Share via


az keyvault certificate

Manage certificates.

Commands

Name Description Type Status
az keyvault certificate backup

Backs up the specified certificate.

Core GA
az keyvault certificate contact

Manage contacts for certificate management.

Core GA
az keyvault certificate contact add

Add a contact to the specified vault to receive notifications of certificate operations.

Core GA
az keyvault certificate contact delete

Remove a certificate contact from the specified vault.

Core GA
az keyvault certificate contact list

Lists the certificate contacts for a specified key vault.

Core GA
az keyvault certificate create

Create a Key Vault certificate.

Core GA
az keyvault certificate delete

Deletes a certificate from a specified key vault.

Core Deprecated
az keyvault certificate download

Download the public portion of a Key Vault certificate.

Core GA
az keyvault certificate get-default-policy

Get the default policy for self-signed certificates.

Core GA
az keyvault certificate import

Import a certificate into KeyVault.

Core GA
az keyvault certificate issuer

Manage certificate issuer information.

Core GA
az keyvault certificate issuer admin

Manage admin information for certificate issuers.

Core GA
az keyvault certificate issuer admin add

Add admin details for a specified certificate issuer.

Core GA
az keyvault certificate issuer admin delete

Remove admin details for the specified certificate issuer.

Core GA
az keyvault certificate issuer admin list

List admins for a specified certificate issuer.

Core GA
az keyvault certificate issuer create

Create a certificate issuer record.

Core GA
az keyvault certificate issuer delete

Deletes the specified certificate issuer.

Core GA
az keyvault certificate issuer list

Lists properties of the certificate issuers for the key vault.

Core GA
az keyvault certificate issuer show

Gets the specified certificate issuer.

Core GA
az keyvault certificate issuer update

Update a certificate issuer record.

Core GA
az keyvault certificate list

List certificates in a specified key vault.

Core GA
az keyvault certificate list-deleted

Lists the currently-recoverable deleted certificates.

Core GA
az keyvault certificate list-versions

List the versions of a certificate.

Core GA
az keyvault certificate pending

Manage pending certificate creation operations.

Core GA
az keyvault certificate pending delete

Deletes the creation operation for a specific certificate.

Core GA
az keyvault certificate pending merge

Merges a certificate or a certificate chain with a key pair existing on the server.

Core GA
az keyvault certificate pending show

Gets the creation operation of a certificate.

Core GA
az keyvault certificate purge

Permanently deletes the specified deleted certificate.

Core GA
az keyvault certificate recover

Recover a deleted certificate to its latest version.

Core GA
az keyvault certificate restore

Restores a backed up certificate to a vault.

Core GA
az keyvault certificate set-attributes

Updates the specified attributes associated with the given certificate.

Core GA
az keyvault certificate show

Gets information about a certificate.

Core GA
az keyvault certificate show-deleted

Get a deleted certificate.

Core GA

az keyvault certificate backup

Backs up the specified certificate.

Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.

az keyvault certificate backup --file
                               [--id]
                               [--name]
                               [--vault-name]

Required Parameters

--file -f

Local file path in which to store certificate backup.

Optional Parameters

--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate create

Create a Key Vault certificate.

Certificates can be used as a secrets for provisioned virtual machines.

az keyvault certificate create --name
                               --policy
                               --vault-name
                               [--disabled {false, true}]
                               [--tags]
                               [--validity]

Examples

Create a self-signed certificate with the default policy and add it to a virtual machine.

az keyvault certificate create --vault-name vaultname -n cert1 \
  -p "$(az keyvault certificate get-default-policy)"

secrets=$(az keyvault secret list-versions --vault-name vaultname \
  -n cert1 --query "[?attributes.enabled].id" -o tsv)

vm_secrets=$(az vm secret format -s "$secrets")

az vm create -g group-name -n vm-name --admin-username deploy  \
  --image Debian11 --secrets "$vm_secrets"

Required Parameters

--name -n

Name of the certificate.

--policy -p

JSON encoded policy definition. Use @{file} to load from a file(e.g. @my_policy.json).

--vault-name

Name of the Vault.

Optional Parameters

--disabled

Create certificate in disabled state.

Accepted values: false, true
--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--validity

Number of months the certificate is valid for. Overrides the value specified with --policy/-p.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate delete

Deprecated

Warning! If you have soft-delete protection enabled on this key vault, this certificate will be moved to the soft deleted state. You will not be able to create a certificate with the same name within this key vault until the certificate has been purged from the soft-deleted state. Please see the following documentation for additional guidance. https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview

Deletes a certificate from a specified key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

az keyvault certificate delete [--id]
                               [--name]
                               [--vault-name]

Optional Parameters

--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate download

Download the public portion of a Key Vault certificate.

The certificate formatted as either PEM or DER. PEM is the default.

az keyvault certificate download --file
                                 [--encoding {DER, PEM}]
                                 [--id]
                                 [--name]
                                 [--vault-name]
                                 [--version]

Examples

Download a certificate as PEM and check its fingerprint in openssl.

az keyvault certificate download --vault-name vault -n cert-name -f cert.pem && \
openssl x509 -in cert.pem -inform PEM  -noout -sha1 -fingerprint

Download a certificate as DER and check its fingerprint in openssl.

az keyvault certificate download --vault-name vault -n cert-name -f cert.crt -e DER && \
openssl x509 -in cert.crt -inform DER  -noout -sha1 -fingerprint

Required Parameters

--file -f

File to receive the binary certificate contents.

Optional Parameters

--encoding -e

Encoding of the certificate. DER will create a binary DER formatted x509 certificate, and PEM will create a base64 PEM x509 certificate.

Accepted values: DER, PEM
Default value: PEM
--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The certificate version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate get-default-policy

Get the default policy for self-signed certificates.

This default policy can be used in conjunction with az keyvault create to create a self-signed certificate. The default policy can also be used as a starting point to create derivative policies.

For more details, see: https://docs.microsoft.com/azure/key-vault/certificates/about-certificates#certificate-policy.

az keyvault certificate get-default-policy [--scaffold]

Examples

Create a self-signed certificate with the default policy

az keyvault certificate create --vault-name vaultname -n cert1 \
  -p "$(az keyvault certificate get-default-policy)"

Optional Parameters

--scaffold

Create a fully formed policy structure with default values.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate import

Import a certificate into KeyVault.

Certificates can also be used as a secrets in provisioned virtual machines.

az keyvault certificate import --file
                               --name
                               --vault-name
                               [--disabled {false, true}]
                               [--password]
                               [--policy]
                               [--tags]

Examples

Create a service principal with a certificate, add the certificate to Key Vault and provision a VM with that certificate.

service_principal=$(az ad sp create-for-rbac --create-cert)

cert_file=$(echo $service_principal | jq .fileWithCertAndPrivateKey -r)

az keyvault create -g my-group -n vaultname

az keyvault certificate import --vault-name vaultname -n cert_name -f cert_file

secrets=$(az keyvault secret list-versions --vault-name vaultname \
  -n cert1 --query "[?attributes.enabled].id" -o tsv)

vm_secrets=$(az vm secret format -s "$secrets")

az vm create -g group-name -n vm-name --admin-username deploy  \
  --image Debian11 --secrets "$vm_secrets"

Required Parameters

--file -f

PKCS12 file or PEM file containing the certificate and private key.

--name -n

Name of the certificate.

--vault-name

Name of the Vault.

Optional Parameters

--disabled

Import the certificate in disabled state.

Accepted values: false, true
--password

If the private key in certificate is encrypted, the password used for encryption.

--policy -p

JSON encoded policy definition. Use @{file} to load from a file(e.g. @my_policy.json).

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate list

List certificates in a specified key vault.

The GetCertificates operation returns the set of certificates resources in the specified key vault. This operation requires the certificates/list permission.

az keyvault certificate list [--id]
                             [--include-pending {false, true}]
                             [--maxresults]
                             [--vault-name]

Optional Parameters

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

--include-pending

Specifies whether to include certificates which are not completely provisioned.

Accepted values: false, true
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate list-deleted

Lists the currently-recoverable deleted certificates.

Possible only if vault is soft-delete enabled. Requires certificates/get/list permission. Retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information.

az keyvault certificate list-deleted [--id]
                                     [--include-pending {false, true}]
                                     [--maxresults]
                                     [--vault-name]

Optional Parameters

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

--include-pending

Specifies whether to include certificates which are not completely provisioned.

Accepted values: false, true
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate list-versions

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the specified key vault. This operation requires the certificates/list permission.

az keyvault certificate list-versions [--id]
                                      [--maxresults]
                                      [--name]
                                      [--vault-name]

Optional Parameters

--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate purge

Permanently deletes the specified deleted certificate.

The PurgeDeletedCertificate operation performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify 'Purgeable'. This operation requires the certificate/purge permission.

az keyvault certificate purge [--id]
                              [--name]
                              [--vault-name]

Optional Parameters

--id

The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate recover

Recover a deleted certificate to its latest version.

Possible only in a vault with soft-delete enabled. Requires certificates/recover permission. When this method returns Key Vault has begun recovering the certificate. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered certificate in another operation immediately.

az keyvault certificate recover [--id]
                                [--name]
                                [--vault-name]

Optional Parameters

--id

The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate restore

Restores a backed up certificate to a vault.

Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.

az keyvault certificate restore --file
                                [--vault-name]

Required Parameters

--file -f

Local certificate backup from which to restore certificate.

Optional Parameters

--vault-name

Name of the Key Vault.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate set-attributes

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate's attributes. This operation requires the certificates/update permission.

az keyvault certificate set-attributes [--enabled {false, true}]
                                       [--id]
                                       [--name]
                                       [--policy]
                                       [--tags]
                                       [--vault-name]
                                       [--version]

Optional Parameters

--enabled

Enable the certificate.

Accepted values: false, true
--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--policy -p

JSON encoded policy definition. Use @{file} to load from a file(e.g. @my_policy.json).

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The certificate version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate show

Gets information about a certificate.

Gets information about a specific certificate. This operation requires the certificates/get permission.

az keyvault certificate show [--id]
                             [--name]
                             [--vault-name]
                             [--version]

Optional Parameters

--id

Id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The certificate version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault certificate show-deleted

Get a deleted certificate.

Possible only in a vault with soft-delete enabled. Requires certificates/get permission. Retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion, and the current deletion recovery level.

az keyvault certificate show-deleted [--id]
                                     [--name]
                                     [--vault-name]

Optional Parameters

--id

The recovery id of the certificate. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the certificate. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.