": 2021-11-29T20:07:45.000Z,
       "recoveryLevel": "Recoverable+Purgeable",
       "name": "YOUR-CERTIFICATE-NAME",
       "vaultUrl": "https://YOUR-KEY-VAULT-NAME.vault.azure.net",
       "version": "YOUR-CERTIFICATE-VERSION",
       "tags": undefined,
       "x509Thumbprint": undefined,
       "recoverableDays": 90
     }
   }
   

Integrating with App Configuration

The Azure SDK provides a helper method, parseKeyVaultCertificateIdentifier, to parse the given Key Vault certificate ID. This is necessary if you use App Configuration references to Key Vault. App Config stores the Key Vault certificate ID. You need the parseKeyVaultCertificateIdentifier method to parse that ID to get the certificate name. Once you have the certificate name, you can get the current certificate using code from this quickstart.

Next steps

In this quickstart, you created a key vault, stored a certificate, and retrieved that certificate. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.

• Read an Overview of Azure Key Vault
• Read an Overview of certificates
• See an Access Key Vault from App Service Application Tutorial
• See an Access Key Vault from Virtual Machine Tutorial
• See the Azure Key Vault developer's guide
• Review the Key Vault security overview