az keyvault certificate
Manage certificates.
Commands
az keyvault certificate backup
    Backs up the specified certificate.
az keyvault certificate contact
    Manage contacts for certificate management.
az keyvault certificate contact add
    Add a contact to the specified vault to receive notifications of certificate operations.
az keyvault certificate contact delete
    Remove a certificate contact from the specified vault.
az keyvault certificate contact list
    Lists the certificate contacts for a specified key vault.
az keyvault certificate create
    Create a Key Vault certificate.
az keyvault certificate delete
    Deletes a certificate from a specified key vault.
az keyvault certificate download
    Download the public portion of a Key Vault certificate.
az keyvault certificate get-default-policy
    Get the default policy for self-signed certificates.
az keyvault certificate import
    Import a certificate into KeyVault.
az keyvault certificate issuer
    Manage certificate issuer information.
az keyvault certificate issuer admin
    Manage admin information for certificate issuers.
az keyvault certificate issuer admin add
    Add admin details for a specified certificate issuer.
az keyvault certificate issuer admin delete
    Remove admin details for the specified certificate issuer.
az keyvault certificate issuer admin list
    List admins for a specified certificate issuer.
az keyvault certificate issuer create
    Create a certificate issuer record.
az keyvault certificate issuer delete
    Deletes the specified certificate issuer.
az keyvault certificate issuer list
    List certificate issuers for a specified key vault.
az keyvault certificate issuer show
    Lists the specified certificate issuer.
az keyvault certificate issuer update
    Update a certificate issuer record.
az keyvault certificate list
    List certificates in a specified key vault.
az keyvault certificate list-deleted
    Lists the deleted certificates in the specified vault currently available for recovery.
az keyvault certificate list-versions
    List the versions of a certificate.
az keyvault certificate pending
    Manage pending certificate creation operations.
az keyvault certificate pending delete
    Deletes the creation operation for a specific certificate.
az keyvault certificate pending merge
    Merges a certificate or a certificate chain with a key pair existing on the server.
az keyvault certificate pending show
    Gets the creation operation of a certificate.
az keyvault certificate purge
    Permanently deletes the specified deleted certificate.
az keyvault certificate recover
    Recovers the deleted certificate back to its current version under /certificates.
az keyvault certificate restore
    Restores a backed up certificate to a vault.
az keyvault certificate set-attributes
    Updates the specified attributes associated with the given certificate.
az keyvault certificate show
    Gets information about a certificate.
az keyvault certificate show-deleted
    Retrieves information about the specified deleted certificate.
az keyvault certificate backup
Backs up the specified certificate.
Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.
az keyvault certificate backup --file
    [--id]
    [--name]
    [--vault-name]
Required Parameters
--file -f
    Local file path in which to store certificate backup.
Optional Parameters
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
Global Parameters
--debug
    Increase logging verbosity to show all debug logs.
--help -h
    Show this help message and exit.
--only-show-errors
    Only show errors, suppressing warnings.
--output -o
    Output format.
--query
    JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
    Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
    Increase logging verbosity. Use --debug for full debug logs.
az keyvault certificate create
Create a Key Vault certificate.
Certificates can be used as secrets for provisioned virtual machines.
az keyvault certificate create --name
    --policy
    --vault-name
    [--disabled {false, true}]
    [--tags]
    [--validity]
Examples
Create a self-signed certificate with the default policy and add it to a virtual machine.
    az keyvault certificate create --vault-name vaultname -n cert1 \
        -p "$(az keyvault certificate get-default-policy)"
    secrets=$(az keyvault secret list-versions --vault-name vaultname \
        -n cert1 --query "[?attributes.enabled].id" -o tsv)
    vm_secrets=$(az vm secret format -s "$secrets")
    az vm create -g group-name -n vm-name --admin-username deploy \
        --image debian --secrets "$vm_secrets"
Required Parameters
--name -n
    Name of the certificate.
--policy -p
    JSON encoded policy definition. Use @{file} to load from a file (e.g. @my_policy.json).
--vault-name
    Name of the Vault.
Optional Parameters
--disabled
    Create certificate in disabled state.
--tags
    Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
--validity
    Number of months the certificate is valid for. Overrides the value specified with --policy/-p.
az keyvault certificate delete
Deletes a certificate from a specified key vault.
Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.
az keyvault certificate delete [--id]
    [--name]
    [--vault-name]
Optional Parameters
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
az keyvault certificate download
Download the public portion of a Key Vault certificate.
Downloads the certificate formatted as either PEM or DER. PEM is the default.
az keyvault certificate download --file
    [--encoding {DER, PEM}]
    [--id]
    [--name]
    [--vault-name]
    [--version]
Examples
Download a certificate as PEM and check its fingerprint in openssl.
    az keyvault certificate download --vault-name vault -n cert-name -f cert.pem && \
        openssl x509 -in cert.pem -inform PEM -noout -sha1 -fingerprint
Download a certificate as DER and check its fingerprint in openssl.
    az keyvault certificate download --vault-name vault -n cert-name -f cert.crt -e DER && \
        openssl x509 -in cert.crt -inform DER -noout -sha1 -fingerprint
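The two examples above differ only in encoding: the fingerprint openssl prints is a digest over the DER bytes, so a PEM download has to be base64-decoded back to DER before hashing, and both downloads of the same certificate version yield the same value. The Python below is an added example and is not part of the az CLI or its documentation. It normalises a downloaded file in either encoding to DER, reproduces openssl's colon-separated fingerprint format, and compares the result against a pinned value in constant time, which is the check a deployment script would run after `az keyvault certificate download`. `SAMPLE_DER` is constructed placeholder bytes rather than a real certificate; it exists only so the block runs offline, because the hash path is identical for real DER input.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder standing in for DER certificate bytes (NOT a real
# certificate). openssl's fingerprint is a plain digest over the DER encoding,
# so any byte string exercises the same code path as a downloaded cert.crt.
SAMPLE_DER = bytes(range(256))

# The same bytes as the PEM that `-e PEM` (the default) would write to cert.pem.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file back to DER bytes."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = b"".join(match.group(1).split())  # drop the line breaks inside the block
    return base64.b64decode(body, validate=True)


def to_der(data: bytes) -> bytes:
    """Normalise a download in either encoding (-e PEM or -e DER) to DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data)
    return data


def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case digest, the format `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(data: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare a downloaded certificate against a pinned fingerprint.

    Colons and case are ignored so a value copied from openssl output or a
    config file compares equal; the comparison itself is constant-time.
    """
    got = fingerprint(data, algo).replace(":", "").lower()
    want = expected.replace(":", "").lower()
    return hmac.compare_digest(got.encode(), want.encode())


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: pin_check.py <cert.pem|cert.crt> <expected sha256 fingerprint>")
    with open(sys.argv[1], "rb") as fh:
        ok = matches_pin(fh.read(), sys.argv[2])
    print("fingerprint matches pin" if ok else "FINGERPRINT MISMATCH")
    sys.exit(0 if ok else 1)
```

The default pin algorithm here is SHA-256 rather than the SHA-1 the page's openssl invocations use; pass `algo="sha1"` to `fingerprint` to reproduce those exact values. Pin the fingerprint of the specific certificate version you intend to deploy, since `download` without `--version` returns whatever the latest version is at the time it runs.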
Required Parameters
--file -f
    File to receive the binary certificate contents.
Optional Parameters
--encoding -e
    Encoding of the certificate. DER will create a binary DER formatted x509 certificate, and PEM will create a base64 PEM x509 certificate.
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
--version
    The certificate version. If omitted, uses the latest version.
az keyvault certificate get-default-policy
Get the default policy for self-signed certificates.
This default policy can be used in conjunction with az keyvault certificate create to create a self-signed certificate.
The default policy can also be used as a starting point to create derivative policies.
For more details, see: https://docs.microsoft.com/azure/key-vault/certificates/about-certificates#certificate-policy.
az keyvault certificate get-default-policy [--scaffold]
Examples
Create a self-signed certificate with the default policy
    az keyvault certificate create --vault-name vaultname -n cert1 \
        -p "$(az keyvault certificate get-default-policy)"
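The sentence about derivative policies is where the security work happens: the default policy is deliberately generic, and `--policy` on `az keyvault certificate create` accepts any JSON document of the same shape. The Python below is an added example, not part of the az CLI or its documentation. `DEFAULT_POLICY` is a constructed sample in the shape the author has seen `get-default-policy` emit; treat its exact values as an assumption and run the command for the authoritative ones. `check_policy` lints a policy for settings a reviewer would flag on a self-signed leaf certificate (exportable private key, key reuse across renewals, CA key usages, placeholder subject, a renewal trigger that cannot fire), and `derive_policy` produces a tightened derivative that passes the same lint and is ready to save and pass as `-p @hardened_policy.json`. The field names used (`keyProperties`, `x509CertificateProperties`, `subjectAlternativeNames.dnsNames`, `ekus`, `lifetimeActions`) follow the Key Vault certificate policy schema.

```python
import copy
import json

# Constructed sample in the shape of the CLI's default policy (assumption: run
# `az keyvault certificate get-default-policy` for the authoritative values).
DEFAULT_POLICY = {
    "issuerParameters": {"certificateTransparency": None, "name": "Self"},
    "keyProperties": {
        "curve": None,
        "exportable": True,
        "keySize": 2048,
        "keyType": "RSA",
        "reuseKey": True,
    },
    "lifetimeActions": [
        {"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": 90}}
    ],
    "secretProperties": {"contentType": "application/x-pkcs12"},
    "x509CertificateProperties": {
        "keyUsage": [
            "cRLSign",
            "dataEncipherment",
            "digitalSignature",
            "keyEncipherment",
            "keyAgreement",
            "keyCertSign",
        ],
        "subject": "CN=CLIGetDefaultPolicy",
        "validityInMonths": 12,
    },
}

CA_USAGES = {"keyCertSign", "cRLSign"}
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def check_policy(policy: dict) -> list:
    """Return the findings a reviewer would raise about a policy for a self-signed leaf certificate."""
    findings = []
    key = policy.get("keyProperties", {})
    x509 = policy.get("x509CertificateProperties", {})
    if key.get("exportable"):
        findings.append("keyProperties.exportable is true: the private key is readable through the backing secret")
    if key.get("reuseKey"):
        findings.append("keyProperties.reuseKey is true: every renewal keeps the same key pair")
    if key.get("keyType") == "RSA" and int(key.get("keySize") or 0) < 2048:
        findings.append("keyProperties.keySize is below 2048 bits")
    if CA_USAGES & set(x509.get("keyUsage", [])):
        findings.append("x509CertificateProperties.keyUsage grants CA usages (keyCertSign/cRLSign) to a leaf certificate")
    if (x509.get("subject") or "").startswith("CN=CLIGetDefaultPolicy"):
        findings.append("x509CertificateProperties.subject is still the CLI placeholder")
    months = int(x509.get("validityInMonths") or 0)
    for action in policy.get("lifetimeActions", []):
        days = action.get("trigger", {}).get("daysBeforeExpiry")
        # 28-day months keep the comparison conservative across month lengths
        if days is not None and days >= months * 28:
            findings.append("lifetimeActions trigger daysBeforeExpiry is not inside the validity period")
    return findings


def derive_policy(base, subject, dns_names, validity_months, renew_days_before_expiry=30):
    """Build a tightened derivative of `base` without mutating it; refuse to return one that still has findings."""
    policy = copy.deepcopy(base)
    policy["keyProperties"].update(
        {"keyType": "RSA", "keySize": 2048, "exportable": False, "reuseKey": False}
    )
    x509 = policy["x509CertificateProperties"]
    x509["subject"] = subject
    x509["subjectAlternativeNames"] = {"dnsNames": list(dns_names)}
    x509["keyUsage"] = ["digitalSignature", "keyEncipherment"]  # leaf-only usages
    x509["ekus"] = [SERVER_AUTH_EKU]
    x509["validityInMonths"] = validity_months
    policy["lifetimeActions"] = [
        {"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": renew_days_before_expiry}}
    ]
    leftovers = check_policy(policy)
    if leftovers:
        raise ValueError("derived policy still has findings: " + "; ".join(leftovers))
    return policy


def policy_json(policy: dict) -> str:
    """Serialise for `--policy -p @file`: the CLI wants JSON, not Python literals."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for finding in check_policy(DEFAULT_POLICY):
        print("default policy:", finding)
    # Redirect stdout of this script to hardened_policy.json and pass -p @hardened_policy.json
    hardened = derive_policy(DEFAULT_POLICY, "CN=app.example.test", ["app.example.test"], validity_months=6)
    print(policy_json(hardened))
```

Note that `--validity` on `az keyvault certificate create` overrides the `validityInMonths` value in the file, so keep the two consistent in scripts; and a non-exportable key means `az keyvault certificate download` still works (it returns only the public portion) while the backing secret no longer carries the private key.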
Optional Parameters
--scaffold
    Create a fully formed policy structure with default values.
az keyvault certificate import
Import a certificate into KeyVault.
Certificates can also be used as secrets in provisioned virtual machines.
az keyvault certificate import --file
    --name
    --vault-name
    [--disabled {false, true}]
    [--password]
    [--policy]
    [--tags]
Examples
Create a service principal with a certificate, add the certificate to Key Vault and provision a VM with that certificate.
    service_principal=$(az ad sp create-for-rbac --create-cert)
    cert_file=$(echo "$service_principal" | jq -r .fileWithCertAndPrivateKey)
    az keyvault create -g my-group -n vaultname
    az keyvault certificate import --vault-name vaultname -n cert1 -f "$cert_file"
    secrets=$(az keyvault secret list-versions --vault-name vaultname \
        -n cert1 --query "[?attributes.enabled].id" -o tsv)
    vm_secrets=$(az vm secret format -s "$secrets")
    az vm create -g group-name -n vm-name --admin-username deploy \
        --image debian --secrets "$vm_secrets"
Required Parameters
--file -f
    PKCS12 file or PEM file containing the certificate and private key.
--name -n
    Name of the certificate.
--vault-name
    Name of the Vault.
Optional Parameters
--disabled
    Import the certificate in disabled state.
--password
    If the private key in certificate is encrypted, the password used for encryption.
--policy -p
    JSON encoded policy definition. Use @{file} to load from a file (e.g. @my_policy.json).
--tags
    Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
az keyvault certificate list
List certificates in a specified key vault.
The GetCertificates operation returns the set of certificates resources in the specified key vault. This operation requires the certificates/list permission.
az keyvault certificate list [--id]
    [--include-pending {false, true}]
    [--maxresults]
    [--vault-name]
Optional Parameters
--id
    Full URI of the Vault or HSM. If specified all other 'Id' arguments should be omitted.
--include-pending
    Specifies whether to include certificates which are not completely provisioned.
--maxresults
    Maximum number of results to return in a page. If not specified the service will return up to 25 results.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
az keyvault certificate list-deleted
Lists the deleted certificates in the specified vault currently available for recovery.
The GetDeletedCertificates operation retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.
az keyvault certificate list-deleted --vault-name
    [--id]
    [--include-pending {false, true}]
    [--maxresults]
Required Parameters
--vault-name
    Name of the Vault.
Optional Parameters
--id
    Full URI of the Vault. If specified all other 'Id' arguments should be omitted.
--include-pending
    Specifies whether to include certificates which are not completely provisioned.
--maxresults
    Maximum number of results to return in a page. If not specified the service will return up to 25 results.
az keyvault certificate list-versions
List the versions of a certificate.
The GetCertificateVersions operation returns the versions of a certificate in the specified key vault. This operation requires the certificates/list permission.
az keyvault certificate list-versions [--id]
    [--maxresults]
    [--name]
    [--vault-name]
Optional Parameters
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--maxresults
    Maximum number of results to return in a page. If not specified the service will return up to 25 results.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
az keyvault certificate purge
Permanently deletes the specified deleted certificate.
The PurgeDeletedCertificate operation performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify 'Purgeable'. This operation requires the certificates/purge permission.
az keyvault certificate purge [--id]
    [--name]
    [--vault-name]
Optional Parameters
--id
    The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Vault. Required if --id is not specified.
az keyvault certificate recover
Recovers the deleted certificate back to its current version under /certificates.
The RecoverDeletedCertificate operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate's attributes). This operation requires the certificates/recover permission.
az keyvault certificate recover [--id]
    [--name]
    [--vault-name]
Optional Parameters
--id
    The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Vault. Required if --id is not specified.
az keyvault certificate restore
Restores a backed up certificate to a vault.
Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.
az keyvault certificate restore --file
    --vault-name
Required Parameters
--file -f
    Local certificate backup from which to restore certificate.
--vault-name
    Name of the Vault.
az keyvault certificate set-attributes
Updates the specified attributes associated with the given certificate.
The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate's attributes. This operation requires the certificates/update permission.
az keyvault certificate set-attributes [--enabled {false, true}]
    [--id]
    [--name]
    [--policy]
    [--tags]
    [--vault-name]
    [--version]
Optional Parameters
--enabled
    Enable the certificate.
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--policy -p
    JSON encoded policy definition. Use @{file} to load from a file (e.g. @my_policy.json).
--tags
    Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
--version
    The certificate version. If omitted, uses the latest version.
az keyvault certificate show
Gets information about a certificate.
Gets information about a specific certificate. This operation requires the certificates/get permission.
az keyvault certificate show [--id]
    [--name]
    [--vault-name]
    [--version]
Optional Parameters
--id
    Id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Key Vault. Required if --id is not specified.
--version
    The certificate version. If omitted, uses the latest version.
az keyvault certificate show-deleted
Retrieves information about the specified deleted certificate.
The GetDeletedCertificate operation retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion and the current deletion recovery level. This operation requires the certificates/get permission.
az keyvault certificate show-deleted [--id]
    [--name]
    [--vault-name]
Optional Parameters
--id
    The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.
--name -n
    Name of the certificate. Required if --id is not specified.
--vault-name
    Name of the Vault. Required if --id is not specified.