Certificate Access Control

Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario appropriate segmentation and management of certificates.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a key vault, and closely mirrors the operations allowed on a secret object:

  • Permissions for certificate management operations

    • get: Get the current certificate version, or any version of a certificate
    • list: List the current certificates, or versions of a certificate
    • update: Update a certificate
    • create: Create a Key Vault certificate
    • import: Import certificate material into a Key Vault certificate
    • delete: Delete a certificate, its policy, and all of its versions
    • recover: Recover a deleted certificate
    • backup: Backup a certificate in a key vault
    • restore: Restore a backed-up certificate to a key vault
    • managecontacts: Manage Key Vault certificate contacts
    • manageissuers: Manage Key Vault certificate authorities/issuers
    • getissuers: Get a certificate's authorities/issuers
    • listissuers: List a certificate's authorities/issuers
    • setissuers: Create or update a Key Vault certificate's authorities/issuers
    • deleteissuers: Delete a Key Vault certificate's authorities/issuers
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted certificate

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Update Access Policy.


You may see error due to missing access policy. For example Error type : Access denied or user is unauthorized to create certificate To resolve this error, you would need to add certificates/create permission.

Next steps