Azure Key Vault Certificates Client Library for Python

4.10.0 · active · verified Sun Apr 05

The Azure Key Vault Certificates client library for Python allows developers to manage X.509 certificates in Azure Key Vault. It provides capabilities to create, retrieve, update, and delete certificates, as well as manage certificate issuers, contacts, and policies. Azure Key Vault is a cloud service for securely storing and managing secrets, keys, and certificates. This library is part of the Azure SDK for Python and is currently at version 4.10.0, with active development and regular updates.

Warnings

breaking Azure RBAC (Role-Based Access Control) is now the default access control model for newly created Key Vaults with API version 2026-02-01 and later, replacing or complementing traditional access policies. Existing vaults retain their current model unless updated. Mixing RBAC and access policies can lead to unexpected permission behaviors.
Fix: For new Key Vaults, configure permissions using Azure RBAC roles (e.g., 'Key Vault Certificate Officer'). For existing vaults, consider migrating to Azure RBAC for consistent identity and access management. Choose one model (RBAC is recommended) and avoid mixing.
gotcha Common 'Access Denied' (403 Forbidden) errors often stem from insufficient permissions. A Key Vault certificate is composed of three interconnected objects: the certificate itself, an underlying key, and a secret. Access policies/RBAC roles must grant appropriate permissions to all three components (e.g., `certificates/get`, `keys/get`, `secrets/get`) for full functionality.
Fix: Carefully review and grant the necessary permissions for 'certificates', 'keys', and 'secrets' within your Key Vault access policies or Azure RBAC role assignments to the identity accessing the vault. Use specific permissions required for operations instead of overly broad ones.
gotcha Applications may fail unexpectedly due to expired certificates. While Key Vault supports auto-rotation, it needs proper configuration and monitoring.
Fix: Implement expiry alerts for certificates and enable auto-rotation for certificates issued by Key Vault's integrated Certificate Authorities. Ensure domain validation and CA integration credentials remain valid for auto-renewal. Regularly monitor certificate lifecycles.
gotcha Frequent requests to Key Vault (e.g., retrieving certificates on every API call) can lead to service throttling (HTTP 429 Too Many Requests) due to rate limits. Key Vault is not designed as a runtime database.
Fix: Implement caching mechanisms for certificates in your application's memory or a secure, fast-access store. Retrieve certificates once at application startup or on a periodic basis, rather than on every request.
gotcha Importing certificates (PFX/PKCS#12 or PEM formats) can fail due to incorrect file format, missing private keys, or content type mismatches. PEM files must contain both the certificate and the private key.
Fix: Verify that your certificate file is in the correct format (PFX or PEM, including the private key). Ensure proper encoding and line endings for PEM files. Use tools like OpenSSL to check or convert certificate formats if necessary. Specify `content_type` as 'application/x-pem-file' for PEM imports.
gotcha If certificate auto-rotation is enabled or a certificate's policy is updated, Key Vault will automatically generate new versions of certificates, potentially deprecating older ones. Services that pin to specific certificate fingerprints (e.g., for security reasons) will break when a new version is issued.
Fix: Avoid pinning to specific certificate versions or fingerprints in your applications. Instead, retrieve the latest version of a certificate using its unversioned Key Vault URI to ensure your application always uses the current, active certificate. Configure monitoring for certificate version changes.

Install

pip install azure-keyvault-certificates azure-identity Install with pip

Imports

CertificateClient

from azure.keyvault.certificates import CertificateClient

CertificatePolicy

from azure.keyvault.certificates import CertificatePolicy

DefaultAzureCredential
```
from azure.identity import DefaultAzureCredential
```
Used for authenticating to Azure services; typically provided by `azure-identity`.

Quickstart

This quickstart demonstrates how to authenticate with Azure Key Vault using `DefaultAzureCredential` and perform basic operations: creating a self-signed certificate, retrieving it, and then deleting it. Ensure you have an Azure subscription, an existing Azure Key Vault, and are logged into Azure CLI (`az login`) or have appropriate environment variables set for authentication. Replace 'YOUR_KEY_VAULT_NAME' or set the `AZURE_KEYVAULT_NAME` environment variable.

import os
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
from azure.identity import DefaultAzureCredential

# Set your Key Vault name and certificate name as environment variables or replace directly.
# For local development, ensure you are logged in via Azure CLI (az login).
keyvault_name = os.environ.get('AZURE_KEYVAULT_NAME', 'YOUR_KEY_VAULT_NAME')
certificate_name = 'MySampleCertificate'

# Construct the Key Vault URL
vault_url = f"https://{keyvault_name}.vault.azure.net"

# Authenticate using DefaultAzureCredential
# This credential type is suitable for local development and managed identity in production.
credential = DefaultAzureCredential()

# Create a CertificateClient
certificate_client = CertificateClient(vault_url=vault_url, credential=credential)

async def manage_certificate():
    print(f"Creating a self-signed certificate '{certificate_name}' in {keyvault_name}...")
    # Create a certificate policy for a self-signed certificate
    policy = CertificatePolicy.create_self_signed(
        subject="CN=www.contoso.com",
        issuer_name="Self",
        validity_in_months=12
    )

    # Begin creating the certificate - this is a long-running operation
    poller = await certificate_client.begin_create_certificate(certificate_name, policy)
    
    # Wait for the certificate creation to complete
    created_certificate = await poller.result()
    print(f"Certificate '{created_certificate.name}' created with thumbprint: {created_certificate.properties.x509_thumbprint}")

    print(f"Retrieving certificate '{certificate_name}'...")
    retrieved_certificate = await certificate_client.get_certificate(certificate_name)
    print(f"Retrieved certificate version: {retrieved_certificate.properties.version}")

    print(f"Deleting certificate '{certificate_name}'...")
    # Begin deleting the certificate - this is a long-running operation
    delete_poller = await certificate_client.begin_delete_certificate(certificate_name)
    await delete_poller.wait()
    print(f"Certificate '{certificate_name}' deleted.")

    # Don't forget to close the credential and client when done (especially for async)
    await certificate_client.close()
    await credential.close()

# Example of how to run the async function
import asyncio
if __name__ == '__main__':
    # Make sure to set AZURE_KEYVAULT_NAME environment variable
    # e.g., export AZURE_KEYVAULT_NAME="my-unique-vault-name"
    # And login via Azure CLI: az login
    asyncio.run(manage_certificate())

view raw JSON →