1# ------------------------------------
2# Copyright (c) Microsoft Corporation.
3# Licensed under the MIT License.
4# ------------------------------------
5import os
6from azure.identity import DefaultAzureCredential
7from azure.keyvault.certificates import CertificateClient, CertificatePolicy, CertificateContentType, WellKnownIssuerNames
8from azure.core.exceptions import HttpResponseError
9
10# ----------------------------------------------------------------------------------------------------------
11# Prerequisites:
12# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli)
13#
14# 2. azure-keyvault-certificates and azure-identity packages (pip install these)
15#
16# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL. (See
17#    https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates#authenticate-the-client)
18#
19# ----------------------------------------------------------------------------------------------------------
# Sample - demonstrates the basic CRUD operations on a certificate resource in an Azure Key Vault
21#
22# 1. Create a new certificate (begin_create_certificate)
23#
24# 2. Get an existing certificate (get_certificate)
25#
26# 3. Update an existing certificate (update_certificate)
27#
28# 4. Delete a certificate (begin_delete_certificate)
29#
30# ----------------------------------------------------------------------------------------------------------
31
32# Instantiate a certificate client that will be used to call the service.
33# Notice that the client is using default Azure credentials.
34# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
35# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
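# The vault URL is mandatory: os.environ[...] raises KeyError if VAULT_URL is not set.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
try:
    # Create a certificate for holding bank account credentials. The policy below makes it
    # valid for 24 months (validity_in_months). If a certificate with this name already exists
    # in the Key Vault, a new version of it is created instead.
    print("\n.. Create certificate")

    # Before creating the certificate, define the management policy that governs it: the
    # properties of the key, secret and issuer backing the certificate, its X.509 component,
    # and any lifetime actions the vault should take on it.
    #
    # To use the service's default policy instead, pass CertificatePolicy.get_default().
    cert_policy = CertificatePolicy(
        issuer_name=WellKnownIssuerNames.self,  # self-signed; no external CA is involved
        subject="CN=*.microsoft.com",
        san_dns_names=["sdk.azure-int.net"],
        # exportable=True allows the private key to be exported from the vault. Use False for
        # keys that must never leave Key Vault.
        exportable=True,
        key_type="RSA",
        key_size=2048,
        reuse_key=False,  # generate a fresh key pair on renewal rather than reusing the old one
        content_type=CertificateContentType.pkcs12,
        validity_in_months=24,
    )
    cert_name = "HelloWorldCertificate"

    # begin_create_certificate returns a poller. result() blocks until the long-running
    # operation completes and returns the certificate as a KeyVaultCertificate when creation
    # succeeded, or the CertificateOperation when it did not.
    certificate = client.begin_create_certificate(
        certificate_name=cert_name, policy=cert_policy
    ).result()
    print("Certificate with name '{0}' created".format(certificate.name))

    # Retrieve the bank certificate by its name.
    print("\n.. Get a certificate by name")
    bank_certificate = client.get_certificate(cert_name)
    # Fixed: the original message had a stray quote ("was found'.").
    print("Certificate with name '{0}' was found.".format(bank_certificate.name))

    # Later, the bank account is still active and we decide to update the certificate's tags.
    # update_certificate_properties changes only properties such as tags; the key material and
    # the policy are left as they are.
    print("\n.. Update a certificate by name")
    tags = {"a": "b"}
    updated_certificate = client.update_certificate_properties(
        certificate_name=bank_certificate.name, tags=tags
    )
    print(
        "Certificate with name '{0}' was updated on date '{1}'".format(
            bank_certificate.name, updated_certificate.properties.updated_on
        )
    )
    print(
        "Certificate with name '{0}' was updated with tags '{1}'".format(
            bank_certificate.name, updated_certificate.properties.tags
        )
    )

    # The bank account was closed, so remove its credentials from the Key Vault.
    # NOTE: if the vault has soft-delete enabled, the deleted certificate stays recoverable
    # (and its name reserved) until it is purged or the retention period elapses.
    print("\n.. Delete certificate")
    deleted_certificate = client.begin_delete_certificate(bank_certificate.name).result()
    print("Certificate with name '{0}' was deleted.".format(deleted_certificate.name))

except HttpResponseError as e:
    # Service-side failures (authentication, missing permissions, rejected policy, throttling)
    # surface here; the message is printed rather than re-raised because this is a demo script.
    print("\nrun_sample has caught an error. {0}".format(e.message))

finally:
    print("\nrun_sample done")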
103