| certificate {AzureKeyVault} | R Documentation |
Certificate object
Description
This class represents a certificate stored in a vault. It provides methods for carrying out operations, including encryption and decryption, signing and verification, and wrapping and unwrapping.
Fields
This class provides the following fields:
-
cer: The contents of the certificate, in CER format. -
id: The ID of the certificate. -
kid: The ID of the key backing the certificate. -
sid: The ID of the secret backing the certificate. -
contentType: The content type of the secret backing the certificate. -
policy: The certificate management policy, containing the authentication details. -
x5t: The thumbprint of the certificate.
Methods
This class provides the following methods:
export(file)
export_cer(file)
sign(digest, ...)
verify(signature, digest, ...)
set_policy(subject=NULL, x509=NULL, issuer=NULL,
key=NULL, secret_type=NULL, actions=NULL,
attributes=NULL, wait=TRUE)
get_policy()
sync()
update_attributes(attributes=vault_object_attrs(), ...)
list_versions()
set_version(version=NULL)
delete(confirm=TRUE)
Arguments
-
file: Forexportandexport_cer, a connection object or a character string naming a file to export to. -
digest: Forsign, a hash digest string to sign. Forverify, a digest to compare to a signature. -
signature: Forverify, a signature string. -
subject,x509,issuer,key,secret_type,actions,wait: These are the same arguments as used when creating a new certificate. See certificates for more information. -
attributes: Forupdate_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function. -
...: Forupdate_attributes, additional key-specific properties to update. Forsignandverify, additional arguments for the corresponding key object methods. See keys and key. -
version: Forset_version, the version ID or NULL for the current version. -
confirm: Fordelete, whether to ask for confirmation before deleting the key.
Details
export exports the full certificate to a file. The format wll be either PEM or PFX (aka PKCS#12), as set by the format argument when the certificate was created. export_cer exports the public key component, aka the CER file. Note that the public key can also be found in the cer field of the object.
sign uses the key associated with the a certificate to sign a digest, and verify checks a signature against a digest for authenticity. See below for an example of using sign to do OAuth authentication with certificate credentials.
set_policy updates the authentication details of a certificate: its issuer, identity, key type, renewal actions, and so on. get_policy returns the current policy of a certificate.
A certificate can have multiple versions, which are automatically generated when a cert is created with the same name as an existing cert. By default, this object contains the information for the most recent (current) version; use list_versions and set_version to change the version.
Value
For get_policy, a list of certificate policy details.
For list_versions, a data frame containing details of each version.
For set_version, the key object with the updated version.
See Also
Azure Key Vault documentation, Azure Key Vault API reference
Examples
## Not run:
vault <- key_vault("mykeyvault")
cert <- vault$certificates$create("mynewcert")
cert$cer
cert$export("mynewcert.pem")
# new version of an existing certificate
vault$certificates$create("mynewcert", x509=cert_x509_properties(validity_months=24))
cert <- vault$certificates$get("mynewcert")
vers <- cert$list_versions()
cert$set_version(vers[2])
# updating an existing cert version
cert$set_policy(x509=cert_x509_properties(validity_months=12))
## signing a JSON web token (JWT) for authenticating with Azure Active Directory
app <- "app_id"
tenant <- "tenant_id"
claim <- jose::jwt_claim(
iss=app,
sub=app,
aud="https://login.microsoftonline.com/tenant_id/oauth2/token",
exp=as.numeric(Sys.time() + 60*60),
nbf=as.numeric(Sys.time())
)
# header includes cert thumbprint
header <- list(alg="RS256", typ="JWT", x5t=cert$x5t)
token_encode <- function(x)
{
jose::base64url_encode(jsonlite::toJSON(x, auto_unbox=TRUE))
}
token_contents <- paste(token_encode(header), token_encode(claim), sep=".")
# get the signature and concatenate it with header and claim to form JWT
sig <- cert$sign(openssl::sha256(charToRaw(token_contents)))
cert_creds <- paste(token_contents, sig, sep=".")
AzureAuth::get_azure_token("resource_url", tenant, app, certificate=cert_creds)
## End(Not run)