# It will return a certificate if creation is successful, and will return the CertificateOperation if not.
certificate = create_certificate_poller.result()
print("Certificate with name '{0}' created.".format(cert_name))
# Backups are good to have, if in case certificates gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
print("\n.. Delete the certificate")
delete_operation = client.begin_delete_certificate(cert_name)
deleted_certificate = delete_operation.result()
print("Deleted certificate with name '{0}'".format(deleted_certificate.name))
# Wait for the deletion to complete before purging the certificate.
# The purge will take some time, so wait before restoring the backup to avoid a conflict.
delete_operation.wait()
print("\n.. Purge the certificate")
client.purge_deleted_certificate(deleted_certificate.name)
time.sleep(60)
print("Purged certificate with name '{0}'".format(deleted_certificate.name))
# In the future, if the certificate is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the certificate from the backup")
certificate = client.restore_certificate_backup(certificate_backup)
print("Restored certificate with name '{0}'".format(certificate.name))
print("\nrun_sample done")
deleted_bank_certificate = deleted_bank_poller.result()
# To ensure certificate is deleted on the server side.
deleted_bank_poller.wait()
print(
"Certificate with name '{0}' was deleted on date {1}.".format(
deleted_bank_certificate.name, deleted_bank_certificate.deleted_on
)
)
# We accidentally deleted the bank account certificate. Let's recover it.
# A deleted certificate can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Certificate")
recovered_bank_poller = client.begin_recover_deleted_certificate(deleted_bank_certificate.name)
recovered_bank_certificate = recovered_bank_poller.result()
# To ensure certificate is recovered on the server side.
recovered_bank_poller.wait()
print("Recovered Certificate with name '{0}'.".format(recovered_bank_certificate.name))
# Let's delete the storage certificate now.
# If the keyvault is soft-delete enabled, then for permanent deletion deleted certificate needs to be purged.
client.begin_delete_certificate(storage_cert_name).wait()
# Certificates will still purge eventually on their scheduled purge date, but calling `purge_deleted_certificate` immediately
# purges.
print("\n.. Purge Deleted Certificate")
client.purge_deleted_certificate(storage_cert_name)
print("Certificate has been permanently deleted.")
print("\nrun_sample done")
def deleted_certificate_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted certificates from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a certificate client
credential = DefaultAzureCredential()
certificate_client = CertificateClient(
vault_url=vault.properties.vault_uri, credential=credential)
# create certificates in the vault
cert_to_recover = get_name('cert')
cert_to_purge = get_name('cert')
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_recover, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_purge, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print('list the vault certificates')
for certificate in certificates:
print(certificate.name)
# delete the certificates
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_recover)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_purge)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
# list the deleted certificates
deleted_certs = certificate_client.list_deleted_certificates()
print('deleted certificates:')
for deleted_cert in deleted_certs:
print(deleted_cert.name)
# recover a deleted certificate
recovered_certificate_poller = certificate_client.begin_recover_deleted_certificate(
cert_to_recover)
recovered_certificate_certificate = recovered_certificate_poller.result(
)
print('recovered certificate {}'.format(
recovered_certificate_certificate.name))
# purge a deleted certificate
certificate_client.purge_deleted_certificate(cert_to_purge)
time.sleep(50)
print('purged certificate {}'.format(cert_to_purge))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print("all of the certificates in the client's vault:")
for certificate in certificates:
print(certificate.name)
# Now we can extract the private key and public certificate from the secret using the cryptography
# package. `additional_certificates` will be empty since the secret only contains one certificate.
# This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault,
# but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key
# in place of load_key_and_certificates.
cert_bytes = base64.b64decode(certificate_secret.value)
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
data=cert_bytes,
password=None
)
print("Certificate with name '{}' was parsed.".format(certificate_secret.name))
# Now we can clean up the vault by deleting, then purging, the certificate.
print("\n.. Delete certificate")
delete_operation_poller = certificate_client.begin_delete_certificate(
certificate_name=cert_name
)
deleted_certificate = delete_operation_poller.result()
delete_operation_poller.wait()
print("Certificate with name '{}' was deleted.".format(deleted_certificate.name))
certificate_client.purge_deleted_certificate(certificate_name=deleted_certificate.name)
print("Certificate with name '{}' is being purged.".format(deleted_certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {}".format(e.message))
finally:
print("\nrun_sample done")
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(name=cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
client.delete_certificate(name=cert_name)
# To ensure certificate is deleted on the server side.
time.sleep(30)
print("Deleted Certificate with name '{0}'".format(cert_name))
# Even though the certificate is deleted, it can still be recovered so its name cannot be reused.
# In order to be able to reuse the name during restoration, we must purge the certificate
# after the initial deletion.
print("\nPurging certificate...")
client.purge_deleted_certificate(name=cert_name)
# To ensure certificate is purged on the server side.
time.sleep(30)
print("Purged Certificate with name '{0}'".format(cert_name))
# In future, if the certificate is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the certificate using the backed up certificate bytes")
certificate = client.restore_certificate(certificate_backup)
print("Restored Certificate with name '{0}'".format(certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
