Recover Deleted Certificate - Recover Deleted Certificate

Recovers the deleted certificate back to its current version under /certificates.
The RecoverDeletedCertificate operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate's attributes). This operation requires the certificates/recover permission.

POST {vaultBaseUrl}/deletedcertificates/{certificate-name}/recover?api-version=7.4

URI Parameters

Name In Required Type Description
certificate-name
path True

string

The name of the deleted certificate

vaultBaseUrl
path True

string

The vault name, for example https://myvault.vault.azure.net.

api-version
query True

string

Client API version.

Responses

Name Type Description
200 OK

CertificateBundle

A Certificate bundle of the original certificate and its attributes

Other Status Codes

KeyVaultError

Key Vault error response describing why the operation failed.

Examples

RecoverDeletedCertificate

Sample request

POST https://myvault.vault.azure.net//deletedcertificates/CertCreateDeleteRecoverPurgeTest/recover?api-version=7.4

Sample response

{
  "id": "https://myvault.vault.azure.net/certificates/CertCreateDeleteRecoverPurgeTest/9ff2572a2c3145679057da8b7f6a4b1d",
  "kid": "https://myvault.vault.azure.net/keys/CertCreateDeleteRecoverPurgeTest/9ff2572a2c3145679057da8b7f6a4b1d",
  "sid": "https://myvault.vault.azure.net/secrets/CertCreateDeleteRecoverPurgeTest/9ff2572a2c3145679057da8b7f6a4b1d",
  "x5t": "fLi3U52HunIVNXubkEnf8tP6Wbo",
  "cer": "MIICODCCAeagAwIBAgIQqHmpBAv+CY9IJFoUhlbziTAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTE1MDQyOTIxNTM0MVoXDTM5MTIzMTIzNTk1OVowFzEVMBMGA1UEAxMMS2V5VmF1bHRUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5bVAT73zr4+N4WVv2+SvTunAw08ksS4BrJW/nNliz3S9XuzMBMXvmYzU5HJ8TtEgluBiZZYd5qsMJD+OXHSNbsLdmMhni0jYX09h3XlC2VJw2sGKeYF+xEaavXm337aZZaZyjrFBrrUl51UePaN+kVFXNlBb3N3TYpqa7KokXenJQuR+i9Gv9a77c0UsSsDSryxppYhKK7HvTZCpKrhVtulF5iPMswWe9np3uggfMamyIsK/0L7X9w9B2qN7993RR0A00nOk4H6CnkuwO77dSsD0KJsk6FyAoZBzRXDZh9+d9R76zCL506NcQy/jl0lCiQYwsUX73PG5pxOh02OwKwIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAGqIjo2geVagzuzaZOe1ClGKhZeiCKfWAxklaGN+qlGUbVS4IN4V1lot3VKnzabasmkEHeNxPwLn1qvSD0cX9CE=",
  "attributes": {
    "enabled": true,
    "nbf": 1430344421,
    "exp": 2208988799,
    "created": 1493938486,
    "updated": 1493938486,
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "policy": {
    "id": "https://myvault.vault.azure.net/certificates/CertCreateDeleteRecoverPurgeTest/policy",
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "CN=KeyVaultTest",
      "ekus": [],
      "key_usage": [],
      "validity_months": 297
    },
    "lifetime_actions": [
      {
        "trigger": {
          "lifetime_percentage": 80
        },
        "action": {
          "action_type": "EmailContacts"
        }
      }
    ],
    "issuer": {
      "name": "Unknown"
    },
    "attributes": {
      "enabled": true,
      "created": 1493938486,
      "updated": 1493938486
    }
  }
}

Definitions

Name Description
Action

The action that will be executed.

CertificateAttributes

The certificate management attributes.

CertificateBundle

A certificate bundle consists of a certificate (X509) plus its attributes.

CertificatePolicy

Management policy for a certificate.

CertificatePolicyAction

The type of the action.

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.

Error

The key vault server error.

IssuerParameters

Parameters for the issuer of the X509 component of a certificate.

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

JsonWebKeyType

The type of key pair to be used for the certificate.

KeyProperties

Properties of the key pair backing a certificate.

KeyUsageType

Defines how the certificate's key may be used.

KeyVaultError

The key vault error exception.

LifetimeAction

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

SecretProperties

Properties of the key backing a certificate.

SubjectAlternativeNames

The subject alternate names of a X509 object.

Trigger

A condition to be satisfied for an action to be executed.

X509CertificateProperties

Properties of the X509 component of a certificate.

Action

The action that will be executed.

Name Type Description
action_type

CertificatePolicyAction

The type of the action.

CertificateAttributes

The certificate management attributes.

Name Type Description
created

integer

Creation time in UTC.

enabled

boolean

Determines whether the object is enabled.

exp

integer

Expiry date in UTC.

nbf

integer

Not before date in UTC.

recoverableDays

integer

softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0.

recoveryLevel

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.

updated

integer

Last updated time in UTC.

CertificateBundle

A certificate bundle consists of a certificate (X509) plus its attributes.

Name Type Description
attributes

CertificateAttributes

The certificate attributes.

cer

string

CER contents of x509 certificate.

contentType

string

The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12',

id

string

The certificate id.

kid

string

The key id.

policy

CertificatePolicy

The management policy.

sid

string

The secret id.

tags

object

Application specific metadata in the form of key-value pairs

x5t

string

Thumbprint of the certificate.

CertificatePolicy

Management policy for a certificate.

Name Type Description
attributes

CertificateAttributes

The certificate attributes.

id

string

The certificate id.

issuer

IssuerParameters

Parameters for the issuer of the X509 component of a certificate.

key_props

KeyProperties

Properties of the key backing a certificate.

lifetime_actions

LifetimeAction[]

Actions that will be performed by Key Vault over the lifetime of a certificate.

secret_props

SecretProperties

Properties of the secret backing a certificate.

x509_props

X509CertificateProperties

Properties of the X509 component of a certificate.

CertificatePolicyAction

The type of the action.

Name Type Description
AutoRenew

string

EmailContacts

string

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.

Name Type Description
CustomizedRecoverable

string

Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available.

CustomizedRecoverable+ProtectedSubscription

string

Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7<= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled.

CustomizedRecoverable+Purgeable

string

Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled.

Purgeable

string

Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.)

Recoverable

string

Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered

Recoverable+ProtectedSubscription

string

Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered

Recoverable+Purgeable

string

Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered

Error

The key vault server error.

Name Type Description
code

string

The error code.

innererror

Error

The key vault server error.

message

string

The error message.

IssuerParameters

Parameters for the issuer of the X509 component of a certificate.

Name Type Description
cert_transparency

boolean

Indicates if the certificates generated under this policy should be published to certificate transparency logs.

cty

string

Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL'

name

string

Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'.

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

Name Type Description
P-256

string

P-256K

string

P-384

string

P-521

string

JsonWebKeyType

The type of key pair to be used for the certificate.

Name Type Description
EC

string

EC-HSM

string

RSA

string

RSA-HSM

string

oct

string

oct-HSM

string

KeyProperties

Properties of the key pair backing a certificate.

Name Type Description
crv

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

exportable

boolean

Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key.

key_size

integer

The key size in bits. For example: 2048, 3072, or 4096 for RSA.

kty

JsonWebKeyType

The type of key pair to be used for the certificate.

reuse_key

boolean

Indicates if the same key pair will be used on certificate renewal.

KeyUsageType

Defines how the certificate's key may be used.

Name Type Description
cRLSign

string

dataEncipherment

string

decipherOnly

string

digitalSignature

string

encipherOnly

string

keyAgreement

string

keyCertSign

string

keyEncipherment

string

nonRepudiation

string

KeyVaultError

The key vault error exception.

Name Type Description
error

Error

The key vault server error.

LifetimeAction

Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.

Name Type Description
action

Action

The action that will be executed.

trigger

Trigger

The condition that will execute the action.

SecretProperties

Properties of the key backing a certificate.

Name Type Description
contentType

string

The media type (MIME type).

SubjectAlternativeNames

The subject alternate names of a X509 object.

Name Type Description
dns_names

string[]

Domain names.

emails

string[]

Email addresses.

upns

string[]

User principal names.

Trigger

A condition to be satisfied for an action to be executed.

Name Type Description
days_before_expiry

integer

Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27).

lifetime_percentage

integer

Percentage of lifetime at which to trigger. Value should be between 1 and 99.

X509CertificateProperties

Properties of the X509 component of a certificate.

Name Type Description
ekus

string[]

The enhanced key usage.

key_usage

KeyUsageType[]

Defines how the certificate's key may be used.

sans

SubjectAlternativeNames

The subject alternative names.

subject

string

The subject name. Should be a valid X509 distinguished Name.

validity_months

integer

The duration that the certificate is valid in months.