Microsoft.KeyVault (preview:7.6.2)

2025/02/04 • 99 new methods

FullBackup (new)

Description	: Creates a full backup using a user-provided SAS token to an Azure blob storage container.
Reference	: Link ¶

⚼ Request

POST: /backup

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

azureStorageBlobContainerUri:

{

Description: Azure blob shared access signature token pointing to a valid Azure blob container where full backup needs to be stored. This token needs to be valid for at least next 24 hours from the time of making this call. ,

Required: True ,

}

{

storageResourceUri:

{

Description: Azure Blob storage container Uri ,

Required: True ,

}

string ,

token:

{

Description: The SAS token pointing to an Azure Blob storage container ,

Required: False ,

}

string ,

useManagedIdentity:

{

Description: Indicates which authentication method should be used. If set to true, Managed HSM will use the configured user-assigned managed identity to authenticate with Azure Storage. Otherwise, a SAS token has to be specified. ,

Required: False ,

}

boolean ,

}

⚐ Response (202)

{

$headers:

{

azure-asyncoperation:

{

Description: The URI to poll for completion status. ,

}

string ,

retry-after:

{

Description: The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation. ,

}

integer ,

}

$schema:

{

Description: Full backup operation ,

}

{

status:

{

Description: Status of the backup operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of backup operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the full backup operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

startTime:

{

Description: The start time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

jobId:

{

Description: Identifier for the full backup operation. ,

Required: False ,

}

string ,

azureStorageBlobContainerUri:

{

Description: The Azure blob storage container Uri which contains the full backup ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

FullBackupStatus (new)

Description	: Returns the status of full backup operation
Reference	: Link ¶

⚼ Request

GET: /backup/{jobId}/pending

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

jobId:

{

Description: The id returned as part of the backup request ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

status:

{

Description: Status of the backup operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of backup operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the full backup operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

startTime:

{

Description: The start time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

jobId:

{

Description: Identifier for the full backup operation. ,

Required: False ,

}

string ,

azureStorageBlobContainerUri:

{

Description: The Azure blob storage container Uri which contains the full backup ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

SelectiveKeyRestoreOperation (new)

Description	: Restores all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder
Reference	: Link ¶

⚼ Request

PUT: /keys/{keyName}/restore

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

keyName:

{

Description: The name of the key to be restored from the user supplied backup ,

Required: True ,

}

string ,

restoreBlobDetails:

{

Description: The Azure blob SAS token pointing to a folder where the previous successful full backup was stored ,

Required: True ,

}

{

sasTokenParameters:

{

Description: A user-provided SAS token to an Azure blob storage container. ,

Required: True ,

}

{

storageResourceUri:

{

Description: Azure Blob storage container Uri ,

Required: True ,

}

string ,

token:

{

Description: The SAS token pointing to an Azure Blob storage container ,

Required: False ,

}

string ,

useManagedIdentity:

{

Required: False ,

}

boolean ,

}

folder:

{

Description: The Folder name of the blob where the previous successful full backup was stored ,

Required: True ,

}

string ,

}

⚐ Response (202)

{

$headers:

{

azure-asyncoperation:

{

Description: The URI to poll for completion status. ,

}

string ,

retry-after:

{

Description: The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation. ,

}

integer ,

}

$schema:

{

Description: Selective Key Restore operation ,

}

{

status:

{

Description: Status of the restore operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of restore operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the selective key restore operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

jobId:

{

Description: Identifier for the selective key restore operation. ,

Required: False ,

}

string ,

startTime:

{

Description: The start time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

PreFullBackup (new)

Description	: Pre-backup operation for checking whether the customer can perform a full backup operation.
Reference	: Link ¶

⚼ Request

POST: /prebackup

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

preBackupOperationParameters:

{

Description: Optional parameters to validate prior to performing a full backup operation. ,

Required: True ,

}

{

storageResourceUri:

{

Description: Azure Blob storage container Uri ,

Required: False ,

}

string ,

token:

{

Description: The SAS token pointing to an Azure Blob storage container ,

Required: False ,

}

string ,

useManagedIdentity:

{

Required: False ,

}

boolean ,

}

⚐ Response (202)

{

$headers:

{

azure-asyncoperation:

{

Description: The URI to poll for completion status. ,

}

string ,

retry-after:

{

Description: The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation. ,

}

integer ,

}

$schema:

{

Description: Full backup operation ,

}

{

status:

{

Description: Status of the backup operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of backup operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the full backup operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

startTime:

{

Description: The start time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the backup operation in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

jobId:

{

Description: Identifier for the full backup operation. ,

Required: False ,

}

string ,

azureStorageBlobContainerUri:

{

Description: The Azure blob storage container Uri which contains the full backup ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

PreFullRestoreOperation (new)

Description	: Pre-restore operation for checking whether the customer can perform a full restore operation.
Reference	: Link ¶

⚼ Request

PUT: /prerestore

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

preRestoreOperationParameters:

{

Description: Optional pre restore parameters to validate prior to performing a full restore operation. ,

Required: True ,

}

{

sasTokenParameters:

{

Description: A user-provided SAS token to an Azure blob storage container. ,

Required: False ,

}

{

storageResourceUri:

{

Description: Azure Blob storage container Uri ,

Required: True ,

}

string ,

token:

{

Description: The SAS token pointing to an Azure Blob storage container ,

Required: False ,

}

string ,

useManagedIdentity:

{

Required: False ,

}

boolean ,

}

folderToRestore:

{

Description: The Folder name of the blob where the previous successful full backup was stored ,

Required: False ,

}

string ,

}

⚐ Response (202)

{

$headers:

{

azure-asyncoperation:

{

Description: The URI to poll for completion status. ,

}

string ,

retry-after:

{

Description: The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation. ,

}

integer ,

}

$schema:

{

Description: Restore operation ,

}

{

status:

{

Description: Status of the restore operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of restore operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the restore operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

jobId:

{

Description: Identifier for the restore operation. ,

Required: False ,

}

string ,

startTime:

{

Description: The start time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

FullRestoreOperation (new)

Description	: Restores all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder
Reference	: Link ¶

⚼ Request

PUT: /restore

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

restoreBlobDetails:

{

Description: The Azure blob SAS token pointing to a folder where the previous successful full backup was stored. ,

Required: True ,

}

{

sasTokenParameters:

{

Description: A user-provided SAS token to an Azure blob storage container. ,

Required: True ,

}

{

storageResourceUri:

{

Description: Azure Blob storage container Uri ,

Required: True ,

}

string ,

token:

{

Description: The SAS token pointing to an Azure Blob storage container ,

Required: False ,

}

string ,

useManagedIdentity:

{

Required: False ,

}

boolean ,

}

folderToRestore:

{

Description: The Folder name of the blob where the previous successful full backup was stored ,

Required: True ,

}

string ,

}

⚐ Response (202)

{

$headers:

{

azure-asyncoperation:

{

Description: The URI to poll for completion status. ,

}

string ,

retry-after:

{

Description: The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation. ,

}

integer ,

}

$schema:

{

Description: Restore operation ,

}

{

status:

{

Description: Status of the restore operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of restore operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the restore operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

jobId:

{

Description: Identifier for the restore operation. ,

Required: False ,

}

string ,

startTime:

{

Description: The start time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

RestoreStatus (new)

Description	: Returns the status of restore operation
Reference	: Link ¶

⚼ Request

GET: /restore/{jobId}/pending

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

jobId:

{

Description: The Job Id returned part of the restore operation ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

status:

{

Description: Status of the restore operation. ,

Enum:

{

InProgress: The operation is in progress. ,

Succeeded: The operation successfully completed. ,

Canceled: The operation was canceled. ,

Failed: The operation failed. ,

}

Required: False ,

}

enum ,

statusDetails:

{

Description: The status details of restore operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the restore operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

jobId:

{

Description: Identifier for the restore operation. ,

Required: False ,

}

string ,

startTime:

{

Description: The start time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

endTime:

{

Description: The end time of the restore operation ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificates (new)

Description	: The GetCertificates operation returns the set of certificates resources in the specified key vault. This operation requires the certificates/list permission.
Reference	: Link ¶

⚼ Request

GET: /certificates

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

includePending:

{

Description: Specifies whether to include certificates which are not completely provisioned. ,

Required: False ,

}

boolean ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of certificates in the key vault along with a link to the next page of certificates. ,

Required: False ,

}

[

{

id:

{

Description: Certificate identifier. ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Description: Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. ,

Enum:

{

Purgeable: Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.) ,

Recoverable+Purgeable: Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered ,

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

Recoverable+ProtectedSubscription: Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered ,

CustomizedRecoverable+Purgeable: Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled. ,

CustomizedRecoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available. ,

CustomizedRecoverable+ProtectedSubscription: Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled. ,

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

}

]

nextLink:

{

Description: The URL to get the next set of certificates. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

DeleteCertificate (new)

Description	: Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.
Reference	: Link ¶

⚼ Request

DELETE: /certificates/{certificate-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted certificate. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the certificate is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the certificate was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificate (new)

Description	: Gets information about a specific certificate. This operation requires the certificates/get permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/{certificate-name}/{certificate-version}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate in the given vault. ,

Required: True ,

}

string ,

certificate-version:

{

Description: The version of the certificate. This URI fragment is optional. If not specified, the latest version of the certificate is returned. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

UpdateCertificate (new)

Description	: The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate's attributes. This operation requires the certificates/update permission.
Reference	: Link ¶

⚼ Request

PATCH: /certificates/{certificate-name}/{certificate-version}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate in the given key vault. ,

Required: True ,

}

string ,

certificate-version:

{

Description: The version of the certificate. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for certificate update. ,

Required: True ,

}

{

policy:

{

Description: The management policy for the certificate. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

attributes:

{

Description: The attributes of the certificate (optional). ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

BackupCertificate (new)

Description	: Requests that a backup of the specified certificate be downloaded to the client. All versions of the certificate will be downloaded. This operation requires the certificates/backup permission.
Reference	: Link ¶

⚼ Request

POST: /certificates/{certificate-name}/backup

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

value:

{

Description: The backup blob containing the backed up certificate. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

CreateCertificate (new)

Description	: If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.
Reference	: Link ¶

⚼ Request

POST: /certificates/{certificate-name}/create

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters to create a certificate. ,

Required: True ,

}

{

policy:

{

Description: The management policy for the certificate. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

attributes:

{

Description: The attributes of the certificate (optional). ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (202)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

csr:

{

Description: The certificate signing request (CSR) that is being used in the certificate operation. ,

Format: byte ,

Required: False ,

}

string ,

cancellation_requested:

{

Description: Indicates if cancellation was requested on the certificate operation. ,

Required: False ,

}

boolean ,

status:

{

Description: Status of the certificate operation. ,

Required: False ,

}

string ,

status_details:

{

Description: The status details of the certificate operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the certificate operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

target:

{

Description: Location which contains the result of the certificate operation. ,

Required: False ,

}

string ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

request_id:

{

Description: Identifier for the certificate operation. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

ImportCertificate (new)

Description	: Imports an existing valid certificate, containing a private key, into Azure Key Vault. This operation requires the certificates/import permission. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. Key Vault will only accept a key in PKCS#8 format.
Reference	: Link ¶

⚼ Request

POST: /certificates/{certificate-name}/import

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Required: True ,

}

string ,

parameters:

{

Description: The parameters to import the certificate. ,

Required: True ,

}

{

value:

{

Description: Base64 encoded representation of the certificate object to import. This certificate needs to contain the private key. ,

Required: True ,

}

string ,

pwd:

{

Description: If the private key in base64EncodedCertificate is encrypted, the password used for encryption. ,

Required: False ,

}

string ,

policy:

{

Description: The management policy for the certificate. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

attributes:

{

Description: The attributes of the certificate (optional). ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificateOperation (new)

Description	: Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/{certificate-name}/pending

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

csr:

{

Description: The certificate signing request (CSR) that is being used in the certificate operation. ,

Format: byte ,

Required: False ,

}

string ,

cancellation_requested:

{

Description: Indicates if cancellation was requested on the certificate operation. ,

Required: False ,

}

boolean ,

status:

{

Description: Status of the certificate operation. ,

Required: False ,

}

string ,

status_details:

{

Description: The status details of the certificate operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the certificate operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

target:

{

Description: Location which contains the result of the certificate operation. ,

Required: False ,

}

string ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

request_id:

{

Description: Identifier for the certificate operation. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

UpdateCertificateOperation (new)

Description	: Updates a certificate creation operation that is already in progress. This operation requires the certificates/update permission.
Reference	: Link ¶

⚼ Request

PATCH: /certificates/{certificate-name}/pending

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

certificateOperation:

{

Description: The certificate operation response. ,

Required: True ,

}

{

cancellation_requested:

{

Description: Indicates if cancellation was requested on the certificate operation. ,

Required: True ,

}

boolean ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

csr:

{

Description: The certificate signing request (CSR) that is being used in the certificate operation. ,

Format: byte ,

Required: False ,

}

string ,

cancellation_requested:

{

Description: Indicates if cancellation was requested on the certificate operation. ,

Required: False ,

}

boolean ,

status:

{

Description: Status of the certificate operation. ,

Required: False ,

}

string ,

status_details:

{

Description: The status details of the certificate operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the certificate operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

target:

{

Description: Location which contains the result of the certificate operation. ,

Required: False ,

}

string ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

request_id:

{

Description: Identifier for the certificate operation. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

DeleteCertificateOperation (new)

Description	: Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.
Reference	: Link ¶

⚼ Request

DELETE: /certificates/{certificate-name}/pending

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

csr:

{

Description: The certificate signing request (CSR) that is being used in the certificate operation. ,

Format: byte ,

Required: False ,

}

string ,

cancellation_requested:

{

Description: Indicates if cancellation was requested on the certificate operation. ,

Required: False ,

}

boolean ,

status:

{

Description: Status of the certificate operation. ,

Required: False ,

}

string ,

status_details:

{

Description: The status details of the certificate operation. ,

Required: False ,

}

string ,

error:

{

Description: Error encountered, if any, during the certificate operation. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

target:

{

Description: Location which contains the result of the certificate operation. ,

Required: False ,

}

string ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

request_id:

{

Description: Identifier for the certificate operation. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

MergeCertificate (new)

Description	: The MergeCertificate operation performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission.
Reference	: Link ¶

⚼ Request

POST: /certificates/{certificate-name}/pending/merge

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters to merge certificate. ,

Required: True ,

}

{

x5c:

{

Description: The certificate or the certificate chain to merge. ,

Required: True ,

}

[

string ,

]

attributes:

{

Description: The attributes of the certificate (optional). ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

}

⚐ Response (201)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificatePolicy (new)

Description	: The GetCertificatePolicy operation returns the specified certificate policy resources in the specified key vault. This operation requires the certificates/get permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/{certificate-name}/policy

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate in a given key vault. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

UpdateCertificatePolicy (new)

Description	: Set specified members in the certificate policy. Leave others as null. This operation requires the certificates/update permission.
Reference	: Link ¶

⚼ Request

PATCH: /certificates/{certificate-name}/policy

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate in the given vault. ,

Required: True ,

}

string ,

certificatePolicy:

{

Description: The policy for the certificate. ,

Required: True ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificateVersions (new)

Description	: The GetCertificateVersions operation returns the versions of a certificate in the specified key vault. This operation requires the certificates/list permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/{certificate-name}/versions

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of certificates in the key vault along with a link to the next page of certificates. ,

Required: False ,

}

[

{

id:

{

Description: Certificate identifier. ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

}

]

nextLink:

{

Description: The URL to get the next set of certificates. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificateContacts (new)

Description	: The GetCertificateContacts operation returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/contacts

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the contacts collection. ,

Required: False ,

}

string ,

contacts:

{

Description: The contact list for the vault certificates. ,

Required: False ,

}

[

{

email:

{

Description: Email address. ,

Required: False ,

}

string ,

name:

{

Description: Name. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

SetCertificateContacts (new)

Description	: Sets the certificate contacts for the specified key vault. This operation requires the certificates/managecontacts permission.
Reference	: Link ¶

⚼ Request

PUT: /certificates/contacts

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

contacts:

{

Description: The contacts for the key vault certificate. ,

Required: True ,

}

{

id:

{

Description: Identifier for the contacts collection. ,

Required: False ,

}

string ,

contacts:

{

Description: The contact list for the vault certificates. ,

Required: False ,

}

[

{

email:

{

Description: Email address. ,

Required: False ,

}

string ,

name:

{

Description: Name. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

⚐ Response (200)

{

id:

{

Description: Identifier for the contacts collection. ,

Required: False ,

}

string ,

contacts:

{

Description: The contact list for the vault certificates. ,

Required: False ,

}

[

{

email:

{

Description: Email address. ,

Required: False ,

}

string ,

name:

{

Description: Name. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

DeleteCertificateContacts (new)

Description	: Deletes the certificate contacts for a specified key vault certificate. This operation requires the certificates/managecontacts permission.
Reference	: Link ¶

⚼ Request

DELETE: /certificates/contacts

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the contacts collection. ,

Required: False ,

}

string ,

contacts:

{

Description: The contact list for the vault certificates. ,

Required: False ,

}

[

{

email:

{

Description: Email address. ,

Required: False ,

}

string ,

name:

{

Description: Name. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificateIssuers (new)

Description	: The GetCertificateIssuers operation returns the set of certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/issuers

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of certificate issuers in the key vault along with a link to the next page of certificate issuers. ,

Required: False ,

}

[

{

id:

{

Description: Certificate Identifier. ,

Required: False ,

}

string ,

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

}

]

nextLink:

{

Description: The URL to get the next set of certificate issuers. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetCertificateIssuer (new)

Description	: The GetCertificateIssuer operation returns the specified certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.
Reference	: Link ¶

⚼ Request

GET: /certificates/issuers/{issuer-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

issuer-name:

{

Description: The name of the issuer. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the issuer object. ,

Required: False ,

}

string ,

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

SetCertificateIssuer (new)

Description	: The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.
Reference	: Link ¶

⚼ Request

PUT: /certificates/issuers/{issuer-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

issuer-name:

{

Description: The name of the issuer. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. ,

Required: True ,

}

string ,

parameter:

{

Description: Certificate issuer set parameter. ,

Required: True ,

}

{

provider:

{

Description: The issuer provider. ,

Required: True ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the issuer object. ,

Required: False ,

}

string ,

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

UpdateCertificateIssuer (new)

Description	: The UpdateCertificateIssuer operation performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.
Reference	: Link ¶

⚼ Request

PATCH: /certificates/issuers/{issuer-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

issuer-name:

{

Description: The name of the issuer. ,

Required: True ,

}

string ,

parameter:

{

Description: Certificate issuer update parameter. ,

Required: True ,

}

{

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the issuer object. ,

Required: False ,

}

string ,

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

DeleteCertificateIssuer (new)

Description	: The DeleteCertificateIssuer operation permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.
Reference	: Link ¶

⚼ Request

DELETE: /certificates/issuers/{issuer-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

issuer-name:

{

Description: The name of the issuer. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: Identifier for the issuer object. ,

Required: False ,

}

string ,

provider:

{

Description: The issuer provider. ,

Required: False ,

}

string ,

credentials:

{

Description: The credentials to be used for the issuer. ,

Required: False ,

}

{

account_id:

{

Description: The user name/account name/account id. ,

Required: False ,

}

string ,

pwd:

{

Description: The password/secret/account key. ,

Required: False ,

}

string ,

}

org_details:

{

Description: Details of the organization as provided to the issuer. ,

Required: False ,

}

{

id:

{

Description: Id of the organization. ,

Required: False ,

}

string ,

admin_details:

{

Description: Details of the organization administrator. ,

Required: False ,

}

[

{

first_name:

{

Description: First name. ,

Required: False ,

}

string ,

last_name:

{

Description: Last name. ,

Required: False ,

}

string ,

email:

{

Description: Email address. ,

Required: False ,

}

string ,

phone:

{

Description: Phone number. ,

Required: False ,

}

string ,

}

]

}

attributes:

{

Description: Attributes of the issuer object. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the issuer is enabled. ,

Required: False ,

}

boolean ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

RestoreCertificate (new)

Description	: Restores a backed up certificate, and all its versions, to a vault. This operation requires the certificates/restore permission.
Reference	: Link ¶

⚼ Request

POST: /certificates/restore

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters to restore the certificate. ,

Required: True ,

}

{

value:

{

Description: The backup blob associated with a certificate bundle. ,

Format: base64url ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetDeletedCertificates (new)

Description	: The GetDeletedCertificates operation retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.
Reference	: Link ¶

⚼ Request

GET: /deletedcertificates

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

includePending:

{

Description: Specifies whether to include certificates which are not completely provisioned. ,

Required: False ,

}

boolean ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of deleted certificates in the vault along with a link to the next page of deleted certificates. ,

Required: False ,

}

[

{

id:

{

Description: Certificate identifier. ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted certificate. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the certificate is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the certificate was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

]

nextLink:

{

Description: The URL to get the next set of deleted certificates. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetDeletedCertificate (new)

Description	: The GetDeletedCertificate operation retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion and the current deletion recovery level. This operation requires the certificates/get permission.
Reference	: Link ¶

⚼ Request

GET: /deletedcertificates/{certificate-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted certificate. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the certificate is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the certificate was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

PurgeDeletedCertificate (new)

Description	: The PurgeDeletedCertificate operation performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify 'Purgeable'. This operation requires the certificate/purge permission.
Reference	: Link ¶

⚼ Request

DELETE: /deletedcertificates/{certificate-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the certificate ,

Required: True ,

}

string ,

}

⚐ Response (204)

{}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

RecoverDeletedCertificate (new)

Description	: The RecoverDeletedCertificate operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate's attributes). This operation requires the certificates/recover permission.
Reference	: Link ¶

⚼ Request

POST: /deletedcertificates/{certificate-name}/recover

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

certificate-name:

{

Description: The name of the deleted certificate ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

kid:

{

Description: The key id. ,

Required: False ,

}

string ,

sid:

{

Description: The secret id. ,

Required: False ,

}

string ,

x5t:

{

Description: Thumbprint of the certificate. ,

Format: base64url ,

Required: False ,

}

string ,

policy:

{

Description: The management policy. ,

Required: False ,

}

{

id:

{

Description: The certificate id. ,

Required: False ,

}

string ,

key_props:

{

Description: Properties of the key backing a certificate. ,

Required: False ,

}

{

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

kty:

{

Description: The type of key pair to be used for the certificate. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is not exportable from the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447). ,

RSA-HSM: RSA with a private key which is not exportable from the HSM. ,

oct: Octet sequence (used to represent symmetric keys). ,

oct-HSM: Octet sequence with a private key which is not exportable from the HSM. ,

}

Required: False ,

}

enum ,

key_size:

{

Description: The key size in bits. For example: 2048, 3072, or 4096 for RSA. ,

Format: int32 ,

Required: False ,

}

integer ,

reuse_key:

{

Description: Indicates if the same key pair will be used on certificate renewal. ,

Required: False ,

}

boolean ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

}

secret_props:

{

Description: Properties of the secret backing a certificate. ,

Required: False ,

}

{

contentType:

{

Description: The media type (MIME type). ,

Required: False ,

}

string ,

}

x509_props:

{

Description: Properties of the X509 component of a certificate. ,

Required: False ,

}

{

subject:

{

Description: The subject name. Should be a valid X509 distinguished Name. ,

Required: False ,

}

string ,

ekus:

{

Description: The enhanced key usage. ,

Required: False ,

}

[

string ,

]

sans:

{

Description: The subject alternative names. ,

Required: False ,

}

{

emails:

{

Description: Email addresses. ,

Required: False ,

}

[

string ,

]

dns_names:

{

Description: Domain names. ,

Required: False ,

}

[

string ,

]

upns:

{

Description: User principal names. ,

Required: False ,

}

[

string ,

]

}

key_usage:

{

Description: Defines how the certificate's key may be used. ,

Required: False ,

}

[

string ,

]

validity_months:

{

Description: The duration that the certificate is valid in months. ,

Format: int32 ,

Required: False ,

}

integer ,

}

lifetime_actions:

{

Description: Actions that will be performed by Key Vault over the lifetime of a certificate. ,

Required: False ,

}

[

{

trigger:

{

Description: The condition that will execute the action. ,

Required: False ,

}

{

lifetime_percentage:

{

Description: Percentage of lifetime at which to trigger. Value should be between 1 and 99. ,

Format: int32 ,

Required: False ,

}

integer ,

days_before_expiry:

{

Description: Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). ,

Format: int32 ,

Required: False ,

}

integer ,

}

action:

{

Description: The action that will be executed. ,

Required: False ,

}

{

action_type:

{

Description: The type of the action. ,

Enum:

{

EmailContacts: A certificate policy that will email certificate contacts. ,

AutoRenew: A certificate policy that will auto-renew a certificate. ,

}

Required: False ,

}

enum ,

}

]

issuer:

{

Description: Parameters for the issuer of the X509 component of a certificate. ,

Required: False ,

}

{

name:

{

Description: Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. ,

Required: False ,

}

string ,

cty:

{

Description: Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' ,

Required: False ,

}

string ,

cert_transparency:

{

Description: Indicates if the certificates generated under this policy should be published to certificate transparency logs. ,

Required: False ,

}

boolean ,

}

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

cer:

{

Description: CER contents of x509 certificate. ,

Format: byte ,

Required: False ,

}

string ,

contentType:

{

Description: The content type of the secret. eg. 'application/x-pem-file' or 'application/x-pkcs12', ,

Required: False ,

}

string ,

attributes:

{

Description: The certificate attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

}

Required: False ,

}

enum ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs ,

Required: False ,

}

object ,

preserveCertOrder:

{

Description: Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. ,

Required: False ,

}

boolean ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetDeletedKeys (new)

Description

: Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission.

Reference

: Link ¶

⚼ Request

GET: /deletedkeys

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of deleted keys in the key vault along with a link to the next page of deleted keys. ,

Required: False ,

}

[

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Description: Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval. ,

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted key. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the key is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the key was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

]

nextLink:

{

Description: The URL to get the next set of deleted keys. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetDeletedKey (new)

Description	: The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission.
Reference	: Link ¶

⚼ Request

GET: /deletedkeys/{key-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted key. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the key is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the key was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

PurgeDeletedKey (new)

Description	: The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission.
Reference	: Link ¶

⚼ Request

DELETE: /deletedkeys/{key-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key ,

Required: True ,

}

string ,

}

⚐ Response (204)

{}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

RecoverDeletedKey (new)

Description	: The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. It recovers the deleted key back to its latest version under /keys. An attempt to recover an non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.
Reference	: Link ¶

⚼ Request

POST: /deletedkeys/{key-name}/recover

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the deleted key. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetKeys (new)

Description	: Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.
Reference	: Link ¶

⚼ Request

GET: /keys

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

maxresults:

{

Description: Maximum number of results to return in a page. If not specified the service will return up to 25 results. ,

Format: int32 ,

Required: False ,

}

integer ,

}

⚐ Response (200)

{

value:

{

Description: A response message containing a list of keys in the key vault along with a link to the next page of keys. ,

Required: False ,

}

[

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

}

]

nextLink:

{

Description: The URL to get the next set of keys. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

ImportKey (new)

Description	: The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.
Reference	: Link ¶

⚼ Request

PUT: /keys/{key-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters to import a key. ,

Required: True ,

}

{

Hsm:

{

Description: Whether to import as a hardware key (HSM) or software key. ,

Required: False ,

}

boolean ,

key:

{

Description: The Json web key ,

Required: True ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

DeleteKey (new)

Description	: The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.
Reference	: Link ¶

⚼ Request

DELETE: /keys/{key-name}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key to delete. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

recoveryId:

{

Description: The url of the recovery object, used to identify and recover the deleted key. ,

Required: False ,

}

string ,

scheduledPurgeDate:

{

Description: The time when the key is scheduled to be purged, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

deletedDate:

{

Description: The time when the key was deleted, in UTC ,

Format: unixtime ,

Required: False ,

}

integer ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetKey (new)

Description	: The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.
Reference	: Link ¶

⚼ Request

GET: /keys/{key-name}/{key-version}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key to get. ,

Required: True ,

}

string ,

key-version:

{

Description: Adding the version parameter retrieves a specific version of a key. This URI fragment is optional. If not specified, the latest version of the key is returned. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

UpdateKey (new)

Description	: In order to perform this operation, the key must already exist in the Key Vault. Note: The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.
Reference	: Link ¶

⚼ Request

PATCH: /keys/{key-name}/{key-version}

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of key to update. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key to update. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters of the key to update. ,

Required: True ,

}

{

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

attributes:

{

Description: The attributes of a key managed by the key vault service. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

GetKeyAttestation (new)

Description	: The get key attestation operation returns the key along with its attestation blob. This operation requires the keys/get permission.
Reference	: Link ¶

⚼ Request

GET: /keys/{key-name}/{key-version}/attestation

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key to retrieve attestation for. ,

Required: True ,

}

string ,

key-version:

{

Description: Adding the version parameter retrieves attestation blob for specific version of a key. This URI fragment is optional. If not specified, the latest version of the key attestation blob is returned. ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

key:

{

Description: The Json web key. ,

Required: False ,

}

{

kid:

{

Description: Key identifier. ,

Required: False ,

}

string ,

kty:

{

Description: JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. ,

Enum:

{

EC: Elliptic Curve. ,

EC-HSM: Elliptic Curve with a private key which is stored in the HSM. ,

RSA: RSA (https://tools.ietf.org/html/rfc3447) ,

RSA-HSM: RSA with a private key which is stored in the HSM. ,

oct: Octet sequence (used to represent symmetric keys) ,

oct-HSM: Octet sequence (used to represent symmetric keys) which is stored the HSM. ,

}

Required: False ,

}

enum ,

key_ops:

{

Description: Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. ,

Required: False ,

}

[

string ,

]

{

Description: RSA modulus. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA public exponent. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA private exponent, or the D component of an EC private key. ,

Format: base64url ,

Required: False ,

}

string ,

dp:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

dq:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

qi:

{

Description: RSA private key parameter. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: RSA secret prime, with p < q. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Symmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

key_hsm:

{

Description: Protected Key, used with 'Bring Your Own Key'. ,

Format: base64url ,

Required: False ,

}

string ,

crv:

{

Description: Elliptic curve name. For valid values, see JsonWebKeyCurveName. ,

Enum:

{

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. ,

P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. ,

P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. ,

P-256K: The SECG SECP256K1 elliptic curve. ,

}

Required: False ,

}

enum ,

{

Description: X component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

{

Description: Y component of an EC public key. ,

Format: base64url ,

Required: False ,

}

string ,

}

attributes:

{

Description: The key management attributes. ,

Required: False ,

}

{

enabled:

{

Description: Determines whether the object is enabled. ,

Required: False ,

}

boolean ,

nbf:

{

Description: Not before date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

exp:

{

Description: Expiry date in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

created:

{

Description: Creation time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

updated:

{

Description: Last updated time in UTC. ,

Format: unixtime ,

Required: False ,

}

integer ,

recoverableDays:

{

Description: softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. ,

Format: int32 ,

Required: False ,

}

integer ,

recoveryLevel:

{

Enum:

{

Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered ,

}

Required: False ,

}

enum ,

exportable:

{

Description: Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. ,

Required: False ,

}

boolean ,

hsmPlatform:

{

Description: The underlying HSM Platform. ,

Required: False ,

}

string ,

attestation:

{

Description: The key or key version attestation information. ,

Required: False ,

}

{

certificatePemFile:

{

Description: A base64url-encoded string containing certificates in PEM format, used for attestation validation. ,

Format: base64url ,

Required: False ,

}

string ,

privateKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a private key. ,

Format: base64url ,

Required: False ,

}

string ,

publicKeyAttestation:

{

Description: The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. ,

Format: base64url ,

Required: False ,

}

string ,

version:

{

Description: The version of the attestation. ,

Required: False ,

}

string ,

}

tags:

{

Description: Application specific metadata in the form of key-value pairs. ,

Required: False ,

}

object ,

managed:

{

Description: True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. ,

Required: False ,

}

boolean ,

release_policy:

{

Description: The policy rules under which the key can be exported. ,

Required: False ,

}

{

contentType:

{

Description: Content type and version of key release policy ,

Required: False ,

}

string ,

immutable:

{

Description: Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. ,

Required: False ,

}

boolean ,

data:

{

Description: Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

decrypt (new)

Description

: The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.

Reference

: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/decrypt

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for the decryption operation. ,

Required: True ,

}

{

alg:

{

Description: algorithm identifier ,

Enum:

{

RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems. ,

RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,

RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. ,

A128GCM: 128-bit AES-GCM. ,

A192GCM: 192-bit AES-GCM. ,

A256GCM: 256-bit AES-GCM. ,

A128KW: 128-bit AES key wrap. ,

A192KW: 192-bit AES key wrap. ,

A256KW: 256-bit AES key wrap. ,

A128CBC: 128-bit AES-CBC. ,

A192CBC: 192-bit AES-CBC. ,

A256CBC: 256-bit AES-CBC. ,

A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,

A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,

A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,

CKM_AES_KEY_WRAP: CKM AES key wrap. ,

CKM_AES_KEY_WRAP_PAD: CKM AES key wrap with padding. ,

}

Required: True ,

}

enum ,

value:

{

Description: The value to operate on. ,

Format: base64url ,

Required: True ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (200)

{

kid:

{

Description: Key identifier ,

Required: False ,

}

string ,

value:

{

Description: The result of the operation. ,

Format: base64url ,

Required: False ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

encrypt (new)

Description

: The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.

Reference

: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/encrypt

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for the encryption operation. ,

Required: True ,

}

{

alg:

{

Description: algorithm identifier ,

Enum:

{

RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,

A128GCM: 128-bit AES-GCM. ,

A192GCM: 192-bit AES-GCM. ,

A256GCM: 256-bit AES-GCM. ,

A128KW: 128-bit AES key wrap. ,

A192KW: 192-bit AES key wrap. ,

A256KW: 256-bit AES key wrap. ,

A128CBC: 128-bit AES-CBC. ,

A192CBC: 192-bit AES-CBC. ,

A256CBC: 256-bit AES-CBC. ,

A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,

A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,

A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,

CKM_AES_KEY_WRAP: CKM AES key wrap. ,

CKM_AES_KEY_WRAP_PAD: CKM AES key wrap with padding. ,

}

Required: True ,

}

enum ,

value:

{

Description: The value to operate on. ,

Format: base64url ,

Required: True ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (200)

{

kid:

{

Description: Key identifier ,

Required: False ,

}

string ,

value:

{

Description: The result of the operation. ,

Format: base64url ,

Required: False ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

release (new)

Description	: The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.
Reference	: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/release

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key to get. ,

Required: True ,

}

string ,

key-version:

{

Description: Adding the version parameter retrieves a specific version of a key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for the key release operation. ,

Required: True ,

}

{

target:

{

Description: The attestation assertion for the target of the key release. ,

Required: True ,

}

string ,

nonce:

{

Description: A client provided nonce for freshness. ,

Required: False ,

}

string ,

enc:

{

Description: The encryption algorithm to use to protected the exported key material ,

Enum:

{

CKM_RSA_AES_KEY_WRAP: The CKM_RSA_AES_KEY_WRAP key wrap mechanism. ,

RSA_AES_KEY_WRAP_256: The RSA_AES_KEY_WRAP_256 key wrap mechanism. ,

RSA_AES_KEY_WRAP_384: The RSA_AES_KEY_WRAP_384 key wrap mechanism. ,

}

Required: False ,

}

enum ,

}

⚐ Response (200)

{

value:

{

Description: A signed object containing the released key. ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

sign (new)

Description	: The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault since this operation uses the private portion of the key. This operation requires the keys/sign permission.
Reference	: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/sign

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for the signing operation. ,

Required: True ,

}

{

alg:

{

Description: The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. ,

Enum:

{

PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in https://tools.ietf.org/html/rfc7518 ,

PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in https://tools.ietf.org/html/rfc7518 ,

PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in https://tools.ietf.org/html/rfc7518 ,

RS256: RSASSA-PKCS1-v1_5 using SHA-256, as described in https://tools.ietf.org/html/rfc7518 ,

RS384: RSASSA-PKCS1-v1_5 using SHA-384, as described in https://tools.ietf.org/html/rfc7518 ,

RS512: RSASSA-PKCS1-v1_5 using SHA-512, as described in https://tools.ietf.org/html/rfc7518 ,

HS256: HMAC using SHA-256, as described in https://tools.ietf.org/html/rfc7518 ,

HS384: HMAC using SHA-384, as described in https://tools.ietf.org/html/rfc7518 ,

HS512: HMAC using SHA-512, as described in https://tools.ietf.org/html/rfc7518 ,

RSNULL: Reserved ,

ES256: ECDSA using P-256 and SHA-256, as described in https://tools.ietf.org/html/rfc7518. ,

ES384: ECDSA using P-384 and SHA-384, as described in https://tools.ietf.org/html/rfc7518 ,

ES512: ECDSA using P-521 and SHA-512, as described in https://tools.ietf.org/html/rfc7518 ,

ES256K: ECDSA using P-256K and SHA-256, as described in https://tools.ietf.org/html/rfc7518 ,

}

Required: True ,

}

enum ,

value:

{

Description: The value to operate on. ,

Format: base64url ,

Required: True ,

}

string ,

}

⚐ Response (200)

{

kid:

{

Description: Key identifier ,

Required: False ,

}

string ,

value:

{

Description: The result of the operation. ,

Format: base64url ,

Required: False ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

unwrapKey (new)

Description	: The UNWRAP operation supports decryption of a symmetric key using the target key encryption key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission.
Reference	: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/unwrapkey

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for the key operation. ,

Required: True ,

}

{

alg:

{

Description: algorithm identifier ,

Enum:

{

RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,

A128GCM: 128-bit AES-GCM. ,

A192GCM: 192-bit AES-GCM. ,

A256GCM: 256-bit AES-GCM. ,

A128KW: 128-bit AES key wrap. ,

A192KW: 192-bit AES key wrap. ,

A256KW: 256-bit AES key wrap. ,

A128CBC: 128-bit AES-CBC. ,

A192CBC: 192-bit AES-CBC. ,

A256CBC: 256-bit AES-CBC. ,

A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,

A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,

A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,

CKM_AES_KEY_WRAP: CKM AES key wrap. ,

CKM_AES_KEY_WRAP_PAD: CKM AES key wrap with padding. ,

}

Required: True ,

}

enum ,

value:

{

Description: The value to operate on. ,

Format: base64url ,

Required: True ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (200)

{

kid:

{

Description: Key identifier ,

Required: False ,

}

string ,

value:

{

Description: The result of the operation. ,

Format: base64url ,

Required: False ,

}

string ,

iv:

{

Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

tag:

{

Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,

Format: base64url ,

Required: False ,

}

string ,

aad:

{

Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,

Format: base64url ,

Required: False ,

}

string ,

}

⚐ Response (default)

{

error:

{

Description: The key vault server error. ,

Required: False ,

}

{

code:

{

Description: The error code. ,

Required: False ,

}

string ,

message:

{

Description: The error message. ,

Required: False ,

}

string ,

innererror:

{

Required: False ,

}

string ,

}

verify (new)

Description

: The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not strictly necessary for asymmetric keys stored in Azure Key Vault since signature verification can be performed using the public portion of the key but this operation is supported as a convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission.

Reference

: Link ¶

⚼ Request

POST: /keys/{key-name}/{key-version}/verify

{

api-version:

{

Description: The API version to use for this operation. ,

Required: True ,

}

string ,

key-name:

{

Description: The name of the key. ,

Required: True ,

}

string ,

key-version:

{

Description: The version of the key. ,

Required: True ,

}

string ,

parameters:

{

Description: The parameters for verify operations. ,

Required: True ,

}

{

alg:

{

Description: The signing/verification algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. ,