azure.keyvault.certificates package

Submodules

azure.keyvault.certificates.client module

azure.keyvault.certificates.enums module

azure.keyvault.certificates.models module

Module contents

class azure.keyvault.certificates.CertificatePolicyAction[source]

Bases: str, enum.Enum

The supported action types for the lifetime of a certificate

auto_renew = 'AutoRenew'
email_contacts = 'EmailContacts'
class azure.keyvault.certificates.AdministratorContact(first_name=None, last_name=None, email=None, phone=None)[source]

Bases: object

Details of the organization administrator of the certificate issuer.

Parameters:
  • first_name (str) – First name of the issuer.
  • last_name (str) – Last name of the issuer.
  • email (str) – Email address of the issuer.
  • phone (str) – Phone number of the issuer.
email

Return type:str
first_name

Return type:str
last_name

Return type:str
phone

Return type:str
class azure.keyvault.certificates.CertificateClient(vault_url, credential, **kwargs)[source]

Bases: azure.keyvault.certificates._shared.client_base.KeyVaultClientBase

A high-level interface for managing a vault’s certificates.

Parameters:
  • vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.
  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity
Keyword Arguments:
 
  • api_version (str) – version of the Key Vault API to use. Defaults to the most recent.
  • transport (HttpTransport) – transport to use. Defaults to RequestsTransport.

Example

Create a new CertificateClient

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

# Create a CertificateClient using default Azure credentials
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url=vault_url, credential=credential)

backup_certificate(certificate_name, **kwargs)[source]

Back up a certificate in a protected form usable only by Azure Key Vault.

Requires certificates/backup permission. This is intended to allow copying a certificate from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.

Parameters:certificate_name (str) – The name of the certificate.
Returns:The backup blob containing the backed up certificate.
Return type:bytes
Raises:ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate backup

# backup certificate
certificate_backup = certificate_client.backup_certificate(cert_name)

# returns the raw bytes of the backed up certificate
print(certificate_backup)

begin_create_certificate(certificate_name, policy, **kwargs)[source]

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission. The poller requires the certificates/get permission; otherwise it raises an HttpResponseError.

Parameters:
  • certificate_name (str) – The name of the certificate.
  • policy (CertificatePolicy) – The management policy for the certificate.
Keyword Arguments:
 
  • enabled (bool) – Whether the certificate is enabled for use.
  • tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
Returns:

An LROPoller for the create certificate operation. Waiting on the poller gives you the certificate if creation is successful, the CertificateOperation if not.

Return type:

LROPoller[KeyVaultCertificate or CertificateOperation]

Raises:

HttpResponseError

Example

Create a certificate

from azure.keyvault.certificates import CertificatePolicy, CertificateContentType, WellKnownIssuerNames

# specify the certificate policy
cert_policy = CertificatePolicy(
    issuer_name=WellKnownIssuerNames.self,
    subject="CN=*.microsoft.com",
    san_dns_names=["sdk.azure-int.net"],
    exportable=True,
    key_type="RSA",
    key_size=2048,
    reuse_key=False,
    content_type=CertificateContentType.pkcs12,
    validity_in_months=24,
)

cert_name = "cert-name"
# create a certificate with optional arguments, returns a long running operation poller
certificate_operation_poller = certificate_client.begin_create_certificate(
    certificate_name=cert_name, policy=cert_policy
)

# Here we are waiting for the certificate creation operation to be completed
certificate = certificate_operation_poller.result()

# You can get the final status of the certificate operation poller using .result()
print(certificate_operation_poller.result())

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

begin_delete_certificate(certificate_name, **kwargs)[source]

Delete all versions of a certificate. Requires certificates/delete permission.

When this method returns Key Vault has begun deleting the certificate. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

Parameters:certificate_name (str) – The name of the certificate to delete.
Returns:A poller for the delete certificate operation. The poller’s result method returns the DeletedCertificate without waiting for deletion to complete. If the vault has soft-delete enabled and you want to immediately, permanently delete the certificate with purge_deleted_certificate(), call the poller’s wait method first. It will block until the deletion is complete. The wait method requires certificates/get permission.
Return type:LROPoller[DeletedCertificate]
Raises:ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Delete a certificate

# delete a certificate
deleted_certificate = certificate_client.begin_delete_certificate(certificate.name).result()

print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_on)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

begin_recover_deleted_certificate(certificate_name, **kwargs)[source]

Recover a deleted certificate to its latest version. Possible only in a vault with soft-delete enabled.

Requires certificates/recover permission.

When this method returns Key Vault has begun recovering the certificate. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered certificate in another operation immediately.

Parameters:certificate_name (str) – The name of the deleted certificate to recover
Returns:A poller for the recovery operation. The poller’s result method returns the recovered KeyVaultCertificate without waiting for recovery to complete. If you want to use the recovered certificate immediately, call the poller’s wait method, which blocks until the certificate is ready to use. The wait method requires certificates/get permission.
Return type:LROPoller[KeyVaultCertificate]
Raises:HttpResponseError

Example

Recover a deleted certificate

# recover a deleted certificate to its latest version (requires soft-delete enabled for the vault)
recovered_certificate = certificate_client.begin_recover_deleted_certificate(cert_name).result()

print(recovered_certificate.id)
print(recovered_certificate.name)

cancel_certificate_operation(certificate_name, **kwargs)[source]

Cancels an in-progress certificate operation. Requires the certificates/update permission.

Parameters:certificate_name (str) – The name of the certificate.
Returns:The cancelled certificate operation
Return type:CertificateOperation
Raises:HttpResponseError
create_issuer(issuer_name, provider, **kwargs)[source]

Sets the specified certificate issuer. Requires certificates/setissuers permission.

Parameters:
  • issuer_name (str) – The name of the issuer.
  • provider (str) – The issuer provider.
Keyword Arguments:
 
  • enabled (bool) – Whether the issuer is enabled for use.
  • account_id (str) – The user name/account name/account id.
  • password (str) – The password/secret/account key.
  • organization_id (str) – Id of the organization
  • admin_contacts (list[AdministratorContact]) – Contact details of the organization administrators of the certificate issuer.
Returns:

The created CertificateIssuer

Return type:

CertificateIssuer

Raises:

HttpResponseError

Example

Create an issuer

from azure.keyvault.certificates import AdministratorContact

# First we specify the AdministratorContact for a issuer.
admin_contacts = [
    AdministratorContact(first_name="John", last_name="Doe", email="admin@microsoft.com", phone="4255555555")
]

issuer = certificate_client.create_issuer(
    issuer_name="issuer1", provider="Test", account_id="keyvaultuser", admin_contacts=admin_contacts, enabled=True
)

print(issuer.name)
print(issuer.provider)
print(issuer.account_id)

for contact in issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)

delete_certificate_operation(certificate_name, **kwargs)[source]

Deletes and stops the creation operation for a specific certificate.

Requires the certificates/update permission.

Parameters:certificate_name (str) – The name of the certificate.
Returns:The deleted CertificateOperation
Return type:CertificateOperation
Raises:HttpResponseError
delete_contacts(**kwargs)[source]

Deletes the certificate contacts for the key vault. Requires the certificates/managecontacts permission.

Returns:The deleted contacts for the key vault.
Return type:list[CertificateContact]
Raises:HttpResponseError

Example

Delete contacts

deleted_contacts = certificate_client.delete_contacts()

for deleted_contact in deleted_contacts:
    print(deleted_contact.name)
    print(deleted_contact.email)
    print(deleted_contact.phone)

delete_issuer(issuer_name, **kwargs)[source]

Deletes the specified certificate issuer.

Requires certificates/manageissuers/deleteissuers permission.

Parameters:issuer_name (str) – The name of the issuer.
Returns:CertificateIssuer
Return type:CertificateIssuer
Raises:HttpResponseError

Example

Delete an issuer

deleted_issuer = certificate_client.delete_issuer("issuer1")

print(deleted_issuer.name)
print(deleted_issuer.provider)
print(deleted_issuer.account_id)

for contact in deleted_issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)

get_certificate(certificate_name, **kwargs)[source]

Gets a certificate with its management policy attached. Requires certificates/get permission.

Does not accept the version of the certificate as a parameter. To get a specific version of the certificate, call get_certificate_version().

Parameters:certificate_name (str) – The name of the certificate in the given vault.
Returns:An instance of KeyVaultCertificate
Return type:KeyVaultCertificate
Raises:ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate

# get the certificate
certificate = certificate_client.get_certificate(cert_name)

print(certificate.id)
print(certificate.name)
print(certificate.policy.issuer_name)

get_certificate_operation(certificate_name, **kwargs)[source]

Gets the creation operation of a certificate. Requires the certificates/get permission.

Parameters:certificate_name (str) – The name of the certificate.
Returns:The created CertificateOperation
Return type:CertificateOperation
Raises:ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors
get_certificate_policy(certificate_name, **kwargs)[source]

Gets the policy for a certificate. Requires certificates/get permission.

Returns the specified certificate policy resources in the key vault.

Parameters:certificate_name (str) – The name of the certificate in a given key vault.
Returns:The certificate policy
Return type:CertificatePolicy
Raises:HttpResponseError
get_certificate_version(certificate_name, version, **kwargs)[source]

Gets a specific version of a certificate without returning its management policy.

Requires certificates/get permission. To get the latest version of the certificate, or to get the certificate’s policy as well, call get_certificate().

Parameters:
  • certificate_name (str) – The name of the certificate in the given vault.
  • version (str) – The version of the certificate.
Returns:

An instance of KeyVaultCertificate

Return type:

KeyVaultCertificate

Raises:

ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a certificate version

# get a specific version of the certificate (the result carries no management policy)
certificate = certificate_client.get_certificate_version(cert_name, version)

print(certificate.id)
print(certificate.name)
print(certificate.properties.version)

get_contacts(**kwargs)[source]

Gets the certificate contacts for the key vault. Requires the certificates/managecontacts permission.

Returns:The certificate contacts for the key vault.
Return type:list[CertificateContact]
Raises:HttpResponseError

Example

Get contacts

contacts = certificate_client.get_contacts()

# Loop through the certificate contacts for this key vault.
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

get_deleted_certificate(certificate_name, **kwargs)[source]

Get a deleted certificate. Possible only in a vault with soft-delete enabled.

Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.

Parameters:certificate_name (str) – The name of the certificate.
Returns:The deleted certificate
Return type:DeletedCertificate
Raises:ResourceNotFoundError if the certificate doesn’t exist, HttpResponseError for other errors

Example

Get a deleted certificate

# get a deleted certificate (requires soft-delete enabled for the vault)
deleted_certificate = certificate_client.get_deleted_certificate(cert_name)
print(deleted_certificate.name)

# if the vault has soft-delete enabled, the certificate's deleted date,
# scheduled purge date, and recovery id are available
print(deleted_certificate.deleted_on)
print(deleted_certificate.scheduled_purge_date)
print(deleted_certificate.recovery_id)

get_issuer(issuer_name, **kwargs)[source]

Gets the specified certificate issuer. Requires certificates/manageissuers/getissuers permission.

Parameters:issuer_name (str) – The name of the issuer.
Returns:The specified certificate issuer.
Return type:CertificateIssuer
Raises:ResourceNotFoundError if the issuer doesn’t exist, HttpResponseError for other errors

Example

Get an issuer

issuer = certificate_client.get_issuer("issuer1")

print(issuer.name)
print(issuer.provider)
print(issuer.account_id)

for contact in issuer.admin_contacts:
    print(contact.first_name)
    print(contact.last_name)
    print(contact.email)
    print(contact.phone)

import_certificate(certificate_name, certificate_bytes, **kwargs)[source]

Import a certificate created externally. Requires certificates/import permission.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates.

Parameters:
  • certificate_name (str) – The name of the certificate.
  • certificate_bytes (bytes) – Bytes of the certificate object to import. This certificate needs to contain the private key.
Keyword Arguments:
 
  • enabled (bool) – Whether the certificate is enabled for use.
  • tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
  • password (str) – If the private key in the passed in certificate is encrypted, it is the password used for encryption.
  • policy (CertificatePolicy) – The management policy for the certificate
Returns:

The imported KeyVaultCertificate

Return type:

KeyVaultCertificate

Raises:

HttpResponseError
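
A pre-flight check for the format requirements stated above (PFX, or PEM containing both the private key and the x509 certificates), added here as an example; it is not part of the SDK, and `classify_bundle`, `preflight_import` and the sample bundles are my own names and constructed data. It runs on the raw bytes before they are handed to import_certificate, so a bundle that Key Vault would reject never leaves the process.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample inputs (placeholder base64, not real key or certificate material).
GOOD_PEM = b"""-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7placeholder
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholder
-----END CERTIFICATE-----
"""
ENCRYPTED_PEM = b"""-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApplaceholder
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholder
-----END CERTIFICATE-----
"""
CERT_ONLY_PEM = b"""-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholder
-----END CERTIFICATE-----
"""
# First bytes of a PKCS#12 (PFX) file: SEQUENCE, two-byte length, then INTEGER version 3.
PFX_PREFIX = bytes.fromhex("30820a1a020103")

_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
_KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY", b"ENCRYPTED PRIVATE KEY"}


def _looks_like_pkcs12(data: bytes) -> bool:
    """Check the outer DER framing of a PFX: SEQUENCE { version INTEGER 3, ... }.

    This only confirms the container type; whether the PFX actually carries a
    private key (or needs a password) cannot be seen without parsing it fully.
    """
    if len(data) < 5 or data[0] != 0x30:
        return False
    first = data[1]
    # Long-form length: 0x80 | number of following length octets.
    offset = 2 + ((first & 0x7F) if first & 0x80 else 0)
    return data[offset:offset + 3] == b"\x02\x01\x03"


def classify_bundle(data: bytes) -> Dict[str, Any]:
    """Describe a certificate bundle the way import_certificate will see it."""
    labels = [m.group(1) for m in _PEM_BLOCK.finditer(data)]
    if labels:
        has_key = any(label in _KEY_LABELS for label in labels)
        cert_count = labels.count(b"CERTIFICATE")
        encrypted = b"ENCRYPTED PRIVATE KEY" in labels or b"Proc-Type: 4,ENCRYPTED" in data
        return {
            "format": "pem",
            "private_key": has_key,
            "certificates": cert_count,
            "password_needed": encrypted,
            # PEM import needs the key and at least one x509 certificate.
            "importable": has_key and cert_count > 0,
        }
    if _looks_like_pkcs12(data):
        return {"format": "pfx", "private_key": None, "certificates": None,
                "password_needed": None, "importable": True}
    return {"format": "unknown", "private_key": False, "certificates": 0,
            "password_needed": False, "importable": False}


def preflight_import(data: bytes, password: Optional[str] = None) -> Dict[str, Any]:
    """Raise ValueError with a precise reason instead of a generic HttpResponseError later."""
    info = classify_bundle(data)
    if info["format"] == "unknown":
        raise ValueError("bundle is neither PEM nor PKCS#12; import_certificate would reject it")
    if info["format"] == "pem":
        if not info["private_key"]:
            raise ValueError("PEM bundle has no private key block; Key Vault requires the key")
        if info["certificates"] == 0:
            raise ValueError("PEM bundle has no CERTIFICATE block")
        if info["password_needed"] and not password:
            raise ValueError("private key is encrypted; pass password= to import_certificate")
    return info
```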

list_deleted_certificates(**kwargs)[source]

Lists the currently-recoverable deleted certificates. Possible only if vault is soft-delete enabled.

Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.

Keyword Arguments:
 include_pending (bool) – Specifies whether to include certificates which are not completely deleted.
Returns:An iterator-like instance of DeletedCertificate
Return type:ItemPaged[DeletedCertificate]
Raises:HttpResponseError

Example

List all the deleted certificates

# get an iterator of deleted certificates (requires soft-delete enabled for the vault)
deleted_certificates = certificate_client.list_deleted_certificates()

for certificate in deleted_certificates:
    print(certificate.id)
    print(certificate.name)
    print(certificate.deleted_on)
    print(certificate.scheduled_purge_date)
    print(certificate.recovery_id)

list_properties_of_certificate_versions(certificate_name, **kwargs)[source]

List the identifiers and properties of a certificate’s versions.

Requires certificates/list permission.

Parameters:certificate_name (str) – The name of the certificate.
Returns:An iterator-like instance of CertificateProperties
Return type:ItemPaged[CertificateProperties]
Raises:HttpResponseError

Example

List all versions of a certificate

# get an iterator of a certificate's versions
certificate_versions = certificate_client.list_properties_of_certificate_versions("certificate-name")

for certificate in certificate_versions:
    print(certificate.id)
    print(certificate.updated_on)
    print(certificate.version)

list_properties_of_certificates(**kwargs)[source]

List identifiers and properties of all certificates in the vault.

Requires certificates/list permission.

Keyword Arguments:
 include_pending (bool) – Specifies whether to include certificates which are not completely provisioned.
Returns:An iterator-like instance of CertificateProperties
Return type:ItemPaged[CertificateProperties]
Raises:HttpResponseError

Example

List all certificates

# get an iterator of certificates
certificates = certificate_client.list_properties_of_certificates()

for certificate in certificates:
    print(certificate.id)
    print(certificate.created_on)
    print(certificate.name)
    print(certificate.updated_on)
    print(certificate.enabled)

list_properties_of_issuers(**kwargs)[source]

Lists properties of the certificate issuers for the key vault.

Requires the certificates/manageissuers/getissuers permission.

Returns:An iterator-like instance of CertificateIssuer
Return type:ItemPaged[CertificateIssuer]
Raises:HttpResponseError

Example

List issuers of a vault

issuers = certificate_client.list_properties_of_issuers()

for issuer in issuers:
    print(issuer.name)
    print(issuer.provider)

merge_certificate(certificate_name, x509_certificates, **kwargs)[source]

Merges a certificate or a certificate chain with a key pair existing on the server.

Requires the certificates/create permission. Performs the merging of a certificate or certificate chain with a key pair currently available in the service. Make sure when creating the certificate to merge using begin_create_certificate() that you set its issuer to ‘Unknown’. This way Key Vault knows that the certificate will not be signed by an issuer known to it.

Parameters:
  • certificate_name (str) – The name of the certificate
  • x509_certificates (list[bytes]) – The certificate or the certificate chain to merge.
Keyword Arguments:
 
  • enabled (bool) – Whether the certificate is enabled for use.
  • tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
Returns:

The merged certificate

Return type:

KeyVaultCertificate

Raises:

HttpResponseError

purge_deleted_certificate(certificate_name, **kwargs)[source]

Permanently deletes a deleted certificate. Possible only in vaults with soft-delete enabled.

Requires certificates/purge permission.

Performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery_level does not specify ‘Purgeable’. This method is only necessary for purging a certificate before its scheduled_purge_date.

Parameters:certificate_name (str) – The name of the certificate
Returns:None
Return type:None
Raises:HttpResponseError
restore_certificate_backup(backup, **kwargs)[source]

Restore a certificate backup to the vault. Requires certificates/restore permission.

This restores all versions of the certificate, with its name, attributes, and access control policies. If the certificate’s name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.

Parameters:backup (bytes) – The backup blob associated with a certificate bundle.
Returns:The restored KeyVaultCertificate
Return type:KeyVaultCertificate
Raises:HttpResponseError

Example

Restore a certificate backup

# restore a certificate backup
restored_certificate = certificate_client.restore_certificate_backup(certificate_backup)

print(restored_certificate.id)
print(restored_certificate.name)
print(restored_certificate.properties.version)

set_contacts(contacts, **kwargs)[source]

Sets the certificate contacts for the key vault. Requires certificates/managecontacts permission.

Parameters:contacts (list[CertificateContact]) – The contact list for the vault certificates.
Returns:The created list of contacts
Return type:list[CertificateContact]
Raises:HttpResponseError

Example

Create contacts

from azure.keyvault.certificates import CertificateContact
# Create a list of the contacts that you want to set for this key vault.
contact_list = [
    CertificateContact(email="admin@contoso.com", name="John Doe", phone="1111111111"),
    CertificateContact(email="admin2@contoso.com", name="John Doe2", phone="2222222222"),
]

contacts = certificate_client.set_contacts(contact_list)
for contact in contacts:
    print(contact.name)
    print(contact.email)
    print(contact.phone)

update_certificate_policy(certificate_name, policy, **kwargs)[source]

Updates the policy for a certificate. Requires certificates/update permission.

Set specified members in the certificate policy. Leaves others as null.

Parameters:
  • certificate_name (str) – The name of the certificate in the given vault.
  • policy (CertificatePolicy) – The policy for the certificate.
Returns:

The certificate policy

Return type:

CertificatePolicy

Raises:

HttpResponseError

update_certificate_properties(certificate_name, version=None, **kwargs)[source]

Change a certificate’s properties. Requires certificates/update permission.

Parameters:
  • certificate_name (str) – The name of the certificate in the given key vault.
  • version (str) – The version of the certificate.
Keyword Arguments:
 
  • enabled (bool) – Whether the certificate is enabled for use.
  • tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
Returns:

The updated KeyVaultCertificate

Return type:

KeyVaultCertificate

Raises:

HttpResponseError

Example

Update a certificate’s attributes

# update attributes of an existing certificate
tags = {"foo": "updated tag"}
updated_certificate = certificate_client.update_certificate_properties(
    certificate_name=certificate.name, tags=tags
)

print(updated_certificate.properties.version)
print(updated_certificate.properties.updated_on)
print(updated_certificate.properties.tags)

update_issuer(issuer_name, **kwargs)[source]

Updates the specified certificate issuer. Requires certificates/setissuers permission.

Parameters:

issuer_name (str) – The name of the issuer.

Keyword Arguments:
 
  • enabled (bool) – Whether the issuer is enabled for use.
  • provider (str) – The issuer provider
  • account_id (str) – The user name/account name/account id.
  • password (str) – The password/secret/account key.
  • organization_id (str) – Id of the organization
  • admin_contacts (list[AdministratorContact]) – Contact details of the organization administrators of the certificate issuer
Returns:

The updated issuer

Return type:

CertificateIssuer

Raises:

HttpResponseError

class azure.keyvault.certificates.CertificateContact(email=None, name=None, phone=None)[source]

Bases: object

The contact information for the vault certificates.

Parameters:
  • email (str) – Email address of a contact for the certificate.
  • name (str) – Name of a contact for the certificate.
  • phone (str) – phone number of a contact for the certificate.
email

Return type:str
name

Return type:str
phone

Return type:str
class azure.keyvault.certificates.CertificateIssuer(provider, attributes=None, account_id=None, password=None, organization_id=None, admin_contacts=None, **kwargs)[source]

Bases: object

The issuer for a Key Vault certificate.

Parameters:
  • provider (str) – The issuer provider
  • account_id (str) – The username / account name / account id.
  • password (str) – The password / secret / account key.
  • organization_id (str) – The ID of the organization.
  • admin_contacts (list[AdministratorContact]) – Details of the organization administrator.
account_id

The username / account name / account id.

Return type:str
admin_contacts

Contact details of the organization administrator of this issuer.

Return type:list[AdministratorContact]
created_on

The datetime when the certificate is created.

Return type:datetime
enabled

Whether the certificate is enabled or not.

Return type:bool
id

Return type:str
name

Return type:str
organization_id

Return type:str
password

The password / secret / account key.

Return type:str
provider

The issuer provider.

Return type:str
updated_on

The datetime when the certificate was last updated.

Return type:datetime
class azure.keyvault.certificates.CertificateOperation(cert_operation_id=None, issuer_name=None, certificate_type=None, certificate_transparency=False, csr=None, cancellation_requested=False, status=None, status_details=None, error=None, target=None, request_id=None)[source]

Bases: object

A certificate operation is returned in case of long running requests.

Parameters:
  • cert_operation_id (str) – The certificate id.
  • issuer_name (str or WellKnownIssuerNames) – Name of the operation’s issuer object or reserved names.
  • certificate_type (str) – Type of certificate requested from the issuer provider.
  • certificate_transparency (bool) – Indicates if the certificate this operation is running for is published to certificate transparency logs.
  • csr (bytearray) – The certificate signing request (CSR) that is being used in the certificate operation.
  • cancellation_requested (bool) – Indicates if cancellation was requested on the certificate operation.
  • status (str) – Status of the certificate operation.
  • status_details (str) – The status details of the certificate operation
  • error (CertificateOperationError) – Error encountered, if any, during the certificate operation.
  • target (str) – Location which contains the result of the certificate operation.
  • request_id (str) – Identifier for the certificate operation.
cancellation_requested

Whether cancellation was requested on the certificate operation.

Return type:bool
certificate_transparency

Whether certificates generated under this policy should be published to certificate transparency logs.

Return type:bool
certificate_type

Type of certificate to be requested from the issuer provider.

Return type:str
csr

The certificate signing request that is being used in this certificate operation.

Return type:bytes
error

Return type:CertificateOperationError
id

Return type:str
issuer_name

The name of the issuer of the certificate.

Return type:str
name

Return type:str
request_id

Identifier for the certificate operation.

Return type:str
status

Return type:str
status_details

Return type:str
target

Location which contains the result of the certificate operation.

Return type:str
vault_url

URL of the vault containing the CertificateOperation

Return type:str
class azure.keyvault.certificates.CertificateOperationError(code, message, inner_error)[source]

Bases: object

The key vault server error.

Parameters:
code

The error code.

Return type:str
inner_error

The error itself

Return type:CertificateOperationError
message

The error message.

Return type:str
class azure.keyvault.certificates.CertificatePolicy(issuer_name, **kwargs)[source]

Bases: object

Management policy for a certificate.

Parameters:

issuer_name (str) – Name of the referenced issuer object or reserved names; for example, ‘Self’ or ‘Unknown’

Keyword Arguments:
 
  • subject (str) – The subject name of the certificate. Should be a valid X509 distinguished name. Either subject or one of the subject alternative name parameters are required.
  • san_emails (Iterable[str]) – Subject alternative emails of the X509 object. Either subject or one of the subject alternative name parameters are required.
  • san_dns_names (Iterable[str]) – Subject alternative DNS names of the X509 object. Either subject or one of the subject alternative name parameters are required.
  • san_user_principal_names (Iterable[str]) – Subject alternative user principal names of the X509 object. Either subject or one of the subject alternative name parameters are required.
  • exportable (bool) – Indicates if the private key can be exported.
  • key_type (str or KeyType) – The type of key pair to be used for the certificate. For valid values, see KeyType.
  • key_size (int) – The key size in bits. For example: 2048, 3072, or 4096 for RSA.
  • reuse_key (bool) – Indicates if the same key pair will be used on certificate renewal.
  • key_curve_name (str or KeyCurveName) – Elliptic curve name. For valid values, see KeyCurveName.
  • enhanced_key_usage (list[str]) – The extended ways the key of the certificate can be used.
  • key_usage (list[str or KeyUsageType]) – List of key usages.
  • content_type (str or CertificateContentType) – The media type (MIME type) of the secret backing the certificate.
  • validity_in_months (int) – The duration that the certificate is valid in months.
  • lifetime_actions (Iterable[LifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a certificate
  • certificate_type (str) – Type of certificate to be requested from the issuer provider.
  • certificate_transparency (bool) – Indicates if the certificates generated under this policy should be published to certificate transparency logs.
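
A pre-flight validator for the keyword arguments above, added here as an example rather than taken from the SDK; `check_policy_kwargs`, `_plain` and the constants are my own names. It enforces the stated requirements (subject or a subject alternative name; an X.509 distinguished name as subject; the listed RSA key sizes; a curve for EC keys) and separately flags settings that widen the private key's exposure, so a policy is reviewed before begin_create_certificate sends it.

```python
import re
from typing import Any, Dict, List

RSA_KEY_SIZES = (2048, 3072, 4096)          # sizes the policy documentation lists for RSA
SAN_FIELDS = ("san_dns_names", "san_emails", "san_user_principal_names")
_DN_ATTRIBUTE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*\s*=")   # e.g. "CN=", "emailAddress="


def _plain(value: Any) -> str:
    """Accept either a plain string or a str-based enum such as KeyType/KeyCurveName."""
    return str(getattr(value, "value", value) or "").upper()


def check_policy_kwargs(issuer_name: str, **kwargs: Any) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for CertificatePolicy(issuer_name, **kwargs).

    Errors are requirements stated in the policy documentation; warnings are
    settings that widen the exposure of the private key and deserve a second look.
    """
    errors: List[str] = []
    warnings: List[str] = []

    if not issuer_name:
        errors.append("issuer_name is required ('Self', 'Unknown', or a configured issuer)")

    # Either subject or at least one subject alternative name is required.
    subject = kwargs.get("subject")
    has_san = any(kwargs.get(field) for field in SAN_FIELDS)
    if not subject and not has_san:
        errors.append("subject or one of " + ", ".join(SAN_FIELDS) + " is required")
    elif subject and not _DN_ATTRIBUTE.match(subject):
        errors.append("subject must be an X.509 distinguished name such as 'CN=example.com'")

    key_type = _plain(kwargs.get("key_type"))
    key_size = kwargs.get("key_size")
    if key_type.startswith("RSA"):          # RSA and RSA-HSM
        if key_size is not None and key_size not in RSA_KEY_SIZES:
            errors.append(f"key_size {key_size} is not one of {RSA_KEY_SIZES} for RSA")
    elif key_type.startswith("EC"):         # EC and EC-HSM
        if not kwargs.get("key_curve_name"):
            errors.append("key_curve_name is required for EC key types")
        if key_size is not None:
            warnings.append("key_size is ignored for EC keys; the curve fixes it")

    validity = kwargs.get("validity_in_months")
    if validity is not None and validity <= 0:
        errors.append("validity_in_months must be positive")

    # Exposure-widening settings: allowed, but worth a deliberate decision.
    if kwargs.get("exportable"):
        warnings.append("exportable=True lets the private key leave the vault; keep it False unless required")
    if kwargs.get("reuse_key"):
        warnings.append("reuse_key=True keeps the same key pair across renewals, so renewal does not rotate the key")
    return {"errors": errors, "warnings": warnings}
```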
classmethod get_default()[source]
certificate_transparency

Whether the certificates generated under this policy should be published to certificate transparency logs.

Return type:bool
certificate_type

Type of certificate requested from the issuer provider.

Return type:str
content_type

The media type (MIME type).

Return type:CertificateContentType
created_on

The datetime when the certificate is created.

Return type:datetime
enabled

Whether the certificate is enabled or not.

Return type:bool
enhanced_key_usage

The enhanced key usage.

Return type:list[str]
exportable

Whether the private key can be exported.

Return type:bool
issuer_name

Name of the referenced issuer object or reserved names for the issuer of the certificate.

Return type:str
key_curve_name

Elliptic curve name.

Return type:KeyCurveName
key_size

The key size in bits.

Return type:int
key_type

The type of key pair to be used for the certificate.

Return type:KeyType
key_usage

List of key usages.

Return type:list[KeyUsageType]
lifetime_actions

Actions and their triggers that will be performed by Key Vault over the lifetime of the certificate.

Return type:list[LifetimeAction]
reuse_key

Whether the same key pair will be used on certificate renewal.

Return type:bool
san_dns_names

The subject alternative domain names.

Return type:list[str]
san_emails

The subject alternative email addresses.

Return type:list[str]
san_user_principal_names

The subject alternative user principal names.

Return type:list[str]
subject

The subject name of the certificate.

Return type:str
updated_on

The datetime when the certificate was last updated.

Return type:datetime
validity_in_months

The duration that the certificate is valid for in months.

Return type:int
class azure.keyvault.certificates.CertificateProperties(**kwargs)[source]

Bases: object

Certificate properties consist of a certificate's metadata.

created_on

The datetime when the certificate is created.

Return type:datetime
enabled

Whether the certificate is enabled or not.

Return type:bool
expires_on

The datetime when the certificate expires.

Return type:datetime
id

Certificate identifier.

Return type:str
name

The name of the certificate.

Return type:str
not_before

The datetime before which the certificate is not valid.

Return type:datetime
recovery_level

The deletion recovery level currently in effect for the certificate.

Return type:models.DeletionRecoveryLevel
tags

Application specific metadata in the form of key-value pairs.

Return type:str
updated_on

The datetime when the certificate was last updated.

Return type:datetime
vault_url

URL of the vault containing the certificate.

Return type:str
version

The version of the certificate.

Return type:str
x509_thumbprint

Thumbprint of the certificate.

Return type:bytes
class azure.keyvault.certificates.DeletedCertificate(properties=None, policy=None, cer=None, **kwargs)[source]

Bases: azure.keyvault.certificates._models.KeyVaultCertificate

A Deleted Certificate consisting of its previous id, attributes and its tags, as well as information on when it will be purged.

Parameters:
  • policy (CertificatePolicy) – The management policy of the deleted certificate.
  • cer (bytearray) – CER contents of the X509 certificate.
  • deleted_on (datetime) – The time when the certificate was deleted, in UTC.
  • recovery_id (str) – The URL of the recovery object, used to identify and recover the deleted certificate.
  • scheduled_purge_date (datetime) – The time when the certificate is scheduled to be purged, in UTC.
deleted_on

The datetime that the certificate was deleted.

Return type:datetime
recovery_id

The URL of the recovery object, used to identify and recover the deleted certificate.

Return type:str
scheduled_purge_date

The datetime when the certificate is scheduled to be purged.

Return type:str
class azure.keyvault.certificates.IssuerProperties(provider=None, **kwargs)[source]

Bases: object

The properties of an issuer containing the issuer metadata.

Parameters:provider (str) – The issuer provider.
id

Identifier of the issuer.

Return type:str
name

Name of the issuer.

Return type:str
provider

The issuer provider.

Return type:str
class azure.keyvault.certificates.KeyCurveName[source]

Bases: str, enum.Enum

Supported elliptic curves

p_256 = 'P-256'

The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

p_256_k = 'P-256K'

The SECG SECP256K1 elliptic curve.

p_384 = 'P-384'

The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

p_521 = 'P-521'

The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

class azure.keyvault.certificates.KeyType[source]

Bases: str, enum.Enum

Supported key types

ec = 'EC'

Elliptic Curve

ec_hsm = 'EC-HSM'

Elliptic Curve with a private key which is not exportable from the HSM

rsa = 'RSA'

RSA (https://tools.ietf.org/html/rfc3447)
rsa_hsm = 'RSA-HSM'

RSA with a private key which is not exportable from the HSM

class azure.keyvault.certificates.KeyVaultCertificate(policy=None, properties=None, cer=None, **kwargs)[source]

Bases: object

Consists of a certificate and its attributes

cer

The CER contents of the certificate.

Return type:bytes
id

Certificate identifier.

Return type:str
key_id

Identifier of the key backing the certificate.

Return type:str
name

The name of the certificate.

Return type:str
policy

The management policy of the certificate.

Return type:CertificatePolicy
properties

The certificate's properties.

Return type:CertificateProperties
secret_id

Identifier of the secret backing the certificate.

Return type:str
class azure.keyvault.certificates.KeyUsageType[source]

Bases: str, enum.Enum

The supported types of key usages

crl_sign = 'cRLSign'
data_encipherment = 'dataEncipherment'
decipher_only = 'decipherOnly'
digital_signature = 'digitalSignature'
encipher_only = 'encipherOnly'
key_agreement = 'keyAgreement'
key_cert_sign = 'keyCertSign'
key_encipherment = 'keyEncipherment'
non_repudiation = 'nonRepudiation'
class azure.keyvault.certificates.LifetimeAction(action, lifetime_percentage=None, days_before_expiry=None)[source]

Bases: object

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

Parameters:
  • action (str or CertificatePolicyAction) – The type of the action. For valid values, see CertificatePolicyAction.
  • lifetime_percentage (int) – Percentage of lifetime at which to trigger. Value should be between 1 and 99.
  • days_before_expiry (int) – Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. That is, if validity_in_months is 36, then the value should be between 1 and 972 (36 * 27).
action

The type of the action that will be executed. Valid values are "EmailContacts" and "AutoRenew".

Return type:CertificatePolicyAction
days_before_expiry

Days before expiry to attempt renewal.

Return type:int
lifetime_percentage

Percentage of lifetime at which to trigger.

Return type:int
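The CertificatePolicy parameters and the LifetimeAction trigger limits above are easy to get wrong before a policy ever reaches the vault. The following is an added example, not code from the azure-keyvault-certificates SDK: a stand-alone pre-flight check over a plain-Python stand-in for the policy, applying the 1..99 percentage rule and the validity_in_months * 27 day rule quoted in the LifetimeAction documentation. It assumes (as labelled in the comments) that a trigger sets exactly one of its two fields and that the HSM-backed key types cannot also be marked exportable.

```python
# Added example (not part of the azure-keyvault-certificates SDK): validate the
# lifetime-action rules from the reference text before sending a policy to Key Vault.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Action:
    action: str                              # "AutoRenew" or "EmailContacts"
    lifetime_percentage: Optional[int] = None
    days_before_expiry: Optional[int] = None


@dataclass
class Policy:
    key_type: str                            # "RSA", "RSA-HSM", "EC", "EC-HSM"
    exportable: bool
    validity_in_months: int
    lifetime_actions: List[Action] = field(default_factory=list)


def policy_problems(policy: Policy) -> List[str]:
    """Return rule violations found in the policy (an empty list means it passes)."""
    problems = []
    # Assumption: an HSM-backed key type cannot also be exportable, since the
    # KeyType docs describe those private keys as not exportable from the HSM.
    if policy.exportable and policy.key_type.endswith("-HSM"):
        problems.append(f"exportable=True conflicts with key_type {policy.key_type}")
    if policy.validity_in_months < 1:
        problems.append("validity_in_months must be at least 1")
    max_days = policy.validity_in_months * 27    # upper bound from the LifetimeAction docs
    for i, act in enumerate(policy.lifetime_actions):
        if act.action not in ("AutoRenew", "EmailContacts"):
            problems.append(f"action[{i}]: unknown action {act.action!r}")
        has_pct = act.lifetime_percentage is not None
        has_days = act.days_before_expiry is not None
        # Assumption: a trigger sets exactly one of the two fields.
        if has_pct == has_days:
            problems.append(f"action[{i}]: set exactly one of lifetime_percentage/days_before_expiry")
        if has_pct and not 1 <= act.lifetime_percentage <= 99:
            problems.append(f"action[{i}]: lifetime_percentage {act.lifetime_percentage} not in 1..99")
        if has_days and not 1 <= act.days_before_expiry <= max_days:
            problems.append(f"action[{i}]: days_before_expiry {act.days_before_expiry} not in 1..{max_days}")
    return problems


# Constructed samples: a 36-month policy allows days_before_expiry of at most 972.
GOOD = Policy("RSA", False, 36, [Action("AutoRenew", lifetime_percentage=80)])
BAD = Policy("RSA-HSM", True, 36, [Action("AutoRenew", days_before_expiry=1000),
                                   Action("EmailContacts", lifetime_percentage=100)])
```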
class azure.keyvault.certificates.CertificateContentType[source]

Bases: str, enum.Enum

Content type of the secrets as specified in Certificate Policy

pem = 'application/x-pem-file'
pkcs12 = 'application/x-pkcs12'
class azure.keyvault.certificates.WellKnownIssuerNames[source]

Bases: str, enum.Enum

Collection of well-known issuer names

self = 'Self'

Use this issuer for a self-signed certificate

unknown = 'Unknown'

If you use this issuer, you must manually get an x509 certificate from the issuer of your choice. You must then call merge_certificate() to merge the public x509 certificate with your key vault certificate pending object to complete creation.

class azure.keyvault.certificates.CertificateIssuer(provider, attributes=None, account_id=None, password=None, organization_id=None, admin_contacts=None, **kwargs)[source]

Bases: object

The issuer for a Key Vault certificate.

Parameters:
  • provider (str) – The issuer provider
  • account_id (str) – The username / account name / account id.
  • password (str) – The password / secret / account key.
  • organization_id (str) – The ID of the organization.
  • admin_contacts (list[AdministratorContact]) – Details of the organization administrator.
account_id

The username / account name / account id.

Return type:str
admin_contacts

Contact details of the organization administrator of this issuer.

Return type:list[AdministratorContact]
created_on

The datetime when the certificate is created.

Return type:datetime
enabled

Whether the certificate is enabled or not.

Return type:bool
id

Identifier of the issuer.

Return type:str
name

Name of the issuer.

Return type:str
organization_id

The ID of the organization.

Return type:str
password

The password / secret / account key.

Return type:str
provider

The issuer provider.

Return type:str
updated_on

The datetime when the certificate was last updated.

Return type:datetime