azure-keyvault-certificates-rust

Azure Key Vault Certificates SDK for Rust. Use for creating, importing, and managing certificates.

31,355 stars

Complexity: medium

About this skill

This skill provides a programmatic interface for AI agents to interact with Azure Key Vault's certificate management features using a Rust client library. It empowers agents to securely create new certificates, import existing ones, retrieve certificate details, update, and delete certificates. Designed for developers integrating AI agents with cloud infrastructure, it streamlines automated certificate lifecycle management and ensures secure handling of cryptographic assets for various applications and services. Authentication is handled via Azure Identity.

Best use case

Automating the creation and renewal of TLS/SSL certificates for web services and APIs. Programmatically importing pre-existing certificates (e.g., from an on-premises CA) into Azure Key Vault for centralized management. Managing application-specific client certificates required for secure communication and authentication. Enabling AI agents to provision or update certificates needed by other services or microservices they orchestrate. Implementing automated certificate rotation and expiry monitoring for enhanced security posture.

Azure Key Vault Certificates SDK for Rust. Use for creating, importing, and managing certificates.

Successful creation, import, retrieval, or deletion of certificates within the specified Azure Key Vault. Automated and secure management of certificate lifecycles, reducing manual overhead and human error. Access to certificate details and metadata, allowing agents to make informed decisions or provide status updates. Enhanced security posture for applications by ensuring certificates are properly managed and rotated.

Practical example

Example input

"Create a new self-signed certificate named 'webapp-tls-cert' valid for 365 days in the 'contoso-prod-vault' with subject 'CN=www.contoso.com'."
"Import a PFX certificate file into Azure Key Vault 'app-services-vault' under the name 'legacy-api-auth-cert' from the provided base64 encoded string."
"Retrieve the latest version of the certificate 'backend-service-auth' from Azure Key Vault 'dev-vault' and display its expiry date."

Example output

```json
{
  "status": "success",
  "operation": "certificate_created",
  "certificate_name": "webapp-tls-cert",
  "vault_url": "https://contoso-prod-vault.vault.azure.net/",
  "certificate_id": "https://contoso-prod-vault.vault.azure.net/certificates/webapp-tls-cert/f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6"
}
```
```json
{
  "status": "success",
  "operation": "certificate_imported",
  "certificate_name": "legacy-api-auth-cert",
  "vault_url": "https://app-services-vault.vault.azure.net/",
  "message": "Certificate imported successfully."
}
```
```json
{
  "status": "success",
  "operation": "certificate_retrieved",
  "certificate_name": "backend-service-auth",
  "vault_url": "https://dev-vault.vault.azure.net/",
  "expiry_date": "2027-01-01T12:00:00Z",
  "thumbprint": "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0"
}
```

When to use this skill

When an AI agent needs to directly manage the lifecycle of certificates stored in Azure Key Vault.
When certificate provisioning, renewal, or import processes need to be automated by an AI system.
When Rust is the preferred language for developing the underlying logic or integrations for the AI agent.
When secure, auditable, and centralized management of cryptographic certificates is a requirement for agent operations.

When not to use this skill

If certificate management is handled entirely manually through the Azure Portal or CLI, without agent involvement.
If the AI agent's tasks do not involve direct interaction with Azure Key Vault certificates.
If a different programming language (e.g., Python, JavaScript) is preferred, as this skill is Rust-specific.
For managing secrets or cryptographic keys, which are separate (though related) functionalities within Azure Key Vault.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/azure-keyvault-certificates-rust/SKILL.md --create-dirs "https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/plugins/antigravity-awesome-skills-claude/skills/azure-keyvault-certificates-rust/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/azure-keyvault-certificates-rust/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How azure-keyvault-certificates-rust Compares

Feature / Agent	azure-keyvault-certificates-rust	Standard Approach
Platform Support	Claude	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	medium	N/A

Frequently Asked Questions

What does this skill do?

Azure Key Vault Certificates SDK for Rust. Use for creating, importing, and managing certificates.

Which AI agents support this skill?

This skill is designed for Claude.

How difficult is it to install?

The installation complexity is rated as medium. You can find the installation instructions above.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# Azure Key Vault Certificates SDK for Rust

Client library for Azure Key Vault Certificates — secure storage and management of certificates.

## Installation

```sh
cargo add azure_security_keyvault_certificates azure_identity
```

## Environment Variables

```bash
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```

## Authentication

```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_certificates::CertificateClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = CertificateClient::new(
    "https://<vault-name>.vault.azure.net/",
    credential.clone(),
    None,
)?;
```

## Core Operations

### Get Certificate

```rust
use azure_core::base64;

let certificate = client
    .get_certificate("certificate-name", None)
    .await?
    .into_model()?;

println!(
    "Thumbprint: {:?}",
    certificate.x509_thumbprint.map(base64::encode_url_safe)
);
```

### Create Certificate

```rust
use azure_security_keyvault_certificates::models::{
    CreateCertificateParameters, CertificatePolicy,
    IssuerParameters, X509CertificateProperties,
};

let policy = CertificatePolicy {
    issuer_parameters: Some(IssuerParameters {
        name: Some("Self".into()),
        ..Default::default()
    }),
    x509_certificate_properties: Some(X509CertificateProperties {
        subject: Some("CN=example.com".into()),
        ..Default::default()
    }),
    ..Default::default()
};

let params = CreateCertificateParameters {
    certificate_policy: Some(policy),
    ..Default::default()
};

let operation = client
    .create_certificate("cert-name", params.try_into()?, None)
    .await?;
```

### Import Certificate

```rust
use azure_security_keyvault_certificates::models::ImportCertificateParameters;

let params = ImportCertificateParameters {
    base64_encoded_certificate: Some(base64_cert_data),
    password: Some("optional-password".into()),
    ..Default::default()
};

let certificate = client
    .import_certificate("cert-name", params.try_into()?, None)
    .await?
    .into_model()?;
```

### Delete Certificate

```rust
client.delete_certificate("certificate-name", None).await?;
```

### List Certificates

```rust
use azure_security_keyvault_certificates::ResourceExt;
use futures::TryStreamExt;

let mut pager = client.list_certificate_properties(None)?.into_stream();
while let Some(cert) = pager.try_next().await? {
    let name = cert.resource_id()?.name;
    println!("Certificate: {}", name);
}
```

### Get Certificate Policy

```rust
let policy = client
    .get_certificate_policy("certificate-name", None)
    .await?
    .into_model()?;
```

### Update Certificate Policy

```rust
use azure_security_keyvault_certificates::models::UpdateCertificatePolicyParameters;

let params = UpdateCertificatePolicyParameters {
    // Update policy properties
    ..Default::default()
};

client
    .update_certificate_policy("cert-name", params.try_into()?, None)
    .await?;
```

## Certificate Lifecycle

1. **Create** — generates new certificate with policy
2. **Import** — import existing PFX/PEM certificate
3. **Get** — retrieve certificate (public key only)
4. **Update** — modify certificate properties
5. **Delete** — soft delete (recoverable)
6. **Purge** — permanent deletion

## Best Practices

1. **Use Entra ID auth** — `DeveloperToolsCredential` for dev
2. **Use managed certificates** — auto-renewal with supported issuers
3. **Set proper validity period** — balance security and maintenance
4. **Use certificate policies** — define renewal and key properties
5. **Monitor expiration** — set up alerts for expiring certificates
6. **Enable soft delete** — required for production vaults

## RBAC Permissions

Assign these Key Vault roles:
- `Key Vault Certificates Officer` — full CRUD on certificates
- `Key Vault Reader` — read certificate metadata

## Reference Links

| Resource | Link |
|----------|------|
| API Reference | https://docs.rs/azure_security_keyvault_certificates |
| Source Code | https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/keyvault/azure_security_keyvault_certificates |
| crates.io | https://crates.io/crates/azure_security_keyvault_certificates |

## When to Use
This skill is applicable to execute the workflow or actions described in the overview.

Cloud ManagementClaude