Azure · azure-sdk · May 18, 2026 · May 21, 2026 · May 25, 2026
@@ -1,14 +1,12 @@
 # Release History
 
-## 1.5.0-beta.2 (Unreleased)
-
+## 1.5.0-beta.2 (2026-05-18)
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
+- New struct `PlatformManaged`
+- New field `PlatformManaged` in struct `CertificatePolicy`
+- New function `NewPlatformManaged`
 
-### Other Changes
 
 ## 1.5.0-beta.1 (2026-04-08)
 

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "go",
   "TagPrefix": "go/security/keyvault/azcertificates",
-  "Tag": "go/security/keyvault/azcertificates_6fa8ef386c"
+  "Tag": "go/security/keyvault/azcertificates_fa9d1951e5"
 }
@@ -25,6 +25,14 @@ type ClientOptions struct {
 	DisableChallengeResourceVerification bool
 }
 
+// NewPlatformManaged creates a PlatformManaged certificate policy configuration.
+func NewPlatformManaged(certificateUsage string, metadata map[string]any) *PlatformManaged {
+	return &PlatformManaged{
+		CertificateUsage: &certificateUsage,
+		Metadata:         metadata,
+	}
+}
+
 // NewClient creates a client that accesses a Key Vault's certificates. You should validate that
 // vaultURL references a valid Key Vault. See https://aka.ms/azsdk/blog/vault-uri for details.
 func NewClient(vaultURL string, credential azcore.TokenCredential, options *ClientOptions) (*Client, error) {

@@ -0,0 +1,142 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+package azcertificates
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewPlatformManaged(t *testing.T) {
+	metadata := map[string]any{
+		"issuer":       "internal-ca",
+		"rotationDays": 90,
+	}
+
+	pm := NewPlatformManaged("tls-server", metadata)
+
+	require.NotNil(t, pm.CertificateUsage)
+	require.Equal(t, "tls-server", *pm.CertificateUsage)
+	require.Equal(t, metadata, pm.Metadata)
+}
+
+func TestNewPlatformManagedNilMetadata(t *testing.T) {
+	pm := NewPlatformManaged("tls-server", nil)
+
+	require.NotNil(t, pm.CertificateUsage)
+	require.Equal(t, "tls-server", *pm.CertificateUsage)
+	require.Nil(t, pm.Metadata)
+
+	data, err := json.Marshal(pm)
+	require.NoError(t, err)
+	require.JSONEq(t, `{
+		"certificateUsage": "tls-server"
+	}`, string(data))
+}
+
+func TestPlatformManagedSerde(t *testing.T) {
+	policy := CertificatePolicy{
+		IssuerParameters: &IssuerParameters{Name: to.Ptr("Self")},
+		PlatformManaged: NewPlatformManaged("tls-server", map[string]any{
+			"issuer": "internal-ca",
+			"nested": map[string]any{
+				"enabled": true,
+			},
+			"usages": []any{"server", "client"},
+		}),
+	}
+
+	data, err := json.Marshal(policy)
+	require.NoError(t, err)
+	require.JSONEq(t, `{
+		"issuer": {"name": "Self"},
+		"platformManaged": {
+			"certificateUsage": "tls-server",
+			"metadata": {
+				"issuer": "internal-ca",
+				"nested": {"enabled": true},
+				"usages": ["server", "client"]
+			}
+		}
+	}`, string(data))
+
+	var roundTrip CertificatePolicy
+	err = json.Unmarshal(data, &roundTrip)
+	require.NoError(t, err)
+	require.NotNil(t, roundTrip.PlatformManaged)
+	require.NotNil(t, roundTrip.PlatformManaged.CertificateUsage)
+	require.Equal(t, "tls-server", *roundTrip.PlatformManaged.CertificateUsage)
+	require.Equal(t, "internal-ca", roundTrip.PlatformManaged.Metadata["issuer"])
+	require.Equal(t, map[string]any{"enabled": true}, roundTrip.PlatformManaged.Metadata["nested"])
+	require.Equal(t, []any{"server", "client"}, roundTrip.PlatformManaged.Metadata["usages"])
+}
+
+func TestCreateCertificateRequestIncludesPlatformManaged(t *testing.T) {
+	client := &Client{vaultBaseUrl: "https://fakevault.vault.azure.net"}
+	parameters := CreateCertificateParameters{
+		CertificatePolicy: &CertificatePolicy{
+			IssuerParameters: &IssuerParameters{Name: to.Ptr("Self")},
+			PlatformManaged: NewPlatformManaged("tls-server", map[string]any{
+				"issuer":       "internal-ca",
+				"rotationDays": 90,
+			}),
+		},
+	}
+
+	req, err := client.createCertificateCreateRequest(context.Background(), "cert-name", parameters, nil)
+	require.NoError(t, err)
+	require.Equal(t, version20260301Preview, req.Raw().URL.Query().Get("api-version"))
+
+	body, err := io.ReadAll(req.Raw().Body)
+	require.NoError(t, err)
+	require.JSONEq(t, `{
+		"policy": {
+			"issuer": {"name": "Self"},
+			"platformManaged": {
+				"certificateUsage": "tls-server",
+				"metadata": {
+					"issuer": "internal-ca",
+					"rotationDays": 90
+				}
+			}
+		}
+	}`, string(body))
+}
+
+func TestUpdateCertificatePolicyRequestIncludesPlatformManaged(t *testing.T) {
+	client := &Client{vaultBaseUrl: "https://fakevault.vault.azure.net"}
+	policy := CertificatePolicy{
+		IssuerParameters: &IssuerParameters{Name: to.Ptr("Self")},
+		PlatformManaged: NewPlatformManaged("tls-client", map[string]any{
+			"issuer": "internal-ca",
+			"renewal": map[string]any{
+				"enabled": true,
+			},
+		}),
+	}
+
+	req, err := client.updateCertificatePolicyCreateRequest(context.Background(), "cert-name", policy, nil)
+	require.NoError(t, err)
+	require.Equal(t, version20260301Preview, req.Raw().URL.Query().Get("api-version"))
+
+	body, err := io.ReadAll(req.Raw().Body)
+	require.NoError(t, err)
+	require.JSONEq(t, `{
+		"issuer": {"name": "Self"},
+		"platformManaged": {
+			"certificateUsage": "tls-client",
+			"metadata": {
+				"issuer": "internal-ca",
+				"renewal": {
+					"enabled": true
+				}
+			}
+		}
+	}`, string(body))
+}