| name | azure-keyvault-certificates-rust |
| description | Azure Key Vault Certificates library for Rust. Create, manage, and use X.509 certificates including self-signed and CA-issued.
Triggers: "keyvault certificates rust", "CertificateClient rust", "create certificate rust", "self-signed certificate rust", "X.509 rust".
|
| license | MIT |
| metadata | {"author":"Microsoft","package":"azure_security_keyvault_certificates"} |
Azure Key Vault Certificates library for Rust
Manage X.509 certificates for TLS/SSL, code signing, and authentication.
Use this skill when:
- An app needs to create or manage X.509 certificates in Key Vault from Rust
- You need self-signed or CA-issued certificates
- You need long-running operations (LRO) for certificate issuance
- You need to sign data using a certificate's key
IMPORTANT: Only use the official azure_security_keyvault_certificates crate published by the azure-sdk crates.io user. Do NOT use unofficial or community crates. Official crates use underscores in names and none have version 0.21.0.
Installation
cargo add azure_security_keyvault_certificates azure_identity tokio futures
Do not add azure_core directly to Cargo.toml. It is re-exported by azure_security_keyvault_certificates.
Environment Variables
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
Authentication
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_certificates::CertificateClient;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let credential = DeveloperToolsCredential::new(None)?;
let client = CertificateClient::new(
"https://<vault-name>.vault.azure.net/",
credential.clone(),
None,
)?;
let cert = client
.get_certificate("cert-name", None)
.await?
.into_model()?;
println!("Certificate: {:?}", cert.id);
Ok(())
}
Core Workflow
Create Self-Signed Certificate (LRO)
Creating a certificate is a long-running operation. Poller<T> implements IntoFuture — just .await:
use azure_security_keyvault_certificates::{
models::{
CertificateCreateParameters, IssuerParameters, SecretProperties,
SubjectAlternativeNames, X509CertificateProperties,
},
ResourceExt,
};
let body = CertificateCreateParameters {
certificate_policy: Some(Box::new(
azure_security_keyvault_certificates::models::CertificatePolicy {
issuer_parameters: Some(IssuerParameters {
name: Some("Self".into()),
..Default::default()
}),
secret_properties: Some(SecretProperties {
content_type: Some("application/x-pkcs12".into()),
..Default::default()
}),
x509_certificate_properties: Some(X509CertificateProperties {
subject: Some("CN=example.com".into()),
subject_alternative_names: Some(SubjectAlternativeNames {
dns_names: Some(vec!["example.com".into()]),
..Default::default()
}),
..Default::default()
}),
..Default::default()
},
)),
..Default::default()
};
let cert = client
.create_certificate("cert-name", body.try_into()?, None)?
.await?
.into_model()?;
println!(
"Name: {:?}, Version: {:?}",
cert.resource_id()?.name,
cert.resource_id()?.version,
);
Update Certificate Properties
use azure_security_keyvault_certificates::models::CertificateUpdateParameters;
use std::collections::HashMap;
#[allow(clippy::needless_update)]
let params = CertificateUpdateParameters {
tags: Some(HashMap::from_iter(vec![("env".into(), "prod".into())])),
..Default::default()
};
client
.update_certificate("cert-name", params.try_into()?, None)
.await?
.into_model()?;
Delete Certificate
client.delete_certificate("cert-name", None).await?;
List Certificates (Pagination)
list_certificate_properties returns a Pager<T> — iterate items directly:
use azure_security_keyvault_certificates::ResourceExt;
use futures::TryStreamExt as _;
let mut pager = client.list_certificate_properties(None)?;
while let Some(cert) = pager.try_next().await? {
println!("Found: {}", cert.resource_id()?.name);
}
Signing with a Certificate's Key
Certificates in Key Vault have an associated key. Use the Key Vault Keys SDK for crypto operations:
use azure_security_keyvault_keys::{
models::{KeySignParameters, SignatureAlgorithm},
KeyClient,
};
let key_client = KeyClient::new(
"https://<vault-name>.vault.azure.net/",
credential.clone(),
None,
)?;
let digest = vec![0u8; 32];
let sign_params = KeySignParameters {
algorithm: Some(SignatureAlgorithm::Es256),
value: Some(digest),
..Default::default()
};
let result = key_client
.sign("cert-name", "", sign_params.try_into()?, None)
.await?
.into_model()?;
println!("Signature: {:?}", result.result);
Certificate Formats
| Format | Content Type | Use Case |
|---|
| PKCS#12 | application/x-pkcs12 | Bundled cert + private key |
| PEM | application/x-pem-file | Base64-encoded, common in Linux/web |
RBAC Roles
For Entra ID auth, assign one of these roles:
| Role | Access |
|---|
Key Vault Certificate User | Use certificates |
Key Vault Certificates Officer | Full certificate management |
Best Practices
- Use
DeveloperToolsCredential for local development and ManagedIdentityCredential for production. The Rust SDK does not support DefaultAzureCredential, so explicitly use the appropriate credential in each environment.
- Use
RequestContent::from() for sign payloads and .into_model() for certificate responses. Wrap operation inputs with RequestContent::from() and convert HTTP responses with .into_model()?.
- Assign appropriate RBAC roles for Entra ID auth. For production authentication using Entra ID, ensure the identity has the necessary RBAC role assigned (e.g., "Key Vault Certificates User" for certificate reads).
- Always verify package versions using crates.io. Before using a package, check its version on crates.io to ensure you are using a stable and supported release.
- Never hardcode credentials — use environment variables or managed identity
- Reuse clients —
CertificateClient is thread-safe; create once, share across tasks
Reference Links
