Certificate object

This class represents a certificate stored in a vault. It provides methods for carrying out operations, including encryption and decryption, signing and verification, and wrapping and unwrapping.


export exports the full certificate to a file. The format wll be either PEM or PFX (aka PKCS#12), as set by the format argument when the certificate was created. export_cer exports the public key component, aka the CER file. Note that the public key can also be found in the cer field of the object.

sign uses the key associated with the a certificate to sign a digest, and verify checks a signature against a digest for authenticity. See below for an example of using sign to do OAuth authentication with certificate credentials.

set_policy updates the authentication details of a certificate: its issuer, identity, key type, renewal actions, and so on. get_policy returns the current policy of a certificate.

A certificate can have multiple versions, which are automatically generated when a cert is created with the same name as an existing cert. By default, this object contains the information for the most recent (current) version; use list_versions and set_version to change the version.


For get_policy, a list of certificate policy details.

For list_versions, a data frame containing details of each version.

For set_version, the key object with the updated version.


This class provides the following fields:

  • cer: The contents of the certificate, in CER format.

  • id: The ID of the certificate.

  • kid: The ID of the key backing the certificate.

  • sid: The ID of the secret backing the certificate.

  • contentType: The content type of the secret backing the certificate.

  • policy: The certificate management policy, containing the authentication details.

  • x5t: The thumbprint of the certificate.


This class provides the following methods:

sign(digest, ...)
verify(signature, digest, ...)
set_policy(subject=NULL, x509=NULL, issuer=NULL,
           key=NULL, secret_type=NULL, actions=NULL,
           attributes=NULL, wait=TRUE)

update_attributes(attributes=vault_object_attrs(), ...) list_versions() set_version(version=NULL) delete(confirm=TRUE)


  • file: For export and export_cer, a connection object or a character string naming a file to export to.

  • digest: For sign, a hash digest string to sign. For verify, a digest to compare to a signature.

  • signature: For verify, a signature string.

  • subject,x509,issuer,key,secret_type,actions,wait: These are the same arguments as used when creating a new certificate. See certificates for more information.

  • attributes: For update_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.

  • ...: For update_attributes, additional key-specific properties to update. For sign and verify, additional arguments for the corresponding key object methods. See keys and key.

  • version: For set_version, the version ID or NULL for the current version.

  • confirm: For delete, whether to ask for confirmation before deleting the key.

See Also


Azure Key Vault documentation, Azure Key Vault API reference

  • certificate
  • cert
vault <- key_vault("mykeyvault")

cert <- vault$certificates$create("mynewcert")

# new version of an existing certificate
vault$certificates$create("mynewcert", x509=cert_x509_properties(validity_months=24))

cert <- vault$certificates$get("mynewcert")
vers <- cert$list_versions()

# updating an existing cert version

## signing a JSON web token (JWT) for authenticating with Azure Active Directory
app <- "app_id"
tenant <- "tenant_id"
claim <- jose::jwt_claim(
    exp=as.numeric(Sys.time() + 60*60),
# header includes cert thumbprint
header <- list(alg="RS256", typ="JWT", x5t=cert$x5t)

token_encode <- function(x)
    jose::base64url_encode(jsonlite::toJSON(x, auto_unbox=TRUE))
token_contents <- paste(token_encode(header), token_encode(claim), sep=".")

# get the signature and concatenate it with header and claim to form JWT
sig <- cert$sign(openssl::sha256(charToRaw(token_contents)))
cert_creds <- paste(token_contents, sig, sep=".")

AzureAuth::get_azure_token("resource_url", tenant, app, certificate=cert_creds)

# }
Documentation reproduced from package AzureKeyVault, version 1.0.0, License: MIT + file LICENSE

Community examples

Looks like there are no examples yet.