Get Certificate - Get Certificate
Gets information about a certificate.
Gets information about a specific certificate. This operation requires the certificates/get permission.
```http
GET {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=2025-07-01
```
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| certificate-name | path | True | string | The name of the certificate in the given vault. |
| certificate-version | path | True | string | The version of the certificate. This URI fragment is optional. If not specified, the latest version of the certificate is returned. |
| vault | path | True | string (uri) | |
| api-version | query | True | string, minLength: 1 | The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | The request has succeeded. |
| Other Status Codes | | An unexpected error response. |
Security
OAuth2Auth
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| https://vault.azure.net/.default | |
Examples
GetCertificate
Sample request
```http
GET https://myvault.vault.azure.net//certificates/selfSignedCert01/pending?api-version=2025-07-01
```
Sample response
```json
{
  "id": "https://myvault.vault.azure.net/certificates/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "kid": "https://myvault.vault.azure.net/keys/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "sid": "https://myvault.vault.azure.net/secrets/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "x5t": "fLi3U52HunIVNXubkEnf8tP6Wbo",
  "cer": "...",
  "attributes": {
    "enabled": true,
    "nbf": 1430344421,
    "exp": 2208988799,
    "created": 1493938289,
    "updated": 1493938291,
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "policy": {
    "id": "https://myvault.vault.azure.net/certificates/selfSignedCert01/policy",
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "CN=KeyVaultTest",
      "ekus": [],
      "key_usage": [],
      "validity_months": 297
    },
    "lifetime_actions": [
      {
        "trigger": {
          "lifetime_percentage": 80
        },
        "action": {
          "action_type": "EmailContacts"
        }
      }
    ],
    "issuer": {
      "name": "Unknown"
    },
    "attributes": {
      "enabled": true,
      "created": 1493938289,
      "updated": 1493938291
    }
  }
}
```
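The bundle returned by this operation carries several fields a reviewer would check: `recoveryLevel`, `key_props.exportable`, `key_usage`, validity and the lifetime actions. The following Python is an added example, not part of the Key Vault documentation; `audit_bundle`, its thresholds (`min_rsa_bits`, `max_validity_months`) and the finding texts are assumptions of the example, and the input is constructed from the sample response above.

```python
from datetime import datetime, timezone

# Constructed input: the policy-relevant fields of the sample response above.
SAMPLE_BUNDLE = {
    "attributes": {"enabled": True, "nbf": 1430344421, "exp": 2208988799,
                   "recoveryLevel": "Recoverable+Purgeable"},
    "policy": {
        "key_props": {"exportable": True, "kty": "RSA", "key_size": 2048,
                      "reuse_key": False},
        "x509_props": {"ekus": [], "key_usage": [], "validity_months": 297},
        "lifetime_actions": [{"trigger": {"lifetime_percentage": 80},
                              "action": {"action_type": "EmailContacts"}}],
    },
}


def audit_bundle(bundle, now=None, min_rsa_bits=2048, max_validity_months=13):
    """Return {field: finding} for a CertificateBundle dict."""
    # The thresholds are assumptions of this example, not Key Vault rules.
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    attrs = bundle.get("attributes", {})
    policy = bundle.get("policy", {})
    key = policy.get("key_props", {})
    x509 = policy.get("x509_props", {})
    findings = {}
    if not attrs.get("enabled", False):
        findings["attributes.enabled"] = "certificate is disabled"
    if attrs.get("nbf") is not None and now < attrs["nbf"]:
        findings["attributes.nbf"] = "not yet valid"
    if attrs.get("exp") is not None and now >= attrs["exp"]:
        findings["attributes.exp"] = "expired"
    if "Purgeable" in attrs.get("recoveryLevel", ""):
        findings["attributes.recoveryLevel"] = "privileged user can purge"
    if key.get("exportable"):
        findings["key_props.exportable"] = "private key can be exported"
    if key.get("kty", "").startswith("RSA") and key.get("key_size", 0) < min_rsa_bits:
        findings["key_props.key_size"] = "RSA key below minimum size"
    if key.get("reuse_key"):
        findings["key_props.reuse_key"] = "same key pair kept on renewal"
    if x509.get("validity_months", 0) > max_validity_months:
        findings["x509_props.validity_months"] = "validity exceeds maximum"
    if not x509.get("key_usage"):
        findings["x509_props.key_usage"] = "no key usage restriction set"
    actions = {a.get("action", {}).get("action_type")
               for a in policy.get("lifetime_actions", [])}
    if "AutoRenew" not in actions:
        findings["lifetime_actions"] = "no AutoRenew action configured"
    return findings
```

Pass a fixed `now` (Unix time) to get reproducible results when auditing stored responses.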
Definitions
| Name | Description |
|---|---|
| Action | The action that will be executed. |
| CertificateAttributes | The certificate management attributes. |
| CertificateBundle | A certificate bundle consists of a certificate (X509) plus its attributes. |
| CertificatePolicy | Management policy for a certificate. |
| CertificatePolicyAction | The type of the action. |
| DeletionRecoveryLevel | Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret, at the end of the retention interval. |
| Error | |
| IssuerParameters | Parameters for the issuer of the X509 component of a certificate. |
| JsonWebKeyCurveName | Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
| JsonWebKeyType | The type of key pair to be used for the certificate. |
| KeyProperties | Properties of the key pair backing a certificate. |
| KeyUsageType | Supported usages of a certificate key. |
| KeyVaultError | The key vault error exception. |
| LifetimeAction | Action and its trigger that will be performed by Key Vault over the lifetime of a certificate. |
| SecretProperties | Properties of the key backing a certificate. |
| SubjectAlternativeNames | The Subject Alternative Names of an X509 object. |
| Trigger | A condition to be satisfied for an action to be executed. |
| X509CertificateProperties | Properties of the X509 component of a certificate. |
Action
The action that will be executed.
| Name | Type | Description |
|---|---|---|
| action_type | | The type of the action. |
CertificateAttributes
The certificate management attributes.
| Name | Type | Description |
|---|---|---|
| created | integer (unixtime) | Creation time in UTC. |
| enabled | boolean | Determines whether the object is enabled. |
| exp | integer (unixtime) | Expiry date in UTC. |
| nbf | integer (unixtime) | Not before date in UTC. |
| recoverableDays | integer (int32) | softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. |
| recoveryLevel | | Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. |
| updated | integer (unixtime) | Last updated time in UTC. |
CertificateBundle
A certificate bundle consists of a certificate (X509) plus its attributes.
| Name | Type | Description |
|---|---|---|
| attributes | | The certificate attributes. |
| cer | string (byte) | CER contents of x509 certificate. |
| contentType | string | The content type of the secret, e.g. 'application/x-pem-file' or 'application/x-pkcs12'. |
| id | string | The certificate id. |
| kid | string | The key id. |
| policy | | The management policy. |
| preserveCertOrder | boolean | Specifies whether the certificate chain preserves its original order. The default value is false, which sets the leaf certificate at index 0. |
| sid | string | The secret id. |
| tags | object | Application specific metadata in the form of key-value pairs. |
| x5t | string (base64url) | Thumbprint of the certificate. |
CertificatePolicy
Management policy for a certificate.
| Name | Type | Description |
|---|---|---|
| attributes | | The certificate attributes. |
| id | string | The certificate id. |
| issuer | | Parameters for the issuer of the X509 component of a certificate. |
| key_props | | Properties of the key backing a certificate. |
| lifetime_actions | | Actions that will be performed by Key Vault over the lifetime of a certificate. |
| secret_props | | Properties of the secret backing a certificate. |
| x509_props | | Properties of the X509 component of a certificate. |
CertificatePolicyAction
The type of the action.
| Value | Description |
|---|---|
| EmailContacts | A certificate policy that will email certificate contacts. |
| AutoRenew | A certificate policy that will auto-renew a certificate. |
DeletionRecoveryLevel
Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret, at the end of the retention interval.
| Value | Description |
|---|---|
| Purgeable | Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.) |
| Recoverable+Purgeable | Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System will permanently delete it after 90 days, if not recovered. |
| Recoverable | Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days) and while the subscription is still available. System will permanently delete it after 90 days, if not recovered. |
| Recoverable+ProtectedSubscription | Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System will permanently delete it after 90 days, if not recovered. |
| CustomizedRecoverable+Purgeable | Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled. |
| CustomizedRecoverable | Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available. |
| CustomizedRecoverable+ProtectedSubscription | Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled. |
Error
| Name | Type | Description |
|---|---|---|
| code | string | The error code. |
| innererror | | The key vault server error. |
| message | string | The error message. |
IssuerParameters
Parameters for the issuer of the X509 component of a certificate.
| Name | Type | Description |
|---|---|---|
| cert_transparency | boolean | Indicates if the certificates generated under this policy should be published to certificate transparency logs. |
| cty | string | Certificate type as supported by the provider (optional); for example 'OV-SSL', 'EV-SSL' |
| name | string | Name of the referenced issuer object or reserved names; for example, 'Self' or 'Unknown'. |
JsonWebKeyCurveName
Elliptic curve name. For valid values, see JsonWebKeyCurveName.
| Value | Description |
|---|---|
| P-256 | The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. |
| P-384 | The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. |
| P-521 | The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. |
| P-256K | The SECG SECP256K1 elliptic curve. |
JsonWebKeyType
The type of key pair to be used for the certificate.
| Value | Description |
|---|---|
| EC | Elliptic Curve. |
| EC-HSM | Elliptic Curve with a private key which is not exportable from the HSM. |
| RSA | |
| RSA-HSM | RSA with a private key which is not exportable from the HSM. |
| oct | Octet sequence (used to represent symmetric keys). |
| oct-HSM | Octet sequence with a private key which is not exportable from the HSM. |
KeyProperties
Properties of the key pair backing a certificate.
| Name | Type | Description |
|---|---|---|
| crv | | Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
| exportable | boolean | Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. |
| key_size | integer (int32) | The key size in bits. For example: 2048, 3072, or 4096 for RSA. |
| kty | | The type of key pair to be used for the certificate. |
| reuse_key | boolean | Indicates if the same key pair will be used on certificate renewal. |
KeyUsageType
Supported usages of a certificate key.
| Value | Description |
|---|---|
| digitalSignature | Indicates that the certificate key can be used as a digital signature. |
| nonRepudiation | Indicates that the certificate key can be used for authentication. |
| keyEncipherment | Indicates that the certificate key can be used for key encryption. |
| dataEncipherment | Indicates that the certificate key can be used for data encryption. |
| keyAgreement | Indicates that the certificate key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm. |
| keyCertSign | Indicates that the certificate key can be used to sign certificates. |
| cRLSign | Indicates that the certificate key can be used to sign a certificate revocation list. |
| encipherOnly | Indicates that the certificate key can be used for encryption only. |
| decipherOnly | Indicates that the certificate key can be used for decryption only. |
KeyVaultError
The key vault error exception.
| Name | Type | Description |
|---|---|---|
| error | | The key vault server error. |
LifetimeAction
Action and its trigger that will be performed by Key Vault over the lifetime of a certificate.
| Name | Type | Description |
|---|---|---|
| action | | The action that will be executed. |
| trigger | | The condition that will execute the action. |
SecretProperties
Properties of the key backing a certificate.
| Name | Type | Description |
|---|---|---|
| contentType | string | The media type (MIME type). |
SubjectAlternativeNames
The Subject Alternative Names of an X509 object.
| Name | Type | Description |
|---|---|---|
| dns_names | string[] | Domain Names. |
| emails | string[] | Email addresses. |
| ipAddresses | string[] | IP addresses; supports IPv4 and IPv6. |
| upns | string[] | User Principal Names. |
| uris | string[] | Uniform Resource Identifiers. |
Trigger
A condition to be satisfied for an action to be executed.
| Name | Type | Description |
|---|---|---|
| days_before_expiry | integer (int32) | Days before expiry to attempt renewal. Value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). |
| lifetime_percentage | integer (int32), minimum: 1, maximum: 99 | Percentage of lifetime at which to trigger. Value should be between 1 and 99. |
X509CertificateProperties
Properties of the X509 component of a certificate.
| Name | Type | Description |
|---|---|---|
| ekus | string[] | The enhanced key usage. |
| key_usage | | Defines how the certificate's key may be used. |
| sans | | The subject alternative names. |
| subject | string | The subject name. Should be a valid X509 distinguished Name. |
| validity_months | integer (int32), minimum: 0 | The duration that the certificate is valid in months. |