[Key Vault] Add sample for parsing private key/public certificate from certificate #15863
Conversation
Please link to these from samples/README.md
```python
print("Certificate with name '{}' was created".format(created_certificate.name))

# Key Vault also creates a secret with the same name as the created certificate.
# This secret contains protected information about the certificate, such as its private key.
```
To be more precise: the secret contains the certificate's bytes, which include the private key only when the cert's policy marks it exportable (the service documents this here). We should mention that to make it clear there are by-design cases in which Key Vault won't release a cert's private key.
```python
import base64
from cryptography.hazmat.primitives.serialization import pkcs12
# Now we can extract the private key and public certificate from the secret using the cryptography
# package. `additional_certificates` will be empty since the secret only contains one certificate.
cert_bytes = base64.b64decode(certificate_secret.value)
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
    cert_bytes, password=None
)
```
Key Vault supports PEM as well. If these bytes were PEM encoded, you'd want load_pem_private_key instead. I think it's sufficient to mention the encoding depends on the content type set on the certificate policy, and we're showing PKCS12 here because it's the default.
Got it! I didn't want to provide a PEM example in fear of complicating things, but you're right that it's worth a mention even if we don't walk through an example.
Co-authored-by: Charles Lowell <chlowe@microsoft.com>
…m certificate (Azure#15863) * Add certificate key/cert parsing samples * Thanks, Charles! * Better wording Co-authored-by: Charles Lowell <chlowe@microsoft.com>
This adds two samples, parse_certificate.py and parse_certificate_async.py, to the samples folder in azure-keyvault-certificates. They each use the cryptography package to parse the secret associated with a default certificate (and specify a dependency on version 3.3+). They also demonstrate certificate purging, though this can be removed if we think a purge permission dependency is overkill.

These are being added because we seem to get questions about fetching the private key for KV certificates fairly often.