Certificate Access Control

Access control for certificates is managed by Key Vault and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault: a principal that can read secrets in a vault has no access to its certificates unless the certificates entry grants it. Users may create one or more vaults to hold certificates, to maintain scenario-appropriate segmentation and management of certificates.

The following permissions can be used, on a per-principal basis, in the certificates access control entry on a key vault; they closely mirror the operations allowed on a certificate object:

  • Permissions for certificate management operations

    • get: Get the current certificate version, or any version of a certificate
    • list: List the current certificates, or the versions of a certificate
    • update: Update a certificate
    • create: Create a Key Vault certificate
    • import: Import certificate material into a Key Vault certificate
    • delete: Delete a certificate, its policy, and all of its versions
    • recover: Recover a deleted certificate
    • backup: Back up a certificate in a key vault
    • restore: Restore a backed-up certificate to a key vault
    • managecontacts: Manage Key Vault certificate contacts
    • manageissuers: Manage Key Vault certificate authorities/issuers
    • getissuers: Get a certificate's authorities/issuers
    • listissuers: List a certificate's authorities/issuers
    • setissuers: Create or update a Key Vault certificate's authorities/issuers
    • deleteissuers: Delete a Key Vault certificate's authorities/issuers
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted certificate

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Update Access Policy.

Troubleshoot

You may see an error due to a missing access policy, for example: "Error type : Access denied or user is unauthorized to create certificate". To resolve this error, add the certificates/create permission for that principal in the vault's access policy. Granting the principal get or list on keys or secrets does not help, because those entries are evaluated separately from the certificates entry.
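As an added example (not code from the Key Vault documentation or the Azure SDK), the following Python script reads an access policy list in the shape that az keyvault show returns under properties.accessPolicies and checks which of the certificate permissions listed above a principal actually holds. It demonstrates both points on this page: a principal that holds secrets/get and secrets/list but nothing in its certificates entry is refused certificates/create, which is the condition behind the "Access denied or user is unauthorized to create certificate" error, and purge is reported separately as the one privileged certificate permission. All object IDs and the tenant ID are constructed placeholders, and the JSON shape (objectId, tenantId, permissions.certificates) is assumed from the ARM access-policy format rather than taken from this page.

```python
"""Check which certificate permissions a principal holds in a Key Vault access policy.

Added example, not code from the Key Vault documentation or the Azure SDK.
The policy list below is a constructed stand-in for the accessPolicies array
that az keyvault show returns; every objectId and tenantId is a placeholder.
"""
import json

# Permission names valid in the certificates access control entry, as listed above.
CERT_MANAGEMENT = {
    "get", "list", "update", "create", "import", "delete", "recover",
    "backup", "restore", "managecontacts", "manageissuers", "getissuers",
    "listissuers", "setissuers", "deleteissuers",
}
CERT_PRIVILEGED = {"purge"}          # permanently destroys a deleted certificate
CERT_PERMISSIONS = CERT_MANAGEMENT | CERT_PRIVILEGED

# Constructed sample policy (assumed ARM shape: objectId, tenantId, permissions.*).
# Principal 1111... only has secret permissions, which do not carry over to certificates.
# Principal 2222... has a least-privilege set for creating and rotating certificates.
# Principal 3333... holds purge, the one privileged certificate permission.
SAMPLE_POLICY_JSON = """
[
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "tenantId": "00000000-0000-0000-0000-000000000000",
   "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}},
  {"objectId": "22222222-2222-2222-2222-222222222222",
   "tenantId": "00000000-0000-0000-0000-000000000000",
   "permissions": {"keys": [], "secrets": [],
                   "certificates": ["get", "list", "create", "update"]}},
  {"objectId": "33333333-3333-3333-3333-333333333333",
   "tenantId": "00000000-0000-0000-0000-000000000000",
   "permissions": {"keys": [], "secrets": [], "certificates": ["Get", "Purge"]}}
]
"""


def load_policies(policy_json):
    """Parse the accessPolicies array (a JSON list of policy entries)."""
    return json.loads(policy_json)


def certificate_permissions(policies, object_id):
    """Certificate permissions granted to object_id, lower-cased.

    Only the certificates entry counts: keys and secrets permissions on the
    same vault never grant certificate operations. Permission names are
    compared case-insensitively because tooling emits them in mixed case.
    """
    granted = set()
    for entry in policies:
        if entry.get("objectId") == object_id:
            certs = entry.get("permissions", {}).get("certificates", [])
            granted |= {p.lower() for p in certs}
    unknown = granted - CERT_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown certificate permission(s): {sorted(unknown)}")
    return granted


def check_certificate_permission(policies, object_id, permission):
    """Return (allowed, message) for one permission name such as 'create'.

    A False result is the condition behind the 'Access denied or user is
    unauthorized to create certificate' error in the Troubleshoot section.
    """
    permission = permission.lower()
    if permission not in CERT_PERMISSIONS:
        raise ValueError(f"not a certificate permission: {permission}")
    granted = certificate_permissions(policies, object_id)
    if permission in granted:
        return True, f"{object_id}: certificates/{permission} granted"
    return False, (f"{object_id}: Access denied, missing certificates/{permission} "
                   f"(granted: {sorted(granted) or 'none'})")


def privileged_principals(policies):
    """Object IDs holding any privileged certificate permission (currently purge)."""
    return sorted({
        entry["objectId"] for entry in policies
        if CERT_PRIVILEGED & certificate_permissions(policies, entry["objectId"])
    })


if __name__ == "__main__":
    policies = load_policies(SAMPLE_POLICY_JSON)
    for oid in sorted({entry["objectId"] for entry in policies}):
        print(check_certificate_permission(policies, oid, "create")[1])
    print("purge holders:", privileged_principals(policies))
```

To run this against a real vault, replace SAMPLE_POLICY_JSON with the output of az keyvault show --name <vault> --query properties.accessPolicies. When the check reports a missing certificates/create, the fix is the one described above: grant that permission to the principal, for example with az keyvault set-policy --name <vault> --object-id <object-id> --certificate-permissions get list create, or through the Vaults - Update Access Policy REST operation. Keep purge out of routine service principals; the script lists its holders so they can be reviewed on their own.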

Next steps