Skip to content

Latest commit

 

History

History
51 lines (41 loc) · 2.76 KB

certificate-access-control.md

File metadata and controls

51 lines (41 loc) · 2.76 KB
Raw
title description services author ms.service ms.subservice ms.topic ms.date ms.author
About Azure Key Vault Certificates access control
Overview of Azure Key Vault certificates access control
key-vault
sebansal
key-vault
certificates
overview
01/30/2024
sebansal

Certificate Access Control

Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario appropriate segmentation and management of certificates.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a key vault, and closely mirrors the operations allowed on a secret object:

  • Permissions for certificate management operations

    • get: Get the current certificate version, or any version of a certificate
    • list: List the current certificates, or versions of a certificate
    • update: Update a certificate
    • create: Create a Key Vault certificate
    • import: Import certificate material into a Key Vault certificate
    • delete: Delete a certificate, its policy, and all of its versions
    • recover: Recover a deleted certificate
    • backup: Back up a certificate in a key vault
    • restore: Restore a backed-up certificate to a key vault
    • managecontacts: Manage Key Vault certificate contacts
    • manageissuers: Manage Key Vault certificate authorities/issuers
    • getissuers: Get a certificate's authorities/issuers
    • listissuers: List a certificate's authorities/issuers
    • setissuers: Create or update a Key Vault certificate's authorities/issuers
    • deleteissuers: Delete a Key Vault certificate's authorities/issuers

  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted certificate

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Update Access Policy.

Troubleshoot

You may see error due to missing access policy. For example Error type : Access denied or user is unauthorized to create certificate To resolve this error, you would need to add certificates/create permission.

Next steps