CertificateClient Class
A high-level interface for managing a vault's certificates.
- Inheritance
- azure.keyvault.certificates._shared.client_base.KeyVaultClientBase -> CertificateClient
Constructor
CertificateClient(vault_url, credential, **kwargs)
Parameters
- vault_url
- str
URL of the vault the client will access. This is also called the vault's "DNS Name".
- credential
An object which can provide an access token for the vault, such as a credential from azure.identity
Examples
Create a new CertificateClient
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
# vault_url is the vault's "DNS Name"; replace the placeholder with your own vault
vault_url = "https://<your-vault-name>.vault.azure.net/"
# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url=vault_url, credential=credential)
Methods
backup_certificate | Back up a certificate in a protected form useable only by Azure Key Vault. Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
begin_create_certificate | Creates a new certificate. If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission, otherwise raises an HttpResponseError.
begin_delete_certificate | Delete all versions of a certificate. Requires certificates/delete permission. When this method returns Key Vault has begun deleting the certificate. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
begin_recover_deleted_certificate | Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled. Requires certificates/recover permission. When this method returns Key Vault has begun recovering the certificate. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered certificate in another operation immediately.
cancel_certificate_operation | Cancels an in-progress certificate operation. Requires the certificates/update permission.
create_issuer | Sets the specified certificate issuer. Requires certificates/setissuers permission.
delete_certificate_operation | Deletes and stops the creation operation for a specific certificate. Requires the certificates/update permission.
delete_contacts | Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
delete_issuer | Deletes the specified certificate issuer. Requires certificates/manageissuers/deleteissuers permission.
get_certificate | Gets a certificate with its management policy attached. Requires certificates/get permission. Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call get_certificate_version.
get_certificate_operation | Gets the creation operation of a certificate. Requires the certificates/get permission.
get_certificate_policy | Gets the policy for a certificate. Requires certificates/get permission. Returns the specified certificate policy resources in the key vault.
get_certificate_version | Gets a specific version of a certificate without returning its management policy. Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate's policy as well, call get_certificate.
get_contacts | Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
get_deleted_certificate | Get a deleted certificate. Possible only in a vault with soft-delete enabled. Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.
get_issuer | Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission.
import_certificate | Import a certificate created externally. Requires certificates/import permission. Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates.
list_deleted_certificates | Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled. Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.
list_properties_of_certificate_versions | List the identifiers and properties of a certificate's versions. Requires certificates/list permission.
list_properties_of_certificates | List identifiers and properties of all certificates in the vault. Requires certificates/list permission.
list_properties_of_issuers | Lists properties of the certificate issuers for the key vault. Requires the certificates/manageissuers/getissuers permission.
merge_certificate | Merges a certificate or a certificate chain with a key pair existing on the server. Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using begin_create_certificate that you set its issuer to 'Unknown'. This way Key Vault knows that the certificate will not be signed by an issuer known to it.
purge_deleted_certificate | Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled. Requires certificates/purge permission. Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a certificate before its scheduled_purge_date.
restore_certificate_backup | Restore a certificate backup to the vault. Requires certificates/restore permission. This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
set_contacts | Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission.
update_certificate_policy | Updates the policy for a certificate. Requires certificates/update permission. Set specified members in the certificate policy. Leaves others as null.
update_certificate_properties | Change a certificate's properties. Requires certificates/update permission.
update_issuer | Updates the specified certificate issuer. Requires certificates/setissuers permission.
backup_certificate
Back up a certificate in a protected form useable only by Azure Key Vault.
Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
backup_certificate(certificate_name, **kwargs)
Parameters
Returns
The backup blob containing the backed up certificate.
Return type
Exceptions
Examples
Get a certificate backup
# backup certificate
certificate_backup = certificate_client.backup_certificate(cert_name)
# returns the raw bytes of the backed up certificate
print(certificate_backup)
begin_create_certificate
Creates a new certificate.
If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission, otherwise raises an HttpResponseError.
Keyword arguments
enabled (bool) - Determines whether the object is enabled.
tags (dict[str, str]) - Application specific metadata in the form of key-value pairs.
begin_create_certificate(certificate_name, policy, **kwargs)
Parameters
- enabled
- bool
Whether the certificate is enabled for use.
Returns
An LROPoller for the create certificate operation. Waiting on the poller gives you the certificate if creation is successful, the CertificateOperation if not.
Return type
Exceptions
Examples
Create a certificate
from azure.keyvault.certificates import CertificatePolicy, CertificateContentType, WellKnownIssuerNames
# specify the certificate policy
cert_policy = CertificatePolicy(
    issuer_name=WellKnownIssuerNames.self,
    subject="CN=*.microsoft.com",
    san_dns_names=["sdk.azure-int.net"],
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=CertificateContentType.pkcs12,
    validity_in_months=24,
)
cert_name = "cert-name"
# create a certificate with optional arguments, returns a long running operation poller
certificate_operation_poller = certificate_client.begin_create_certificate(
    certificate_name=cert_name, policy=cert_policy
)
# Here we are waiting for the certificate creation operation to be completed
certificate = certificate_operation_poller.result()
# You can get the final status of the certificate operation poller using .result()
print(certificate_operation_poller.result())
print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)
begin_delete_certificate
Delete all versions of a certificate. Requires certificates/delete permission.
When this method returns Key Vault has begun deleting the certificate. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
begin_delete_certificate(certificate_name, **kwargs)
Parameters
Returns
A poller for the delete certificate operation. The poller's result method returns the DeletedCertificate without waiting for deletion to complete. If the vault has soft-delete enabled and you want to immediately, permanently delete the certificate with purge_deleted_certificate, call the poller's wait method first. It will block until the deletion is complete. The wait method requires certificates/get permission.
Return type
Exceptions
Examples
Delete a certificate
# delete a certificate
deleted_certificate = certificate_client.begin_delete_certificate(certificate.name).result()
print(deleted_certificate.name)
# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_on)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)
begin_recover_deleted_certificate
Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled.
Requires certificates/recover permission.
When this method returns Key Vault has begun recovering the certificate. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered certificate in another operation immediately.
begin_recover_deleted_certificate(certificate_name, **kwargs)
Parameters
Returns
A poller for the recovery operation. The poller's result method returns the recovered KeyVaultCertificate without waiting for recovery to complete. If you want to use the recovered certificate immediately, call the poller's wait method, which blocks until the certificate is ready to use. The wait method requires certificates/get permission.
Return type
Exceptions
Examples
Recover a deleted certificate
# recover a deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = certificate_client.begin_recover_deleted_certificate(cert_name).result()
print(recovered_certificate.id)
print(recovered_certificate.name)
cancel_certificate_operation
Cancels an in-progress certificate operation. Requires the certificates/update permission.
cancel_certificate_operation(certificate_name, **kwargs)
Parameters
Returns
The cancelled certificate operation
Return type
Exceptions
create_issuer
Sets the specified certificate issuer. Requires certificates/setissuers permission.
create_issuer(issuer_name, provider, **kwargs)
Parameters
- enabled
- bool
Whether the issuer is enabled for use.
- account_id
- str
The user name/account name/account id.
- password
- str
The password/secret/account key.
- organization_id
- str
Id of the organization
- admin_contacts
- list[AdministratorContact]
Contact details of the organization administrators of the certificate issuer.
Returns
The created CertificateIssuer
Return type
Exceptions
Examples
Create an issuer
from azure.keyvault.certificates import AdministratorContact
# First we specify the AdministratorContact for an issuer.
admin_contacts = [
    AdministratorContact(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]
issuer = certificate_client.create_issuer(
    issuer_name="issuer1",
    provider="Test",
    account_id="keyvaultuser",
    admin_contacts=admin_contacts,
    enabled=True,
)
print(issuer.name)
print(issuer.provider)
print(issuer.account_id)
for contact in issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)
delete_certificate_operation
Deletes and stops the creation operation for a specific certificate.
Requires the certificates/update permission.
delete_certificate_operation(certificate_name, **kwargs)
Parameters
Returns
The deleted CertificateOperation
Return type
Exceptions
delete_contacts
Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
delete_contacts(**kwargs)
Returns
The deleted contacts for the key vault.
Return type
Exceptions
Examples
Delete contacts
deleted_contacts = certificate_client.delete_contacts()
for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)
delete_issuer
Deletes the specified certificate issuer.
Requires certificates/manageissuers/deleteissuers permission.
delete_issuer(issuer_name, **kwargs)
Parameters
Returns
CertificateIssuer
Return type
Exceptions
Examples
Delete an issuer
deleted_issuer = certificate_client.delete_issuer("issuer1")
print(deleted_issuer.name)
print(deleted_issuer.provider)
print(deleted_issuer.account_id)
for contact in deleted_issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)
get_certificate
Gets a certificate with its management policy attached. Requires certificates/get permission.
Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call get_certificate_version.
get_certificate(certificate_name, **kwargs)
Parameters
Returns
An instance of KeyVaultCertificate
Return type
Exceptions
Examples
Get a certificate
# get the certificate
certificate = certificate_client.get_certificate(cert_name)
print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)
get_certificate_operation
Gets the creation operation of a certificate. Requires the certificates/get permission.
get_certificate_operation(certificate_name, **kwargs)
Parameters
Returns
The created CertificateOperation
Return type
Exceptions
get_certificate_policy
Gets the policy for a certificate. Requires certificates/get permission.
Returns the specified certificate policy resources in the key vault.
get_certificate_policy(certificate_name, **kwargs)
Parameters
Returns
The certificate policy
Return type
Exceptions
get_certificate_version
Gets a specific version of a certificate without returning its management policy.
Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate's policy as well, call get_certificate.
get_certificate_version(certificate_name, version, **kwargs)
Parameters
Returns
An instance of KeyVaultCertificate
Return type
Exceptions
Examples
Get a certificate with a specific version
certificate = certificate_client.get_certificate_version(cert_name, version)
print(certificate.id)
print(certificate.properties.version)
get_contacts
Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission.
get_contacts(**kwargs)
Returns
The certificate contacts for the key vault.
Return type
Exceptions
Examples
Get contacts
contacts = certificate_client.get_contacts()
# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)
get_deleted_certificate
Get a deleted certificate. Possible only in a vault with soft-delete enabled.
Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.
get_deleted_certificate(certificate_name, **kwargs)
Parameters
Returns
The deleted certificate
Return type
Exceptions
Examples
Get a deleted certificate
# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = certificate_client.get_deleted_certificate(cert_name)
print(deleted_certificate.name)
# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_on)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)
get_issuer
Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission.
get_issuer(issuer_name, **kwargs)
Parameters
Returns
The specified certificate issuer.
Return type
Exceptions
Examples
Get an issuer
issuer = certificate_client.get_issuer("issuer1")
print(issuer.name)
print(issuer.provider)
print(issuer.account_id)
for contact in issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)
import_certificate
Import a certificate created externally. Requires certificates/import permission.
Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates.
import_certificate(certificate_name, certificate_bytes, **kwargs)
Parameters
- certificate_bytes
- bytes
Bytes of the certificate object to import. This certificate needs to contain the private key.
- enabled
- bool
Whether the certificate is enabled for use.
- password
- str
If the private key in the passed in certificate is encrypted, it is the password used for encryption.
- policy
- CertificatePolicy
The management policy for the certificate
Returns
The imported KeyVaultCertificate
Return type
Exceptions
list_deleted_certificates
Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled.
Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.
list_deleted_certificates(**kwargs)
Parameters
- include_pending
- bool
Specifies whether to include certificates which are not completely deleted.
Returns
An iterator-like instance of DeletedCertificate
Return type
Exceptions
Examples
List all the deleted certificates
# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()
for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.deleted_on)
    print(certificate.scheduled_purge_date)
list_properties_of_certificate_versions
List the identifiers and properties of a certificate's versions.
Requires certificates/list permission.
list_properties_of_certificate_versions(certificate_name, **kwargs)
Parameters
Returns
An iterator-like instance of CertificateProperties
Return type
Exceptions
Examples
List all versions of a certificate
# get an iterator of a certificate's versions
certificate_versions = certificate_client.list_properties_of_certificate_versions(certificate_name)
for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)
list_properties_of_certificates
List identifiers and properties of all certificates in the vault.
Requires certificates/list permission.
list_properties_of_certificates(**kwargs)
Parameters
- include_pending
- bool
Specifies whether to include certificates which are not completely provisioned.
Returns
An iterator-like instance of CertificateProperties
Return type
Exceptions
Examples
List all certificates
# get an iterator of certificates
certificates = certificate_client.list_properties_of_certificates()
for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)
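An inventory audit built on list_properties_of_certificates and get_certificate, as an added example (not part of the Azure SDK documentation or samples). The function name audit_certificates, the finding labels, the thresholds and the VAULT_URL environment variable are assumptions; expires_on is a CertificateProperties attribute not shown elsewhere on this page.

```python
import os
from datetime import datetime, timedelta, timezone


def audit_certificates(client, now=None, expiry_window_days=30,
                       min_rsa_bits=2048, max_validity_months=24):
    """Return sorted (certificate_name, finding) tuples for certificates to review.

    The thresholds are illustrative defaults (assumptions), not Key Vault rules.
    `client` is a CertificateClient or any object with the same methods.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    # Requires certificates/list permission.
    for props in client.list_properties_of_certificates():
        name = props.name
        if not props.enabled:
            findings.append((name, "disabled"))
        # expires_on is a timezone-aware datetime, or None when unset.
        if props.expires_on is not None:
            if props.expires_on <= now:
                findings.append((name, "expired"))
            elif props.expires_on - now <= timedelta(days=expiry_window_days):
                findings.append((name, "expiring_soon"))

        # The list call returns properties only; the management policy comes
        # from get_certificate, which requires certificates/get permission.
        policy = client.get_certificate(name).policy
        if policy is None:
            continue
        if policy.exportable:
            findings.append((name, "exportable_private_key"))
        if policy.reuse_key:
            findings.append((name, "key_reused_on_renewal"))
        # key_type may be a plain string or a string enum such as "RSA" / "RSA-HSM".
        key_type = str(getattr(policy.key_type, "value", policy.key_type) or "")
        if (key_type.upper().startswith("RSA")
                and policy.key_size is not None
                and policy.key_size < min_rsa_bits):
            findings.append((name, "weak_rsa_key"))
        if (policy.validity_in_months or 0) > max_validity_months:
            findings.append((name, "long_validity"))
    return sorted(findings)


if __name__ == "__main__":
    # Imported here so the function above can be exercised without the SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import CertificateClient

    # VAULT_URL is an assumed environment variable holding the vault's DNS name.
    certificate_client = CertificateClient(
        vault_url=os.environ["VAULT_URL"], credential=DefaultAzureCredential()
    )
    for cert_name, finding in audit_certificates(certificate_client):
        print(cert_name, finding)
```

The identity running the audit needs only certificates/list and certificates/get, so it can be kept separate from identities that create, import or delete certificates.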
list_properties_of_issuers
Lists properties of the certificate issuers for the key vault.
Requires the certificates/manageissuers/getissuers permission.
list_properties_of_issuers(**kwargs)
Returns
An iterator-like instance of Issuers
Return type
Exceptions
Examples
List issuers of a vault
issuers = certificate_client.list_properties_of_issuers()
for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)
merge_certificate
Merges a certificate or a certificate chain with a key pair existing on the server.
Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using begin_create_certificate that you set its issuer to 'Unknown'. This way Key Vault knows that the certificate will not be signed by an issuer known to it.
merge_certificate(certificate_name, x509_certificates, **kwargs)
Parameters
- enabled
- bool
Whether the certificate is enabled for use.
Returns
The merged certificate
Return type
Exceptions
purge_deleted_certificate
Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled.
Requires certificates/purge permission.
Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a certificate before its scheduled_purge_date.
purge_deleted_certificate(certificate_name, **kwargs)
Parameters
Returns
None
Return type
Exceptions
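The delete, wait, then purge sequence described under begin_delete_certificate and purge_deleted_certificate, as an added example (not part of the Azure SDK documentation or samples). The function name purge_certificate_safely, the returned dict layout and the VAULT_URL environment variable are assumptions; recovery_level is read from the deleted certificate's properties.

```python
import os
import sys


def purge_certificate_safely(client, certificate_name):
    """Delete a certificate, wait for deletion to complete, then purge it.

    Nothing is purged unless the recovery level includes 'Purgeable'.
    `client` is a CertificateClient or any object with the same methods.
    Returns a dict with keys: name, purged, reason.
    """
    # Requires certificates/delete permission.
    poller = client.begin_delete_certificate(certificate_name)
    # result() returns the DeletedCertificate without waiting for deletion.
    deleted = poller.result()

    if deleted.recovery_id is None:
        # No recovery id means the vault kept no recoverable copy.
        return {"name": certificate_name, "purged": False,
                "reason": "no recoverable copy exists; nothing to purge"}

    # Purging before deletion completes fails, so block here first.
    # wait() requires certificates/get permission.
    poller.wait()

    level = str(deleted.properties.recovery_level or "")
    if "Purgeable" not in level:
        # The vault does not allow purging; the certificate stays recoverable
        # until its scheduled_purge_date.
        return {"name": certificate_name, "purged": False,
                "reason": "recovery level %r does not allow purge" % level}

    # Irreversible. Requires certificates/purge permission.
    client.purge_deleted_certificate(certificate_name)
    return {"name": certificate_name, "purged": True, "reason": "purged"}


if __name__ == "__main__":
    # Imported here so the function above can be exercised without the SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import CertificateClient

    # VAULT_URL is an assumed environment variable; the certificate name is
    # taken from the command line so nothing is deleted by accident.
    certificate_client = CertificateClient(
        vault_url=os.environ["VAULT_URL"], credential=DefaultAzureCredential()
    )
    print(purge_certificate_safely(certificate_client, sys.argv[1]))
```

Because purge is irreversible, certificates/purge is a permission worth granting to fewer identities than certificates/delete.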
restore_certificate_backup
Restore a certificate backup to the vault. Requires certificates/restore permission.
This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
restore_certificate_backup(backup, **kwargs)
Parameters
Returns
The restored KeyVaultCertificate
Return type
Exceptions
Examples
Restore a certificate backup
# restore a certificate backup
restored_certificate = certificate_client.restore_certificate_backup(certificate_backup)
print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)
set_contacts
Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission.
set_contacts(contacts, **kwargs)
Parameters
Returns
The created list of contacts
Return type
Exceptions
Examples
Create contacts
from azure.keyvault.certificates import CertificateContact
# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]
contacts = certificate_client.set_contacts(contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)
update_certificate_policy
Updates the policy for a certificate. Requires certificates/update permission.
Set specified members in the certificate policy. Leaves others as null.
update_certificate_policy(certificate_name, policy, **kwargs)
Parameters
Returns
The certificate policy
Return type
Exceptions
update_certificate_properties
Change a certificate's properties. Requires certificates/update permission.
update_certificate_properties(certificate_name, version=None, **kwargs)
Parameters
- enabled
- bool
Whether the certificate is enabled for use.
Returns
The updated KeyVaultCertificate
Return type
Exceptions
Examples
Update a certificate's attributes
# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = certificate_client.update_certificate_properties(
    certificate_name=certificate.name, tags=tags
)
print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)
update_issuer
Updates the specified certificate issuer. Requires certificates/setissuers permission.
update_issuer(issuer_name, **kwargs)
Parameters
- enabled
- bool
Whether the issuer is enabled for use.
- provider
- str
The issuer provider
- account_id
- str
The user name/account name/account id.
- password
- str
The password/secret/account key.
- organization_id
- str
Id of the organization
- admin_contacts
- list[AdministratorContact]
Contact details of the organization administrators of the certificate issuer
Returns
The updated issuer