azure-keyvault-certificates-rust


Azure Key Vault Certificates SDK for Rust

Client library for Azure Key Vault Certificates — secure storage and management of certificates.

Installation

```sh
cargo add azure_security_keyvault_certificates azure_identity
```

Environment Variables

```bash
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```

Authentication

```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_certificates::CertificateClient;

// DeveloperToolsCredential obtains a token from the developer tools signed in
// on this machine (Azure CLI and similar). It is for local development only;
// a deployed workload should authenticate with a managed identity instead.
let credential = DeveloperToolsCredential::new(None)?;
let client = CertificateClient::new(
    "https://<vault-name>.vault.azure.net/",
    credential.clone(),
    None,
)?;
```

Core Operations

Get Certificate

```rust
use azure_core::base64;

// Returns the public certificate and its attributes; the private key is never
// returned by this call.
let certificate = client
    .get_certificate("certificate-name", None)
    .await?
    .into_model()?;

// x509_thumbprint holds the raw SHA-1 digest bytes, so it is base64url-encoded
// for display (the portal and openssl show the same digest as hex).
println!(
    "Thumbprint: {:?}",
    certificate.x509_thumbprint.map(base64::encode_url_safe)
);
```
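The thumbprint printed above is base64url, while an inventory, the portal or `openssl x509 -fingerprint -sha1` give the same SHA-1 digest as colon-separated hex. The following is an added example, not code from the SDK or this page: it converts between the two forms with no external crates and compares an expected fingerprint in constant time. The 20-byte digest and all names in it are constructed for the example.

```rust
// Added example (not SDK code): convert Key Vault's base64url thumbprint to the
// hex fingerprint form and compare it against an expected value.
// Sample digest and function names are this example's own.

const URL_ALPHABET: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// base64url without padding, the encoding used for the thumbprint above.
pub fn base64url_encode(bytes: &[u8]) -> String {
    let mut out = String::with_capacity((bytes.len() + 2) / 3 * 4);
    for chunk in bytes.chunks(3) {
        let b0 = chunk[0] as u32;
        let b1 = chunk.get(1).copied().unwrap_or(0) as u32;
        let b2 = chunk.get(2).copied().unwrap_or(0) as u32;
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(URL_ALPHABET[((n >> 18) & 63) as usize] as char);
        out.push(URL_ALPHABET[((n >> 12) & 63) as usize] as char);
        if chunk.len() > 1 {
            out.push(URL_ALPHABET[((n >> 6) & 63) as usize] as char);
        }
        if chunk.len() > 2 {
            out.push(URL_ALPHABET[(n & 63) as usize] as char);
        }
    }
    out
}

/// Strict base64url decode: rejects characters outside the alphabet, a dangling
/// single symbol and non-zero padding bits, so a mangled thumbprint fails
/// loudly instead of silently comparing unequal. Trailing '=' is tolerated.
pub fn base64url_decode(s: &str) -> Option<Vec<u8>> {
    let s = s.trim_end_matches('=');
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for &c in s.as_bytes() {
        let v = URL_ALPHABET.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    if bits >= 6 || acc != 0 {
        return None;
    }
    Some(out)
}

/// Upper-case, colon-separated hex as printed by openssl and the Azure portal.
pub fn to_hex_fingerprint(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02X}")).collect::<Vec<_>>().join(":")
}

/// Accepts "AB:CD:..." or "abcd..." and returns the raw digest bytes.
pub fn from_hex_fingerprint(s: &str) -> Option<Vec<u8>> {
    let digits: String = s.chars().filter(|c| *c != ':' && !c.is_whitespace()).collect();
    if digits.len() % 2 != 0 || !digits.chars().all(|c| c.is_ascii_hexdigit()) {
        return None;
    }
    (0..digits.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&digits[i..i + 2], 16).ok())
        .collect()
}

/// Constant-time equality so the comparison does not leak how long a prefix matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `kv_thumbprint` is the base64url string Key Vault returns; `expected` is the
/// hex fingerprint from your inventory. A SHA-1 thumbprint is exactly 20 bytes;
/// any other length is rejected rather than compared.
pub fn thumbprint_matches(kv_thumbprint: &str, expected: &str) -> bool {
    match (base64url_decode(kv_thumbprint), from_hex_fingerprint(expected)) {
        (Some(kv), Some(exp)) if kv.len() == 20 => ct_eq(&kv, &exp),
        _ => false,
    }
}

fn main() {
    // Constructed 20-byte digest standing in for certificate.x509_thumbprint.
    let digest: Vec<u8> = (0u8..20).collect();
    let kv = base64url_encode(&digest);
    println!("Key Vault form : {kv}");
    println!("openssl form   : {}", to_hex_fingerprint(&digest));
    println!("match          : {}", thumbprint_matches(&kv, &to_hex_fingerprint(&digest)));
}
```

A SHA-1 thumbprint is fine for identifying which certificate you are holding; it is not a pin. If the point is to pin a certificate, hash the DER bytes the certificate object carries with SHA-256 and compare that instead.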

Create Certificate

```rust
use azure_security_keyvault_certificates::models::{
    CreateCertificateParameters, CertificatePolicy,
    IssuerParameters, X509CertificateProperties,
};

// Minimal policy: a self-signed certificate for CN=example.com. Everything
// not set here (key type and size, exportability, validity, lifetime actions)
// falls back to the service defaults, so a production policy should set
// them explicitly.
let policy = CertificatePolicy {
    issuer_parameters: Some(IssuerParameters {
        // "Self" = self-signed; "Unknown" = Key Vault produces a CSR you sign out of band
        name: Some("Self".into()),
        ..Default::default()
    }),
    x509_certificate_properties: Some(X509CertificateProperties {
        subject: Some("CN=example.com".into()),
        ..Default::default()
    }),
    ..Default::default()
};

let params = CreateCertificateParameters {
    certificate_policy: Some(policy),
    ..Default::default()
};

// Creation is asynchronous on the service side: the returned operation
// describes the pending request, not a finished certificate.
let operation = client
    .create_certificate("cert-name", params.try_into()?, None)
    .await?;
```
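The create example above leaves every security-relevant policy choice at its default. The following is an added example, not SDK code and not from this page: a pre-flight lint over the values you are about to put into a CertificatePolicy, with a deliberately weak policy beside its corrected form. The field meanings mirror Key Vault's policy (issuer name, subject, SANs, key type and size, exportable flag, validity in months, lifetime-action trigger); the struct, the check set and the issuer name "corp-ca" are this example's own assumptions.

```rust
// Added example (not SDK code): lint the policy values before building
// CertificatePolicy. Struct, checks and the issuer name "corp-ca" are
// hypothetical; only the field meanings follow Key Vault's policy model.

#[derive(Debug, Clone, PartialEq)]
pub enum KeyType {
    Rsa { bits: u32 },
    Ec { curve: &'static str },
}

#[derive(Debug, Clone)]
pub struct PolicySpec {
    /// "Self", "Unknown" or the name of an issuer registered in the vault.
    pub issuer: Option<&'static str>,
    /// X.500 subject, e.g. "CN=example.com".
    pub subject: &'static str,
    /// DNS subject alternative names; TLS clients match these, not the CN.
    pub dns_names: Vec<&'static str>,
    pub key: KeyType,
    /// true => the private key can be read back through the secrets API.
    pub exportable: bool,
    pub validity_months: u32,
    /// Lifetime-action trigger (days before expiry); None => no auto-renewal.
    pub renew_days_before_expiry: Option<u32>,
}

/// Returns one finding per weak setting; an empty list means the policy passed.
pub fn lint(p: &PolicySpec) -> Vec<String> {
    let mut findings = Vec::new();
    match p.issuer {
        None | Some("Unknown") => findings.push(
            "issuer: none/Unknown, the CSR must be signed out of band and cannot auto-renew".to_string(),
        ),
        Some("Self") => findings.push(
            "issuer: Self, self-signed certs are not trusted by clients; use a registered CA issuer in production".to_string(),
        ),
        Some(_) => {}
    }
    if !p.subject.contains("CN=") {
        findings.push("subject: missing CN=".to_string());
    }
    if p.dns_names.is_empty() {
        findings.push("sans: no DNS names; modern TLS clients ignore the CN".to_string());
    }
    match &p.key {
        KeyType::Rsa { bits } if *bits < 2048 => {
            findings.push(format!("key: RSA-{bits} is below the 2048-bit minimum"))
        }
        KeyType::Ec { curve } if !matches!(*curve, "P-256" | "P-384" | "P-521") => {
            findings.push(format!("key: curve {curve} is not a TLS curve"))
        }
        _ => {}
    }
    if p.exportable {
        findings.push("key: exportable; anyone with secrets/getSecret on the vault can pull the private key".to_string());
    }
    if p.validity_months == 0 || p.validity_months > 13 {
        findings.push(format!(
            "validity: {} months; publicly trusted CAs cap leaf certificates at 398 days",
            p.validity_months
        ));
    }
    match p.renew_days_before_expiry {
        None => findings.push("renewal: no lifetime action, the certificate will silently expire".to_string()),
        // 28 days per month is a conservative lower bound on the validity in days.
        Some(d) if d >= p.validity_months * 28 => findings.push(format!(
            "renewal: trigger {d} days before expiry is not inside the validity window"
        )),
        Some(_) => {}
    }
    findings
}

/// A deliberately weak policy, constructed for this example.
pub fn weak_policy() -> PolicySpec {
    PolicySpec {
        issuer: Some("Self"),
        subject: "CN=example.com",
        dns_names: vec![],
        key: KeyType::Rsa { bits: 1024 },
        exportable: true,
        validity_months: 36,
        renew_days_before_expiry: None,
    }
}

/// The same certificate with every weak setting corrected.
pub fn hardened_policy() -> PolicySpec {
    PolicySpec {
        issuer: Some("corp-ca"), // hypothetical registered issuer name
        subject: "CN=example.com",
        dns_names: vec!["example.com", "www.example.com"],
        key: KeyType::Ec { curve: "P-256" },
        exportable: false,
        validity_months: 12,
        renew_days_before_expiry: Some(30),
    }
}

fn main() {
    for (label, p) in [("weak", weak_policy()), ("hardened", hardened_policy())] {
        let f = lint(&p);
        println!("{label}: {} finding(s)", f.len());
        for line in &f {
            println!("  - {line}");
        }
    }
}
```

Run the lint on the values, then copy them into the SDK's CertificatePolicy, IssuerParameters, KeyProperties and X509CertificateProperties; the exportable flag is the one most often left at a permissive value, because it turns a certificate into a secret readable by every principal with secrets/getSecret.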

Import Certificate

```rust
use azure_security_keyvault_certificates::models::ImportCertificateParameters;

// base64_cert_data: the PFX (PKCS#12) or PEM file contents, base64-encoded.
// An import carries the private key, so treat the source file and the PFX
// password as secrets: load them from a secret store or the environment
// rather than a string literal.
let params = ImportCertificateParameters {
    base64_encoded_certificate: Some(base64_cert_data),
    password: Some("optional-password".into()), // PFX password, if the file has one
    ..Default::default()
};

let certificate = client
    .import_certificate("cert-name", params.try_into()?, None)
    .await?
    .into_model()?;
```

Delete Certificate

```rust
client.delete_certificate("certificate-name", None).await?;
```

List Certificates

```rust
use azure_security_keyvault_certificates::ResourceExt;
use futures::TryStreamExt;

let mut pager = client.list_certificate_properties(None)?.into_stream();
while let Some(cert) = pager.try_next().await? {
    let name = cert.resource_id()?.name;
    println!("Certificate: {}", name);
}
```

Get Certificate Policy

```rust
let policy = client
    .get_certificate_policy("certificate-name", None)
    .await?
    .into_model()?;
```

Update Certificate Policy

```rust
use azure_security_keyvault_certificates::models::UpdateCertificatePolicyParameters;

let params = UpdateCertificatePolicyParameters {
    // Update policy properties
    ..Default::default()
};

client
    .update_certificate_policy("cert-name", params.try_into()?, None)
    .await?;
```

Certificate Lifecycle

  1. Create — generates a new key pair and certificate from a policy
  2. Import — import an existing PFX/PEM certificate, private key included
  3. Get — retrieve the certificate (public portion only; the private key, if the policy marks it exportable, is read through the secrets API)
  4. Update — modify certificate attributes (enabled, tags) or its policy
  5. Delete — soft delete (recoverable for the vault's retention period)
  6. Purge — permanent deletion of a soft-deleted certificate; blocked while purge protection is enabled

Best Practices

  1. Use Entra ID auth — DeveloperToolsCredential for dev, a managed identity for deployed workloads
  2. Use managed certificates — auto-renewal with supported issuers
  3. Set proper validity period — balance security and maintenance
  4. Use certificate policies — define renewal and key properties
  5. Monitor expiration — set up alerts for expiring certificates
  6. Enable soft delete — on by default for new vaults and required for production; add purge protection so a deleted certificate cannot be purged before the retention period ends
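Best practice 5 is the one most often left to a dashboard. The following is an added example, not SDK code and not from this page: the classification a practitioner runs over the items returned by list_certificate_properties to find certificates that are expired, close to expiry, or carry no expiry at all. Key Vault reports expiry as a timestamp; here it is modelled as Unix seconds, and the struct, the names and the inventory are constructed for the example. Mapping each pager item into CertSummary is left to the caller, since this example does not assume the SDK's field names.

```rust
// Added example (not SDK code): classify certificate expiry over an inventory.
// Timestamps are Unix seconds; struct and sample data are constructed here.

const DAY: u64 = 86_400;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Expiry {
    Expired { days_ago: u64 },
    Warning { days_left: u64 },
    Healthy { days_left: u64 },
    /// No expiry attribute at all: a finding, not "fine".
    Unknown,
}

#[derive(Debug, Clone)]
pub struct CertSummary {
    pub name: String,
    pub enabled: bool,
    pub expires: Option<u64>,
}

/// Classify one certificate relative to `now`, warning at `warn_days` or fewer left.
pub fn classify(now: u64, expires: Option<u64>, warn_days: u64) -> Expiry {
    match expires {
        None => Expiry::Unknown,
        Some(exp) if exp <= now => Expiry::Expired { days_ago: (now - exp) / DAY },
        Some(exp) => {
            let days_left = (exp - now) / DAY;
            if days_left <= warn_days {
                Expiry::Warning { days_left }
            } else {
                Expiry::Healthy { days_left }
            }
        }
    }
}

/// Everything that is not Healthy, soonest expiry first, unknown expiry last.
/// Disabled certificates stay in the list: a disabled cert still expires, and
/// a disabled-but-expiring entry usually means an abandoned rotation.
pub fn needs_attention(
    now: u64,
    certs: &[CertSummary],
    warn_days: u64,
) -> Vec<(String, bool, Expiry)> {
    let mut out: Vec<_> = certs
        .iter()
        .map(|c| (c, classify(now, c.expires, warn_days)))
        .filter(|(_, e)| !matches!(e, Expiry::Healthy { .. }))
        .collect();
    out.sort_by_key(|(c, _)| c.expires.unwrap_or(u64::MAX));
    out.into_iter()
        .map(|(c, e)| (c.name.clone(), c.enabled, e))
        .collect()
}

/// Constructed inventory standing in for the pager output.
pub fn sample_inventory(now: u64) -> Vec<CertSummary> {
    let cert = |name: &str, enabled: bool, expires: Option<u64>| CertSummary {
        name: name.to_string(),
        enabled,
        expires,
    };
    vec![
        cert("api-tls", true, Some(now + 10 * DAY)),
        cert("legacy-signing", true, Some(now - 3 * DAY - 1)),
        cert("intranet-tls", true, Some(now + 200 * DAY)),
        cert("imported-no-attrs", true, None),
        cert("disabled-old", false, Some(now + 5 * DAY)),
    ]
}

fn main() {
    let now: u64 = 1_700_000_000; // fixed "now" so the output is reproducible
    for (name, enabled, status) in needs_attention(now, &sample_inventory(now), 30) {
        println!("{name:<20} enabled={enabled:<5} {status:?}");
    }
}
```

Feed the report into whatever raises alerts; the Unknown bucket matters as much as Expired, because a certificate with no expiry attribute is one nobody is rotating.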

RBAC Permissions

Assign these Key Vault roles (vaults using the Azure RBAC permission model):
  • Key Vault Certificates Officer
    — full CRUD on certificates
  • Key Vault Reader
    — read certificate metadata
Neither role returns a certificate's private key. The key is read through the secrets data plane, so a workload that must load it needs a secrets-level role such as Key Vault Secrets User, scoped to that vault (or to the single certificate) rather than to the subscription.

Reference Links
