def _default_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type='application/x-pkcs12'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject=
'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
validity_in_months=12),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(name='Self', ),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
del template.issuer_parameters.certificate_type
del template.lifetime_actions[0].trigger.lifetime_percentage
del template.x509_certificate_properties.subject_alternative_names
del template.x509_certificate_properties.ekus
return template
def _scaffold_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=True,
key_type='(optional) RSA or RSA-HSM (default RSA)',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type='application/x-pkcs12 or application/x-pem-file'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject_alternative_names=SubjectAlternativeNames(
emails=['*****@*****.**'],
dns_names=['hr.contoso.com', 'm.contoso.com'],
upns=[]),
subject=
'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
ekus=['1.3.6.1.5.5.7.3.1'],
validity_in_months=24),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(
name='Unknown, Self, or {IssuerName}',
certificate_type='(optional) DigiCert, GlobalSign or WoSign'),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
return template
def certificate_policy_template():
from azure.keyvault.generated.models import \
(CertificatePolicy, CertificateAttributes, KeyProperties, SecretProperties,
X509CertificateProperties, SubjectAlternativeNames, LifetimeAction, Action, Trigger,
IssuerParameters)
from azure.keyvault.generated.models.key_vault_client_enums \
import ActionType, JsonWebKeyType, KeyUsageType
# create sample policy
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=False,
key_type='{{ {} }}'.format(' | '.join([x.value for x in JsonWebKeyType])),
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties('text/plain'),
x509_certificate_properties=X509CertificateProperties(
subject_alternative_names=SubjectAlternativeNames(
emails=['*****@*****.**', '*****@*****.**'],
dns_names=['www.mydomain.com'],
upns=['principal-name']
),
subject='X509 Distinguished Name',
ekus=['ekus'],
key_usage=['{{ {} }}'.format(' | '.join([x.value for x in KeyUsageType]))],
validity_in_months=60
),
lifetime_actions=[
LifetimeAction(
Trigger(lifetime_percentage=90, days_before_expiry=7),
Action(action_type='{{ {} }}'.format(' | '.join([x.value for x in ActionType])))
)
],
issuer_parameters=IssuerParameters(name='issuer-name'),
attributes=CertificateAttributes(
enabled=True
)
)
# remove properties which are read only
del template.id
del template.attributes.created
del template.attributes.updated
return template
