public void RetrieveCertificate() { #region Snippet:RetrieveCertificate KeyVaultCertificateWithPolicy certificateWithPolicy = client.GetCertificate("MyCertificate"); #endregion #region Snippet:GetCertificate KeyVaultCertificate certificate = client.GetCertificateVersion(certificateWithPolicy.Name, certificateWithPolicy.Properties.Version); #endregion }
/// <summary> /// Helper method to get a certificate /// /// Source https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs /// </summary> /// <param name="certificateClient"></param> /// <param name="secretClient"></param> /// <param name="certificateName"></param> /// <returns></returns> private static X509Certificate2 GetCertificateAsync(CertificateClient certificateClient, SecretClient secretClient, string certificateName) { KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName); // Return a certificate with only the public key if the private key is not exportable. if (certificate.Policy?.Exportable != true) { return(new X509Certificate2(certificate.Cer)); } // Parse the secret ID and version to retrieve the private key. string[] segments = certificate.SecretId.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries); if (segments.Length != 3) { throw new InvalidOperationException($"Number of segments is incorrect: {segments.Length}, URI: {certificate.SecretId}"); } string secretName = segments[1]; string secretVersion = segments[2]; KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion); // For PEM, you'll need to extract the base64-encoded message body. // .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier. if ("application/x-pkcs12".Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase)) { byte[] pfx = Convert.FromBase64String(secret.Value); return(new X509Certificate2(pfx)); } throw new NotSupportedException($"Only PKCS#12 is supported. Found Content-Type: {secret.Properties.ContentType}"); }
public void CertificateTest() { var keyClient = new CertificateClient(new Uri("{{your keyvault uri}}"), new DefaultAzureCredential()); Response <KeyVaultCertificateWithPolicy> response = keyClient.GetCertificate("SignInCredentialsCert"); Assert.NotNull(response.Value.Properties.Version); }
public byte[] GetCertificateData(string keyVaultUrl, string certificateIdentifier) { var certificateClient = new CertificateClient(new Uri(keyVaultUrl), defaultAzureCredential); KeyVaultCertificateWithPolicy cert = certificateClient.GetCertificate(certificateIdentifier); return(cert.Cer); }
private HttpClient InitiateHttpClientWithCertificate(string keyvaultName, string certificateName) { var certificateClient = new CertificateClient(new Uri(keyvaultName), new DefaultAzureCredential()); var secretClient = new SecretClient(new Uri(keyvaultName), new DefaultAzureCredential()); var keyvaultCertificateWithPolicy = certificateClient.GetCertificate(certificateName); Uri secretId = keyvaultCertificateWithPolicy.Value.SecretId; var segments = secretId.Segments; string secretName = segments[2].Trim('/'); string version = segments[3].TrimEnd('/'); KeyVaultSecret secret = secretClient.GetSecret(secretName, version); byte[] privateKeyBytes = Convert.FromBase64String(secret.Value); var certificate = new X509Certificate2(privateKeyBytes, ""); var clientHandler = new HttpClientHandler(); clientHandler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) => { return(true); }; clientHandler.ClientCertificateOptions = ClientCertificateOption.Manual; clientHandler.ClientCertificates.Add(certificate); return(new HttpClient(clientHandler)); }
public void HelloWorldSync(string keyVaultUrl) { #region Snippet:CertificatesSample1CertificateClient var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:CertificatesSample1CreateCertificate string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = client.StartCreateCertificate(certName, CertificatePolicy.Default); while (!certOp.HasCompleted) { certOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1GetCertificateWithPolicy KeyVaultCertificateWithPolicy certificate = client.GetCertificate(certName); Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.ExpiresOn}"); #endregion #region Snippet:CertificatesSample1UpdateCertificate CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; KeyVaultCertificate updatedCert = client.UpdateCertificateProperties(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCert.Properties.Enabled}'"); #endregion #region Snippet:CertificatesSample1CreateCertificateWithNewVersion CertificateOperation newCertOp = client.StartCreateCertificate(certificate.Name, certificate.Policy); while (!newCertOp.HasCompleted) { newCertOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1DeleteCertificate DeleteCertificateOperation operation = client.StartDeleteCertificate(certName); // To ensure certificate is deleted on server side. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } #endregion // If the keyvault is soft-delete enabled, then for permanent deletion, the deleted certificate needs to be purged. client.PurgeDeletedCertificate(certName); }
public void Add_AddsCertificate() { _adder.Add(CertificateName); var certificate = _client.GetCertificate(CertificateName).Value; certificate.Should().NotBeNull(); certificate.Name.Should().Be(CertificateName); }
// // execute GetCertificate // public string Execute(string certificateIdentifierUrl, string filePath = null, string identity = null) { (Uri keyVaultUri, string certificateName, string certificateVersion) = ValidateAndParseCertificateURL(certificateIdentifierUrl); var MIcredential = new ManagedIdentityCredential(identity); var certificateClient = new CertificateClient(keyVaultUri, MIcredential); // Retrieve a certificate (certificate = certificate and private key bundle in Azure terminology) // PEM (Privacy Enhanced Mail) or PFX (Personal Information Exchange; PKCS#12 archive file format) formats // depends on what content type you set in Azure Key Vault at respective certificate. // Both formats usually contain a certificate (possibly with its assorted set of CA certificates) and the corresponding private key // Download CER format (X.509 certificate) // single certificate, alone and without any wrapping (no private key, no password protection, just the certificate) // not supported try { // certificate (and key) is stored as a secret at the end in Azure string secretIdentifierUrl; if (String.IsNullOrEmpty(certificateVersion)) { // certificate has no specific version: // https://my-key-vault.vault.azure.net/certificates/readThisCertificate KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.GetCertificate(certificateName); secretIdentifierUrl = certificateWithPolicy.SecretId.ToString(); } else { // certificate has specific version: // https://my-key-vault.vault.azure.net/certificates/readThisCertificate/103a7355c6094bc78307b2db7b85b3c2 KeyVaultCertificate certificate = certificateClient.GetCertificateVersion(certificateName, certificateVersion); secretIdentifierUrl = certificate.SecretId.ToString(); } // filePath: null means get secret into variable only // otherwise secret may be unintentionally saved to file by GetSecret() method string secret = new GetSecret().Execute(secretIdentifierUrl, filePath: null, identity); if (String.IsNullOrEmpty(filePath)) { // print to stdout return(secret); } else { // creates or overwrites file and saves secret into it File.WriteAllText(filePath, secret); return("Saved"); } } catch (Exception ex) { throw AzmiException.IDCheck(identity, ex); } }
/// <summary> /// Load a certificate from Key Vault, including the private key. /// </summary> /// <param name="keyVaultUrl">URL of Key Vault.</param> /// <param name="certificateName">Name of the certificate.</param> /// <param name="x509KeyStorageFlags">Defines where and how to import the private key of an X.509 certificate.</param> /// <returns>An <see cref="X509Certificate2"/> certificate.</returns> /// <remarks>This code is inspired by Heath Stewart's code in: /// https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs#L46-L82. /// </remarks> private static X509Certificate2 LoadFromKeyVault( string keyVaultUrl, string certificateName, X509KeyStorageFlags x509KeyStorageFlags) { Uri keyVaultUri = new Uri(keyVaultUrl); DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions(); options.ManagedIdentityClientId = UserAssignedManagedIdentityClientId; DefaultAzureCredential credential = new DefaultAzureCredential(options); CertificateClient certificateClient = new CertificateClient(keyVaultUri, credential); SecretClient secretClient = new SecretClient(keyVaultUri, credential); KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName); // Return a certificate with only the public key if the private key is not exportable. if (certificate.Policy?.Exportable != true) { return(new X509Certificate2( certificate.Cer, (string?)null, x509KeyStorageFlags)); } // Parse the secret ID and version to retrieve the private key. string[] segments = certificate.SecretId.AbsolutePath.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries); if (segments.Length != 3) { throw new InvalidOperationException(string.Format( CultureInfo.InvariantCulture, IDWebErrorMessage.IncorrectNumberOfUriSegments, segments.Length, certificate.SecretId)); } string secretName = segments[1]; string secretVersion = segments[2]; KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion); // For PEM, you'll need to extract the base64-encoded message body. // .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier. if (Constants.MediaTypePksc12.Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase)) { return(LoadFromBase64Encoded(secret.Value, x509KeyStorageFlags)); } throw new NotSupportedException( string.Format( CultureInfo.InvariantCulture, IDWebErrorMessage.OnlyPkcs12IsSupported, secret.Properties.ContentType)); }
/// <summary> /// Reads the signing certificate from a location. /// Supported locations: Blob storage, File, Local, KeyVault. /// </summary> /// <param name="certificate"></param> /// <param name="location"></param> /// <param name="log"></param> /// <returns>x509 certificate without private key</returns> private static X509Certificate ReadCertificate(string certificate, Location location, ILogger log) { log.LogInformation($"Reading certificate from {location}..."); X509Certificate x509 = null; try { if (location == Location.File) { x509 = DotNetUtilities.FromX509Certificate( System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(certificate)); } if (location == Location.Local) { using (TextReader reader = new StringReader(certificate)) { Org.BouncyCastle.OpenSsl.PemReader pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); x509 = (X509Certificate)pemReader.ReadObject(); }; } if (location == Location.Blob) { blobClient = new BlobClient(blobConnectionString, blobContainerName, certificate); BlobDownloadInfo download = blobClient.Download(); using (TextReader reader = new StreamReader(download.Content)) { Org.BouncyCastle.OpenSsl.PemReader pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); x509 = (X509Certificate)pemReader.ReadObject(); }; } if (location == Location.KeyVault) { var client = new CertificateClient(new Uri($"https://{keyVaultName}.vault.azure.net"), new DefaultAzureCredential()); keyVaultCertificate = client.GetCertificate(certificate); x509 = new Org.BouncyCastle.X509.X509CertificateParser().ReadCertificate(keyVaultCertificate.Cer); } } catch (Exception ex) { log.LogError(ex.Message); } log.LogInformation($"Finished reading certificate {x509.SubjectDN} from {location}."); return(x509); }
// // // **** Cmdlet start **** // // protected override void ProcessRecord() { var cred = new ManagedIdentityCredential(Identity); WriteVerbose($"Parsing certificate... '{Certificate}'"); (Uri keyVault, string certName, string certVersion) = Shared.ParseUrl(Certificate); WriteVerbose($"Obtaining certificate client for '{keyVault}' using '{Identity}'..."); var certificateClient = new CertificateClient(keyVault, cred); KeyVaultCertificate certObj; WriteVerbose($"Obtaining certificate Id {certName}..."); if (String.IsNullOrEmpty(certVersion)) { certObj = certificateClient.GetCertificate(certName); } else { certObj = certificateClient.GetCertificateVersion(certName, certVersion); } var secretId = certObj.SecretId.ToString(); WriteVerbose($"Obtaining certificate from {secretId}..."); // var gs = new GetSecret() { Secret = secretId, Identity = Identity }; // var cert = (string)gs.Invoke(); // currently throws InvalidCastException // Unable to cast object of type '<Invoke>d__40' to type 'System.String'. // string cert = System.Text.Encoding.UTF32.GetString(certObj.Cer); string cert = Convert.ToBase64String(certObj.Cer); // return value if (String.IsNullOrEmpty(File)) { WriteObject(cert); } else { WriteVerbose($"Saving secret to file {File}..."); System.IO.File.WriteAllText(File, cert); // TODO: Add test for file in current dir // TODO: Candidate for async } }
public void CreateClient() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); #region Snippet:CreateCertificateClient // Create a new certificate client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new CertificateClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Create a certificate using the certificate client. CertificateOperation operation = client.StartCreateCertificate("MyCertificate", CertificatePolicy.Default); // Retrieve a certificate using the certificate client. KeyVaultCertificateWithPolicy certificate = client.GetCertificate("MyCertificate"); #endregion this.client = client; }
public Saml2Configuration GetSaml2Configuration() { var saml2Configuration = new Saml2Configuration { Issuer = config.Issuer, SignatureAlgorithm = config.SignatureAlgorithm, CertificateValidationMode = config.CertificateValidationMode, RevocationMode = config.RevocationMode }; var certificateClient = new CertificateClient(new Uri(AzureKeyVaultBaseUrl), tokenCredential); var certificateWithPolicy = certificateClient.GetCertificate(AzureKeyVaultCertificateName); var publicCertificate = new X509Certificate2(certificateWithPolicy.Value.Cer); var rsa = RSAFactory.Create(tokenCredential, certificateWithPolicy.Value.KeyId, new Azure.Security.KeyVault.Keys.JsonWebKey(publicCertificate.GetRSAPublicKey())); saml2Configuration.SigningCertificate = new Saml2X509Certificate(publicCertificate, rsa); //saml2Configuration.SignAuthnRequest = true; saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer); var entityDescriptor = new EntityDescriptor(); entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Saml2IdPMetadata)); if (entityDescriptor.IdPSsoDescriptor != null) { saml2Configuration.AllowedIssuer = entityDescriptor.EntityId; saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location; saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location; saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates); } else { throw new Exception("IdPSsoDescriptor not loaded from metadata."); } return(saml2Configuration); }
private static X509Certificate2 GetCertificateFromKeyVault(string keyVaultCertName) { var keyVaultName = Configuration[ConfigKeys.KEY_VAULT_NAME]; Uri vaultUri = new Uri($"https://{keyVaultName}.vault.azure.net/"); var cred = new DefaultAzureCredential(); var client = new CertificateClient(vaultUri: vaultUri, credential: cred); var certResponse = client.GetCertificate(keyVaultCertName); if (certResponse != null && certResponse.Value != null) { string secretName = certResponse.Value.SecretId.Segments[2].TrimEnd('/'); SecretClient secretClient = new SecretClient(vaultUri, cred); KeyVaultSecret secret = secretClient.GetSecret(secretName); byte[] pfx = Convert.FromBase64String(secret.Value); return(new X509Certificate2(pfx)); } else { return(null); } }
public void Delete_Purge_CompletelyRemovedCertificate() { var deleteLogger = _loggerFactory.CreateLogger <KeyVaultCertificateDeleter>(); var addLogger = _loggerFactory.CreateLogger <KeyVaultCertificateAdder>(); var adder = new KeyVaultCertificateAdder(_client, addLogger); adder.Add(_certificateName); var deleter = new KeyVaultCertificateDeleter(_client, deleteLogger); deleter.Delete(new KeyVaultCertificateDeleteEvent { Name = _certificateName, Purge = true }); Action action = () => _client.GetCertificate(_certificateName); action.Should().ThrowExactly <RequestFailedException>().Where(e => e.Message.Contains($"A certificate with (name/id) {_certificateName} was not found in this key vault.", StringComparison.InvariantCultureIgnoreCase)); action = () => _client.GetDeletedCertificate(_certificateName); action.Should().ThrowExactly <RequestFailedException>(); }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a certificate client that will be used to call the service. Notice that the client is using // default Azure credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a self signed certifiate using the default policy. If the certificiate // already exists in the Key Vault, then a new version of the key is created. string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = client.StartCreateCertificate(certName); // Next let's wait on the certificate operation to complete. Note that certificate creation can last an indeterministic // amount of time, so applications should only wait on the operation to complete in the case the issuance time is well // known and within the scope of the application lifetime. In this case we are creating a self-signed certificate which // should be issued in a relatively short amount of time. while (!certOp.HasCompleted) { certOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } // Let's get the created certificate along with it's policy from the Key Vault. CertificateWithPolicy certificate = client.GetCertificate(certName); Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.Expires}"); // We find that the certificate has been compromised and we want to disable it so applications will no longer be able // to access the compromised version of the certificate. CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; Certificate updatedCert = client.UpdateCertificateProperties(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCert.Properties.Enabled}'"); // We need to create a new version of the certificate that applications can use to replace the compromised certificate. // Creating a certificate with the same name and policy as the compromised certificate will create another version of the // certificate with similar properties to the original certificate CertificateOperation newCertOp = client.StartCreateCertificate(certificate.Name, certificate.Policy); while (!newCertOp.HasCompleted) { newCertOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } // The certificate is no longer needed, need to delete it from the Key Vault. client.DeleteCertificate(certName); // To ensure certificate is deleted on server side. Assert.IsTrue(WaitForDeletedCertificate(client, certName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted certificate needs to be purged. client.PurgeDeletedCertificate(certName); }
public void DownloadCertificateSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CertificatesSample4CertificateClient CertificateClient client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion string certificateName = $"rsa-{Guid.NewGuid()}"; CertificateOperation operation = client.StartCreateCertificate(certificateName, CertificatePolicy.Default); while (!operation.HasCompleted) { operation.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(10)); } using SHA256 sha = SHA256.Create(); byte[] data = Encoding.UTF8.GetBytes("test"); byte[] hash = sha.ComputeHash(data); #region Snippet:CertificatesSample4DownloadCertificate X509KeyStorageFlags keyStorageFlags = X509KeyStorageFlags.MachineKeySet; if (!RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { keyStorageFlags |= X509KeyStorageFlags.EphemeralKeySet; } DownloadCertificateOptions options = new DownloadCertificateOptions(certificateName) { KeyStorageFlags = keyStorageFlags }; using X509Certificate2 certificate = client.DownloadCertificate(options); using RSA key = certificate.GetRSAPrivateKey(); byte[] signature = key.SignHash(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); Debug.WriteLine($"Signature: {Convert.ToBase64String(signature)}"); #endregion #region Snippet:CertificatesSample4PublicKey Response <KeyVaultCertificateWithPolicy> certificateResponse = client.GetCertificate(certificateName); using X509Certificate2 publicCertificate = new X509Certificate2(certificateResponse.Value.Cer); using RSA publicKey = publicCertificate.GetRSAPublicKey(); bool verified = publicKey.VerifyHash(hash, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); Debug.WriteLine($"Signature verified: {verified}"); #endregion Assert.IsTrue(verified); DeleteCertificateOperation deleteOperation = client.StartDeleteCertificate(certificateName); while (!deleteOperation.HasCompleted) { deleteOperation.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(2)); } client.PurgeDeletedCertificate(certificateName); }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CertificatesSample1CertificateClient CertificateClient client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:CertificatesSample1CreateCertificate string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = client.StartCreateCertificate(certName, CertificatePolicy.Default); while (!certOp.HasCompleted) { certOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1GetCertificateWithPolicy Response <KeyVaultCertificateWithPolicy> certificateResponse = client.GetCertificate(certName); KeyVaultCertificateWithPolicy certificate = certificateResponse.Value; Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.ExpiresOn}"); #endregion #region Snippet:CertificatesSample1UpdateCertificate CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; Response <KeyVaultCertificate> updatedCertResponse = client.UpdateCertificateProperties(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCertResponse.Value.Properties.Enabled}'"); #endregion #region Snippet:CertificatesSample1CreateCertificateWithNewVersion CertificateOperation newCertOp = client.StartCreateCertificate(certificate.Name, certificate.Policy); while (!newCertOp.HasCompleted) { newCertOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1DeleteCertificate DeleteCertificateOperation operation = client.StartDeleteCertificate(certName); // You only need to wait for completion if you want to purge or recover the certificate. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } #endregion // If the keyvault is soft-delete enabled, then for permanent deletion, the deleted certificate needs to be purged. client.PurgeDeletedCertificate(certName); }
private async Task MigrationGuide() { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create CertificateClient client = new CertificateClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { CertificateClientOptions options = new CertificateClientOptions { Transport = new HttpClientTransport(httpClient) }; //@@CertificateClient client = new CertificateClient( /*@@*/ CertificateClient _ = new CertificateClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), options); } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy CertificatePolicy policy = new CertificatePolicy("issuer-name", "CN=customdomain.com") { ContentType = CertificateContentType.Pkcs12, KeyType = CertificateKeyType.Rsa, ReuseKey = true, KeyUsage = { CertificateKeyUsage.CrlSign, CertificateKeyUsage.DataEncipherment, CertificateKeyUsage.DigitalSignature, CertificateKeyUsage.KeyEncipherment, CertificateKeyUsage.KeyAgreement, CertificateKeyUsage.KeyCertSign }, ValidityInMonths = 12, LifetimeActions = { new LifetimeAction(CertificatePolicyAction.AutoRenew) { DaysBeforeExpiry = 90, } } }; #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy //@@CertificatePolicy policy = CertificatePolicy.Default; /*@@*/ policy = CertificatePolicy.Default; #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate // Start certificate creation. // Depending on the policy and your business process, this could even take days for manual signing. CertificateOperation createOperation = await client.StartCreateCertificateAsync("certificate-name", policy); KeyVaultCertificateWithPolicy certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None); // If you need to restart the application you can recreate the operation and continue awaiting. createOperation = new CertificateOperation(client, "certificate-name"); certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate byte[] cer = File.ReadAllBytes("certificate.pfx"); ImportCertificateOptions importCertificateOptions = new ImportCertificateOptions("certificate-name", cer) { Policy = policy }; KeyVaultCertificateWithPolicy certificate = await client.ImportCertificateAsync(importCertificateOptions); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates // List all certificates asynchronously. await foreach (CertificateProperties item in client.GetPropertiesOfCertificatesAsync()) { KeyVaultCertificateWithPolicy certificate = await client.GetCertificateAsync(item.Name); } // List all certificates synchronously. foreach (CertificateProperties item in client.GetPropertiesOfCertificates()) { KeyVaultCertificateWithPolicy certificate = client.GetCertificate(item.Name); } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate // Delete the certificate. DeleteCertificateOperation deleteOperation = await client.StartDeleteCertificateAsync("certificate-name"); // Purge or recover the deleted certificate if soft delete is enabled. if (deleteOperation.Value.RecoveryId != null) { // Deleting a certificate does not happen immediately. Wait for the certificate to be deleted. DeletedCertificate deletedCertificate = await deleteOperation.WaitForCompletionAsync(); // Purge the deleted certificate. await client.PurgeDeletedCertificateAsync(deletedCertificate.Name); // You can also recover the deleted certificate using StartRecoverDeletedCertificateAsync, // which returns RecoverDeletedCertificateOperation you can await like DeleteCertificateOperation above. } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate } }