class KeyVaultCertificates:
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
authority_host = os.environ.get('AZURE_AUTHORITY_HOST') or KnownAuthorities.AZURE_PUBLIC_CLOUD
credential = DefaultAzureCredential(authority=authority_host)
self.certificate_client = CertificateClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential
)
self.certificate_name = "cert-name-" + uuid.uuid1().hex
def create_certificate(self):
print("Creating certificate (name: {})".format(self.certificate_name))
create_poller = self.certificate_client.begin_create_certificate(
certificate_name=self.certificate_name,
policy=CertificatePolicy.get_default())
print("\twaiting...")
create_poller.result()
print("\tdone")
def get_certificate(self):
print("Getting a certificate...")
certificate = self.certificate_client.get_certificate(certificate_name=self.certificate_name)
print("\tdone, certificate: {}.".format(certificate.name))
def delete_certificate(self):
print("Deleting a certificate...")
poller = self.certificate_client.begin_delete_certificate(certificate_name=self.certificate_name)
deleted_certificate = poller.result()
print("\tdone: " + deleted_certificate.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Certificates\nIdentity - Credential")
print("------------------------")
print("1) Create a certificate")
print("2) Get that certificate")
print("3) Delete that certificate (Clean up the resource)")
print("")
try:
self.create_certificate()
self.get_certificate()
finally:
self.delete_certificate()
class KeyVaultCertificates(KeyVaultBase):
def __init__(self):
credential = self.get_default_credential()
self.certificate_client = CertificateClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.certificate_name = "cert-name-" + uuid.uuid1().hex
def create_certificate(self):
print("Creating certificate (name: {})".format(self.certificate_name))
create_poller = self.certificate_client.begin_create_certificate(
certificate_name=self.certificate_name,
policy=CertificatePolicy.get_default())
print("\twaiting...")
create_poller.result()
print("\tdone")
def get_certificate(self):
print("Getting a certificate...")
certificate = self.certificate_client.get_certificate(
certificate_name=self.certificate_name)
print("\tdone, certificate: {}.".format(certificate.name))
def delete_certificate(self):
print("Deleting a certificate...")
poller = self.certificate_client.begin_delete_certificate(
certificate_name=self.certificate_name)
deleted_certificate = poller.result()
print("\tdone: " + deleted_certificate.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Certificates\nIdentity - Credential")
print("------------------------")
print("1) Create a certificate")
print("2) Get that certificate")
print("3) Delete that certificate (Clean up the resource)")
print("")
try:
self.create_certificate()
self.get_certificate()
finally:
self.delete_certificate()
print("Certificate with name '{0}' created".format(certificate.name))
# Let's get the bank certificate using its name
print("\n.. Get a certificate by name")
bank_certificate = client.get_certificate(cert_name)
print("Certificate with name '{0}' was found'.".format(
bank_certificate.name))
# After one year, the bank account is still active, and we have decided to update the tags.
print("\n.. Update a certificate by name")
tags = {"a": "b"}
updated_certificate = client.update_certificate_properties(
certificate_name=bank_certificate.name, tags=tags)
print("Certificate with name '{0}' was updated on date '{1}'".format(
bank_certificate.name, updated_certificate.properties.updated_on))
print("Certificate with name '{0}' was updated with tags '{1}'".format(
bank_certificate.name, updated_certificate.properties.tags))
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete certificate")
deleted_certificate = client.begin_delete_certificate(
bank_certificate.name).result()
print("Certificate with name '{0}' was deleted.".format(
deleted_certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
certificate_name=cert_name, policy=CertificatePolicy.get_default())
# The result call awaits the completion of the create certificate operation and returns the final result.
# It will return a certificate if creation is successful, and will return the CertificateOperation if not.
certificate = create_certificate_poller.result()
print("Certificate with name '{0}' created.".format(cert_name))
# Backups are good to have, if in case certificates gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
print("\n.. Delete the certificate")
delete_operation = client.begin_delete_certificate(cert_name)
deleted_certificate = delete_operation.result()
print("Deleted certificate with name '{0}'".format(deleted_certificate.name))
# Wait for the deletion to complete before purging the certificate.
# The purge will take some time, so wait before restoring the backup to avoid a conflict.
delete_operation.wait()
print("\n.. Purge the certificate")
client.purge_deleted_certificate(deleted_certificate.name)
time.sleep(60)
print("Purged certificate with name '{0}'".format(deleted_certificate.name))
# In the future, if the certificate is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the certificate from the backup")
certificate = client.restore_certificate_backup(certificate_backup)
print("Restored certificate with name '{0}'".format(certificate.name))
bank_certificate_poller = client.begin_create_certificate(
certificate_name=bank_cert_name, policy=CertificatePolicy.get_default()
)
storage_certificate_poller = client.begin_create_certificate(
certificate_name=storage_cert_name, policy=CertificatePolicy.get_default()
)
bank_certificate = bank_certificate_poller.result()
storage_certificate = storage_certificate_poller.result()
print("Certificate with name '{0}' was created.".format(bank_certificate.name))
print("Certificate with name '{0}' was created.".format(storage_certificate.name))
# The storage account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete a Certificate")
deleted_bank_poller = client.begin_delete_certificate(bank_cert_name)
deleted_bank_certificate = deleted_bank_poller.result()
# To ensure certificate is deleted on the server side.
deleted_bank_poller.wait()
print(
"Certificate with name '{0}' was deleted on date {1}.".format(
deleted_bank_certificate.name, deleted_bank_certificate.deleted_on
)
)
# We accidentally deleted the bank account certificate. Let's recover it.
# A deleted certificate can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Certificate")
recovered_bank_poller = client.begin_recover_deleted_certificate(deleted_bank_certificate.name)
recovered_bank_certificate = recovered_bank_poller.result()
# Now we can extract the private key and public certificate from the secret using the cryptography
# package. `additional_certificates` will be empty since the secret only contains one certificate.
# This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault,
# but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key
# in place of load_key_and_certificates.
cert_bytes = base64.b64decode(certificate_secret.value)
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
data=cert_bytes,
password=None
)
print("Certificate with name '{}' was parsed.".format(certificate_secret.name))
# Now we can clean up the vault by deleting, then purging, the certificate.
print("\n.. Delete certificate")
delete_operation_poller = certificate_client.begin_delete_certificate(
certificate_name=cert_name
)
deleted_certificate = delete_operation_poller.result()
delete_operation_poller.wait()
print("Certificate with name '{}' was deleted.".format(deleted_certificate.name))
certificate_client.purge_deleted_certificate(certificate_name=deleted_certificate.name)
print("Certificate with name '{}' is being purged.".format(deleted_certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {}".format(e.message))
finally:
print("\nrun_sample done")
# A long running poller is returned for the create certificate operation.
create_certificate_poller = client.begin_create_certificate(
certificate_name=cert_name, policy=CertificatePolicy.get_default())
# The result call awaits the completion of the create certificate operation and returns the final result.
# It will return a certificate if creation is successful, and will return the CertificateOperation if not.
certificate = create_certificate_poller.result()
print("Certificate with name '{0}' created.".format(cert_name))
# Backups are good to have, if in case certificates gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
print("\n.. Delete the certificate")
client.begin_delete_certificate(cert_name).wait()
print("Deleted certificate '{0}'".format(cert_name))
# In future, if the certificate is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the certificate from the backup")
certificate = client.restore_certificate_backup(certificate_backup)
print("Restored Certificate with name '{0}'".format(certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
"Certificate with name '{0}' was created again with tags '{1}'".format(
bank_certificate.name, bank_certificate.properties.tags))
# You need to check all the different tags your bank account certificate had previously. Let's print
# all the versions of this certificate.
print("\n.. List versions of the certificate using its name")
certificate_versions = client.list_properties_of_certificate_versions(
bank_cert_name)
for certificate_version in certificate_versions:
print(
"Bank Certificate with name '{0}' with version '{1}' has tags: '{2}'."
.format(certificate_version.name, certificate_version.version,
certificate_version.tags))
# The bank account and storage accounts got closed. Let's delete bank and storage accounts certificates.
client.begin_delete_certificate(name=bank_cert_name).wait()
client.begin_delete_certificate(name=storage_cert_name).wait()
# You can list all the deleted and non-purged certificates, assuming Key Vault is soft-delete enabled.
print("\n.. List deleted certificates from the Key Vault")
deleted_certificates = client.list_deleted_certificates()
for deleted_certificate in deleted_certificates:
print("Certificate with name '{0}' has recovery id '{1}'".format(
deleted_certificate.name, deleted_certificate.recovery_id))
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print(
"\n{0} Please enable soft delete on Key Vault to perform this operation."
.format(e.message))
else:
def deleted_certificate_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted certificates from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a certificate client
credential = DefaultAzureCredential()
certificate_client = CertificateClient(
vault_url=vault.properties.vault_uri, credential=credential)
# create certificates in the vault
cert_to_recover = get_name('cert')
cert_to_purge = get_name('cert')
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_recover, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_purge, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print('list the vault certificates')
for certificate in certificates:
print(certificate.name)
# delete the certificates
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_recover)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_purge)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
# list the deleted certificates
deleted_certs = certificate_client.list_deleted_certificates()
print('deleted certificates:')
for deleted_cert in deleted_certs:
print(deleted_cert.name)
# recover a deleted certificate
recovered_certificate_poller = certificate_client.begin_recover_deleted_certificate(
cert_to_recover)
recovered_certificate_certificate = recovered_certificate_poller.result(
)
print('recovered certificate {}'.format(
recovered_certificate_certificate.name))
# purge a deleted certificate
certificate_client.purge_deleted_certificate(cert_to_purge)
time.sleep(50)
print('purged certificate {}'.format(cert_to_purge))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print("all of the certificates in the client's vault:")
for certificate in certificates:
print(certificate.name)
