class KeyVaultCertificates:
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
credential = DefaultAzureCredential()
self.certificate_client = CertificateClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.certificate_name = "cert-name-" + uuid.uuid1().hex
def create_certificate(self):
print("creating certificate...")
self.certificate_client.create_certificate(name=self.certificate_name)
print("\tdone")
def get_certificate(self):
print("Getting a certificate...")
certificate = self.certificate_client.get_certificate_with_policy(
name=self.certificate_name)
print("\tdone, certificate: %s." % certificate.name)
def delete_certificate(self):
print("Deleting a certificate...")
deleted_certificate = self.certificate_client.delete_certificate(
name=self.certificate_name)
print("\tdone: " + deleted_certificate.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Certificates\nIdentity - Credential")
print("------------------------")
print("1) Create a certificate")
print("2) Get that certificate")
print("3) Delete that certificate (Clean up the resource)")
print("")
try:
self.create_certificate()
self.get_certificate()
finally:
self.delete_certificate()
# Instantiate a certificate client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_endpoint=VAULT_ENDPOINT,
credential=credential)
try:
print("\n.. Create Certificate")
cert_name = "BackupRestoreCertificate"
# Let's create a certificate for your key vault.
# if the certificate already exists in the Key Vault, then a new version of the certificate is created.
# A long running poller is returned for the create certificate operation.
create_certificate_poller = client.create_certificate(name=cert_name)
# The result call awaits the completion of the create certificate operation and returns the final result.
# It will return a certificate if creation is successful, and will return the CertificateOperation if not.
certificate = create_certificate_poller.result()
print("Certificate with name '{0}' created.".format(cert_name))
# Backups are good to have, if in case certificates gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(name=cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
print("\n.. Delete the certificate")
client.delete_certificate(name=cert_name)
# ----------------------------------------------------------------------------------------------------------
# Instantiate a certificate client that will be used to call the service. Notice that the client is using default
# Azure credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create a certificate for holding storage and bank accounts credentials. If the certificate
# already exists in the Key Vault, then a new version of the certificate is created.
print("\n.. Create Certificate")
bank_cert_name = "BankListCertificate"
storage_cert_name = "StorageListCertificate"
bank_certificate_poller = client.create_certificate(name=bank_cert_name)
storage_certificate_poller = client.create_certificate(
name=storage_cert_name)
# await the creation of the bank and storage certificate
bank_certificate_poller.wait()
storage_certificate_poller.wait()
print("Certificate with name '{0}' was created.".format(bank_cert_name))
print("Certificate with name '{0}' was created.".format(storage_cert_name))
# Let's list the certificates.
print("\n.. List certificates from the Key Vault")
certificates = client.list_certificates()
for certificate in certificates:
print("Certificate with name '{0}' was found.".format(
# Alternatively, if you would like to use our default policy, don't pass a policy parameter to
# our certificate creation method
cert_policy = CertificatePolicy(key_properties=KeyProperties(
exportable=True, key_type='RSA', key_size=2048, reuse_key=False),
content_type=SecretContentType.PKCS12,
issuer_name='Self',
subject_name='CN=*.microsoft.com',
validity_in_months=24,
san_dns_names=['sdk.azure-int.net'])
cert_name = "HelloWorldCertificate"
# create_certificate returns a poller. Calling result() on the poller will return the certificate
# if creation is successful, and the CertificateOperation if not. The wait() call on the poller will
# wait until the long running operation is complete.
certificate = client.create_certificate(name=cert_name,
policy=cert_policy).result()
print("Certificate with name '{0}' created".format(certificate.name))
# Let's get the bank certificate using its name
print("\n.. Get a Certificate by name")
bank_certificate = client.get_certificate_with_policy(name=cert_name)
print("Certificate with name '{0}' was found'.".format(
bank_certificate.name))
# After one year, the bank account is still active, and we have decided to update the tags.
print("\n.. Update a Certificate by name")
tags = {"a": "b"}
updated_certificate = client.update_certificate(name=bank_certificate.name,
tags=tags)
print("Certificate with name '{0}' was updated on date '{1}'".format(
bank_certificate.name, updated_certificate.updated))
# Instantiate a certificate client that will be used to call the service. Notice that the client is using default
# Azure credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_endpoint=VAULT_ENDPOINT,
credential=credential)
try:
# Let's create a certificate for holding storage and bank accounts credentials. If the certificate
# already exists in the Key Vault, then a new version of the certificate is created.
print("\n.. Create Certificate")
bank_cert_name = "BankListCertificate"
storage_cert_name = "StorageListCertificate"
bank_certificate_poller = client.create_certificate(name=bank_cert_name)
storage_certificate_poller = client.create_certificate(
name=storage_cert_name)
# await the creation of the bank and storage certificate
bank_certificate = bank_certificate_poller.result()
storage_certificate = storage_certificate_poller.result()
print("Certificate with name '{0}' was created.".format(
bank_certificate.name))
print("Certificate with name '{0}' was created.".format(
storage_certificate.name))
# Let's list the certificates.
print("\n.. List certificates from the Key Vault")
certificates = client.list_certificates()
# Instantiate a certificate client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create certificates holding storage and bank accounts credentials. If the certificate
# already exists in the Key Vault, then a new version of the certificate is created.
print("\n.. Create Certificates")
bank_cert_name = "BankRecoverCertificate"
storage_cert_name = "ServerRecoverCertificate"
bank_certificate_poller = client.create_certificate(name=bank_cert_name)
storage_certificate_poller = client.create_certificate(name=storage_cert_name)
bank_certificate = bank_certificate_poller.result()
storage_certificate = storage_certificate_poller.result()
print("Certificate with name '{0}' was created.".format(bank_certificate.name))
print("Certificate with name '{0}' was created.".format(storage_certificate.name))
# The storage account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete a Certificate")
deleted_bank_certificate = client.delete_certificate(name=bank_cert_name)
# To ensure certificate is deleted on the server side.
time.sleep(30)
print(
"Certificate with name '{0}' was deleted on date {1}.".format(
# Before creating your certificate, let's create the management policy for your certificate.
# Here you specify the properties of the key, secret, and issuer backing your certificate,
# the X509 component of your certificate, and any lifetime actions you would like to be taken
# on your certificate
# Alternatively, if you would like to use our default policy, don't pass a policy parameter to
# our certificate creation method
cert_policy = CertificatePolicy(key_properties=KeyProperties(
exportable=True, key_type='RSA', key_size=2048, reuse_key=False),
content_type=SecretContentType.PKCS12,
issuer_name='Self',
subject_name='CN=*.microsoft.com',
validity_in_months=24,
san_dns_names=['sdk.azure-int.net'])
cert_name = "HelloWorldCertificate"
create_certificate_poller = client.create_certificate(name=cert_name,
policy=cert_policy)
create_certificate_poller.wait()
print("Certificate with name '{0}' created".format(cert_name))
# Let's get the bank certificate using its name
print("\n.. Get a Certificate by name")
bank_certificate = client.get_certificate_with_policy(name=cert_name)
print("Certificate with name '{0}' was found'.".format(
bank_certificate.name))
# After one year, the bank account is still active, and we have decided to update the tags.
print("\n.. Update a Certificate by name")
tags = {"a": "b"}
updated_certificate = client.update_certificate(name=bank_certificate.name,
tags=tags)
print("Certificate with name '{0}' was updated on date '{1}'".format(
