{"library":"azure-keyvault-certificates","title":"Azure Key Vault Certificates Client Library for Python","description":"The Azure Key Vault Certificates client library for Python allows developers to manage X.509 certificates in Azure Key Vault. It provides capabilities to create, retrieve, update, and delete certificates, as well as manage certificate issuers, contacts, and policies. Azure Key Vault is a cloud service for securely storing and managing secrets, keys, and certificates. This library is part of the Azure SDK for Python and is currently at version 4.10.0, with active development and regular updates.","status":"active","version":"4.10.0","language":"en","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk","tags":["Azure","Key Vault","Certificates","Security","Cloud","Authentication"],"install":[{"cmd":"pip install azure-keyvault-certificates azure-identity","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Required runtime environment.","package":"Python","version":">=3.9"},{"reason":"Provides Azure Active Directory authentication, essential for interacting with Azure Key Vault.","package":"azure-identity","optional":false}],"imports":[{"symbol":"CertificateClient","correct":"from azure.keyvault.certificates import CertificateClient"},{"symbol":"CertificatePolicy","correct":"from azure.keyvault.certificates import CertificatePolicy"},{"note":"Used for authenticating to Azure services; provided by the `azure-identity` package.","symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"}],"quickstart":{"code":"import os\nfrom azure.keyvault.certificates import CertificateClient, CertificatePolicy\nfrom azure.identity import DefaultAzureCredential\n\n# Set your Key Vault name as an environment variable or replace the default directly.\n# For local development, ensure you are logged in via Azure CLI (az login).\nkeyvault_name = os.environ.get('AZURE_KEYVAULT_NAME', 'YOUR_KEY_VAULT_NAME')\ncertificate_name = 'MySampleCertificate'\n\n# Construct the Key Vault URL\nvault_url = f\"https://{keyvault_name}.vault.azure.net\"\n\n# Authenticate using DefaultAzureCredential\n# This credential type is suitable for local development and managed identity in production.\ncredential = DefaultAzureCredential()\n\n# Create a CertificateClient. This is the synchronous client; the async variant\n# lives in azure.keyvault.certificates.aio (with azure.identity.aio credentials).\ncertificate_client = CertificateClient(vault_url=vault_url, credential=credential)\n\ndef manage_certificate():\n    print(f\"Creating a self-signed certificate '{certificate_name}' in {keyvault_name}...\")\n    # Build a policy for a self-signed certificate: issuer 'Self' tells Key Vault to sign it itself\n    policy = CertificatePolicy(\n        issuer_name=\"Self\",\n        subject=\"CN=www.contoso.com\",\n        validity_in_months=12\n    )\n\n    # Begin creating the certificate - this is a long-running operation\n    poller = certificate_client.begin_create_certificate(certificate_name, policy)\n\n    # Wait for the certificate creation to complete\n    created_certificate = poller.result()\n    # x509_thumbprint is raw bytes; render it as hex for display\n    print(f\"Certificate '{created_certificate.name}' created with thumbprint: {created_certificate.properties.x509_thumbprint.hex()}\")\n\n    print(f\"Retrieving certificate '{certificate_name}'...\")\n    retrieved_certificate = certificate_client.get_certificate(certificate_name)\n    print(f\"Retrieved certificate version: {retrieved_certificate.properties.version}\")\n\n    print(f\"Deleting certificate '{certificate_name}'...\")\n    # Begin deleting the certificate - this is a long-running operation\n    delete_poller = certificate_client.begin_delete_certificate(certificate_name)\n    delete_poller.wait()\n    print(f\"Certificate '{certificate_name}' deleted.\")\n\n    # Close the client and credential when done to release their HTTP sessions\n    certificate_client.close()\n    credential.close()\n\nif __name__ == '__main__':\n    # Make sure to set the AZURE_KEYVAULT_NAME environment variable\n    # e.g., export AZURE_KEYVAULT_NAME=\"my-unique-vault-name\"\n    # And log in via Azure CLI: az login\n    manage_certificate()","lang":"python","description":"This quickstart demonstrates how to authenticate with Azure Key Vault using `DefaultAzureCredential` and perform basic operations with the synchronous client: creating a self-signed certificate, retrieving it, and then deleting it. Ensure you have an Azure subscription, an existing Azure Key Vault, and are logged into Azure CLI (`az login`) or have appropriate environment variables set for authentication. Replace 'YOUR_KEY_VAULT_NAME' or set the `AZURE_KEYVAULT_NAME` environment variable."},"warnings":[{"fix":"For new Key Vaults, configure permissions using Azure RBAC roles (e.g., 'Key Vault Certificate Officer'). For existing vaults, consider migrating to Azure RBAC for consistent identity and access management. Choose one model (RBAC is recommended) and avoid mixing them.","message":"Azure RBAC (Role-Based Access Control) is now the default access control model for newly created Key Vaults with API version 2026-02-01 and later, replacing or complementing traditional access policies. Existing vaults retain their current model unless updated. Mixing RBAC and access policies can lead to unexpected permission behavior.","severity":"breaking","affected_versions":"New Key Vaults created with Azure Key Vault API version 2026-02-01 or later, and potentially existing vaults undergoing migration."},{"fix":"Carefully review and grant the necessary permissions for 'certificates', 'keys', and 'secrets' within your Key Vault access policies or Azure RBAC role assignments to the identity accessing the vault. Grant only the specific permissions each operation requires instead of overly broad ones.","message":"Common 'Access Denied' (403 Forbidden) errors often stem from insufficient permissions. A Key Vault certificate is composed of three interconnected objects: the certificate itself, an underlying key, and a secret. Access policies/RBAC roles must grant appropriate permissions to all three components (e.g., `certificates/get`, `keys/get`, `secrets/get`) for full functionality.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Implement expiry alerts for certificates and enable auto-rotation for certificates issued by Key Vault's integrated Certificate Authorities. Ensure domain validation and CA integration credentials remain valid for auto-renewal. Regularly monitor certificate lifecycles.","message":"Applications may fail unexpectedly due to expired certificates. While Key Vault supports auto-rotation, it needs proper configuration and monitoring.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Cache certificates in your application's memory or a secure, fast-access store. Retrieve certificates once at application startup or on a periodic basis, rather than on every request.","message":"Frequent requests to Key Vault (e.g., retrieving certificates on every API call) can lead to service throttling (HTTP 429 Too Many Requests) due to rate limits. Key Vault is not designed as a runtime database.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Verify that your certificate file is in the correct format (PFX or PEM, including the private key). Ensure proper encoding and line endings for PEM files. Use tools like OpenSSL to check or convert certificate formats if necessary. Specify `content_type` as 'application/x-pem-file' for PEM imports.","message":"Importing certificates (PFX/PKCS#12 or PEM formats) can fail due to incorrect file format, missing private keys, or content type mismatches. PEM files must contain both the certificate and the private key.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Avoid pinning to specific certificate versions or fingerprints in your applications. Instead, retrieve the latest version of a certificate using its unversioned Key Vault URI so that your application always uses the current, active certificate. Configure monitoring for certificate version changes.","message":"If certificate auto-rotation is enabled or a certificate's policy is updated, Key Vault will automatically generate new versions of certificates, potentially deprecating older ones. Services that pin to specific certificate fingerprints (e.g., for security reasons) will break when a new version is issued.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-05T00:00:00.000Z","next_check":"2026-07-04T00:00:00.000Z"}