diff --git a/eng/versioning/version_client.txt b/eng/versioning/version_client.txt
index 5c69998dac68..0db93c5fc7c8 100644
--- a/eng/versioning/version_client.txt
+++ b/eng/versioning/version_client.txt
@@ -185,7 +185,7 @@ com.azure:azure-search-perf;1.0.0-beta.1;1.0.0-beta.1
com.azure:azure-security-attestation;1.1.39;1.2.0-beta.1
com.azure:azure-security-confidentialledger;1.0.35;1.1.0-beta.3
com.azure:azure-security-keyvault-administration;4.7.7;4.8.0
-com.azure:azure-security-keyvault-certificates;4.8.7;4.9.0
+com.azure:azure-security-keyvault-certificates;4.9.0;4.10.0-beta.1
com.azure:azure-security-keyvault-jca;2.11.0;2.12.0-beta.1
com.azure:azure-security-test-keyvault-jca;1.0.0;1.0.0
com.azure:azure-security-keyvault-keys;4.10.7;4.11.0
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/CHANGELOG.md b/sdk/keyvault/azure-security-keyvault-certificates/CHANGELOG.md
index 1e48b947d6d4..97e79d8aa56e 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/CHANGELOG.md
+++ b/sdk/keyvault/azure-security-keyvault-certificates/CHANGELOG.md
@@ -1,5 +1,12 @@
# Release History
+## 4.10.0-beta.1 (2026-05-29)
+
+### Features Added
+
+- Added an experimental `models.PlatformManaged` certificate policy property for Azure Key Vault internal usage.
+ Any calls using this property will fail and it is not recommended to be used at this point.
+
## 4.9.0 (2026-05-26)
### Features Added
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/customizations/src/main/java/CertificatesCustomizations.java b/sdk/keyvault/azure-security-keyvault-certificates/customizations/src/main/java/CertificatesCustomizations.java
index a71342b48b72..35d17c4ef6f3 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/customizations/src/main/java/CertificatesCustomizations.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/customizations/src/main/java/CertificatesCustomizations.java
@@ -104,7 +104,7 @@ private static void customizeServiceVersion(LibraryCustomization customization)
.setJavadocComment("The versions of Azure Key Vault Certificates supported by this client library.");
for (String version : Arrays.asList("7.0", "7.1", "7.2", "7.3", "7.4", "7.5", "7.6",
- "2025-07-01")) {
+ "2025-07-01", "2026-03-01-preview")) {
enumDeclaration.addEnumConstant("V" + version.replace('.', '_').replace('-', '_').toUpperCase())
.setJavadocComment("Service version {@code " + version + "}.")
.addArgument(new StringLiteralExpr(version));
@@ -121,6 +121,10 @@ private static void customizeServiceVersion(LibraryCustomization customization)
.addMarkerAnnotation("Override")
.setBody(StaticJavaParser.parseBlock("{ return this.version; }"));
+ // Intentionally pin getLatest() to V2025_07_01. V2026_03_01_PREVIEW exposes the PlatformManaged
+ // certificate policy property, which is reserved for internal (1P) Key Vault use. Defaulting 3P
+ // customers to the preview version would invalidate existing recordings without unlocking new
+ // functionality for them; bump this only when a stable version supersedes V2025_07_01.
enumDeclaration.addMethod("getLatest", Modifier.Keyword.PUBLIC, Modifier.Keyword.STATIC)
.setType("CertificateServiceVersion")
.setJavadocComment(new Javadoc(parseText("Gets the latest service version supported by this client library."))
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/pom.xml b/sdk/keyvault/azure-security-keyvault-certificates/pom.xml
index 93f14a991d3f..e9fab21bf3a4 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/pom.xml
+++ b/sdk/keyvault/azure-security-keyvault-certificates/pom.xml
@@ -12,7 +12,7 @@
com.azure
azure-security-keyvault-certificates
- 4.9.0
+ 4.10.0-beta.1
Microsoft Azure client library for KeyVault Certificates
This module contains client library for Microsoft Azure KeyVault Certificates.
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/CertificateServiceVersion.java b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/CertificateServiceVersion.java
index 7a0f4d699c97..7186a9d7debe 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/CertificateServiceVersion.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/CertificateServiceVersion.java
@@ -41,7 +41,11 @@ public enum CertificateServiceVersion implements ServiceVersion {
/**
* Service version {@code 2025-07-01}.
*/
- V2025_07_01("2025-07-01");
+ V2025_07_01("2025-07-01"),
+ /**
+ * Service version {@code 2026-03-01-preview}.
+ */
+ V2026_03_01_PREVIEW("2026-03-01-preview");
private final String version;
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/implementation/models/CertificatePolicy.java b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/implementation/models/CertificatePolicy.java
index 53a264bf40ed..33d119801517 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/implementation/models/CertificatePolicy.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/implementation/models/CertificatePolicy.java
@@ -10,6 +10,7 @@
import com.azure.json.JsonSerializable;
import com.azure.json.JsonToken;
import com.azure.json.JsonWriter;
+import com.azure.security.keyvault.certificates.models.PlatformManaged;
import java.io.IOException;
import java.util.List;
@@ -60,6 +61,12 @@ public final class CertificatePolicy implements JsonSerializable writer.writeJson(element));
jsonWriter.writeJsonField("issuer", this.issuerParameters);
jsonWriter.writeJsonField("attributes", this.attributes);
+ jsonWriter.writeJsonField("platformManaged", this.platformManaged);
return jsonWriter.writeEndObject();
}
@@ -259,6 +291,8 @@ public static CertificatePolicy fromJson(JsonReader jsonReader) throws IOExcepti
deserializedCertificatePolicy.issuerParameters = IssuerParameters.fromJson(reader);
} else if ("attributes".equals(fieldName)) {
deserializedCertificatePolicy.attributes = CertificateAttributes.fromJson(reader);
+ } else if ("platformManaged".equals(fieldName)) {
+ deserializedCertificatePolicy.platformManaged = PlatformManaged.fromJson(reader);
} else {
reader.skipChildren();
}
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/CertificatePolicy.java b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/CertificatePolicy.java
index 09f1abc13dde..c161da644187 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/CertificatePolicy.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/CertificatePolicy.java
@@ -426,6 +426,26 @@ public Boolean isCertificateTransparent() {
return impl.getIssuerParameters().isCertificateTransparency();
}
+ /**
+ * Get the platform managed certificate configuration.
+ *
+ * @return the platform managed certificate configuration.
+ */
+ public PlatformManaged getPlatformManaged() {
+ return impl.getPlatformManaged();
+ }
+
+ /**
+ * Set the platform managed certificate configuration.
+ *
+ * @param platformManaged the platform managed certificate configuration.
+ * @return the updated CertificatePolicy object itself.
+ */
+ public CertificatePolicy setPlatformManaged(PlatformManaged platformManaged) {
+ impl.setPlatformManaged(platformManaged);
+ return this;
+ }
+
/**
* Set the lifetime actions
* @param actions the lifetime actions to set.
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/PlatformManaged.java b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/PlatformManaged.java
new file mode 100644
index 000000000000..5e1b5246783b
--- /dev/null
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/models/PlatformManaged.java
@@ -0,0 +1,120 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.security.keyvault.certificates.models;
+
+import com.azure.core.annotation.Fluent;
+import com.azure.json.JsonReader;
+import com.azure.json.JsonSerializable;
+import com.azure.json.JsonToken;
+import com.azure.json.JsonWriter;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Properties of the platform managed certificate.
+ */
+@Fluent
+public final class PlatformManaged implements JsonSerializable {
+ /*
+ * The intended usage of the certificate.
+ */
+ private String certificateUsage;
+
+ /*
+ * JSON-formatted platform managed metadata.
+ */
+ private Map metadata;
+
+ /**
+ * Creates an instance of {@link PlatformManaged}.
+ *
+ * @param certificateUsage The intended usage of the certificate.
+ */
+ public PlatformManaged(String certificateUsage) {
+ this.certificateUsage = Objects.requireNonNull(certificateUsage, "'certificateUsage' cannot be null.");
+ }
+
+ private PlatformManaged() {
+ }
+
+ /**
+ * Get the certificate usage.
+ *
+ * @return the certificate usage.
+ */
+ public String getCertificateUsage() {
+ return this.certificateUsage;
+ }
+
+ /**
+ * Set the certificate usage.
+ *
+ * @param certificateUsage the certificate usage.
+ * @return the updated PlatformManaged object itself.
+ */
+ public PlatformManaged setCertificateUsage(String certificateUsage) {
+ this.certificateUsage = Objects.requireNonNull(certificateUsage, "'certificateUsage' cannot be null.");
+ return this;
+ }
+
+ /**
+ * Get the platform managed metadata.
+ *
+ * @return the platform managed metadata.
+ */
+ public Map getMetadata() {
+ return this.metadata;
+ }
+
+ /**
+ * Set the platform managed metadata.
+ *
+ * @param metadata the platform managed metadata.
+ * @return the updated PlatformManaged object itself.
+ */
+ public PlatformManaged setMetadata(Map metadata) {
+ this.metadata = metadata;
+ return this;
+ }
+
+ @Override
+ public JsonWriter toJson(JsonWriter jsonWriter) throws IOException {
+ jsonWriter.writeStartObject();
+ jsonWriter.writeStringField("certificateUsage", this.certificateUsage);
+ if (this.metadata != null) {
+ jsonWriter.writeUntypedField("metadata", this.metadata);
+ }
+ return jsonWriter.writeEndObject();
+ }
+
+ /**
+ * Reads an instance of PlatformManaged from the JsonReader.
+ *
+ * @param jsonReader The JsonReader being read.
+ * @return An instance of PlatformManaged if the JsonReader was pointing to an instance of it, or null if it was
+ * pointing to JSON null.
+ * @throws IOException If an error occurs while reading the PlatformManaged.
+ */
+ public static PlatformManaged fromJson(JsonReader jsonReader) throws IOException {
+ return jsonReader.readObject(reader -> {
+ PlatformManaged deserializedPlatformManaged = new PlatformManaged();
+ while (reader.nextToken() != JsonToken.END_OBJECT) {
+ String fieldName = reader.getFieldName();
+ reader.nextToken();
+
+ if ("certificateUsage".equals(fieldName)) {
+ deserializedPlatformManaged.certificateUsage = reader.getString();
+ } else if ("metadata".equals(fieldName)) {
+ deserializedPlatformManaged.metadata = reader.readMap(JsonReader::readUntyped);
+ } else {
+ reader.skipChildren();
+ }
+ }
+
+ return deserializedPlatformManaged;
+ });
+ }
+}
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateAsyncClientTest.java b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateAsyncClientTest.java
index b7bd7a4ac43d..c583df13f3a9 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateAsyncClientTest.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateAsyncClientTest.java
@@ -570,6 +570,24 @@ public void updateCertificatePolicy(HttpClient httpClient, CertificateServiceVer
});
}
+ @ParameterizedTest(name = DISPLAY_NAME_WITH_ARGUMENTS, allowZeroInvocations = true)
+ @MethodSource("getPlatformManagedTestParameters")
+ public void createCertificateWithPlatformManagedPolicy(HttpClient httpClient,
+ CertificateServiceVersion serviceVersion) {
+ createCertificateAsyncClient(httpClient, serviceVersion);
+
+ platformManagedCertificatePolicyRunner(certificateName -> {
+ CertificatePolicy policy = setupPlatformManagedPolicy();
+ PollerFlux certPoller
+ = setPlaybackPollerFluxPollInterval(
+ certificateAsyncClient.beginCreateCertificate(certificateName, policy));
+
+ StepVerifier.create(certPoller.last().flatMap(AsyncPollResponse::getFinalResult))
+ .assertNext(certificate -> assertPlatformManagedPolicy(policy, certificate.getPolicy()))
+ .verifyComplete();
+ });
+ }
+
@ParameterizedTest(name = DISPLAY_NAME_WITH_ARGUMENTS)
@MethodSource("getTestParameters")
public void restoreCertificateFromMalformedBackup(HttpClient httpClient, CertificateServiceVersion serviceVersion) {
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTest.java b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTest.java
index 0e6d5716fe92..efe0c19909d0 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTest.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTest.java
@@ -570,6 +570,24 @@ public void updateCertificatePolicy(HttpClient httpClient, CertificateServiceVer
});
}
+ @ParameterizedTest(name = DISPLAY_NAME_WITH_ARGUMENTS, allowZeroInvocations = true)
+ @MethodSource("getPlatformManagedTestParameters")
+ public void createCertificateWithPlatformManagedPolicy(HttpClient httpClient,
+ CertificateServiceVersion serviceVersion) {
+ createCertificateClient(httpClient, serviceVersion);
+
+ platformManagedCertificatePolicyRunner(certificateName -> {
+ CertificatePolicy policy = setupPlatformManagedPolicy();
+ SyncPoller certPoller
+ = setPlaybackSyncPollerPollInterval(certificateClient.beginCreateCertificate(certificateName, policy));
+
+ certPoller.waitForCompletion();
+
+ KeyVaultCertificateWithPolicy certificate = certPoller.getFinalResult();
+ assertPlatformManagedPolicy(policy, certificate.getPolicy());
+ });
+ }
+
@ParameterizedTest(name = DISPLAY_NAME_WITH_ARGUMENTS)
@MethodSource("getTestParameters")
public void restoreCertificateFromMalformedBackup(HttpClient httpClient, CertificateServiceVersion serviceVersion) {
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTestBase.java b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTestBase.java
index bafec5f3565b..643df3635499 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTestBase.java
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/CertificateClientTestBase.java
@@ -34,6 +34,7 @@
import com.azure.security.keyvault.certificates.models.ImportCertificateOptions;
import com.azure.security.keyvault.certificates.models.KeyVaultCertificate;
import com.azure.security.keyvault.certificates.models.LifetimeAction;
+import com.azure.security.keyvault.certificates.models.PlatformManaged;
import com.azure.security.keyvault.certificates.models.SubjectAlternativeNames;
import com.azure.security.keyvault.certificates.models.WellKnownIssuerNames;
import org.junit.jupiter.api.Test;
@@ -287,6 +288,10 @@ void updateCertificatePolicyRunner(Consumer testRunner) {
testRunner.accept(testResourceNamer.randomName(TEST_CERTIFICATE_NAME, 25));
}
+ void platformManagedCertificatePolicyRunner(Consumer testRunner) {
+ testRunner.accept(testResourceNamer.randomName("platformManagedCert", 25));
+ }
+
@Test
public abstract void restoreCertificateFromMalformedBackup(HttpClient httpClient,
CertificateServiceVersion serviceVersion);
@@ -568,6 +573,12 @@ static CertificatePolicy setupPolicy() {
.setLifetimeActions(new LifetimeAction(CertificatePolicyAction.AUTO_RENEW).setDaysBeforeExpiry(40));
}
+ static CertificatePolicy setupPlatformManagedPolicy() {
+ return CertificatePolicy.getDefault()
+ .setPlatformManaged(
+ new PlatformManaged("serverAuth").setMetadata(Collections.singletonMap("source", "java-sdk-test")));
+ }
+
static void assertPolicy(CertificatePolicy expected, CertificatePolicy actual) {
assertEquals(expected.getKeyType(), actual.getKeyType());
assertEquals(expected.getContentType(), actual.getContentType());
@@ -583,6 +594,14 @@ static void assertPolicy(CertificatePolicy expected, CertificatePolicy actual) {
assertEquals(expected.getKeyUsage().size(), actual.getKeyUsage().size());
}
+ static void assertPlatformManagedPolicy(CertificatePolicy expected, CertificatePolicy actual) {
+ assertNotNull(actual);
+ assertNotNull(actual.getPlatformManaged());
+ assertEquals(expected.getPlatformManaged().getCertificateUsage(),
+ actual.getPlatformManaged().getCertificateUsage());
+ assertEquals(expected.getPlatformManaged().getMetadata(), actual.getPlatformManaged().getMetadata());
+ }
+
static void assertCertificate(KeyVaultCertificate expected, KeyVaultCertificate actual) {
assertEquals(expected.getId(), actual.getId());
assertEquals(expected.getKeyId(), actual.getKeyId());
@@ -644,6 +663,17 @@ static Stream getTestParameters() {
return argumentsList.stream();
}
+ static Stream getPlatformManagedTestParameters() {
+ List argumentsList = new ArrayList<>();
+
+ if (shouldServiceVersionBeTested(CertificateServiceVersion.V2026_03_01_PREVIEW)) {
+ getHttpClients().forEach(httpClient -> argumentsList
+ .add(Arguments.of(httpClient, CertificateServiceVersion.V2026_03_01_PREVIEW)));
+ }
+
+ return argumentsList.stream();
+ }
+
/**
* Returns whether the given service version match the rules of test framework.
*
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/CertificatePolicyTest.java b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/CertificatePolicyTest.java
new file mode 100644
index 000000000000..8abeb9fc4877
--- /dev/null
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/CertificatePolicyTest.java
@@ -0,0 +1,84 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.security.keyvault.certificates.models;
+
+import com.azure.json.JsonProviders;
+import com.azure.json.JsonReader;
+import com.azure.json.JsonWriter;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Collections;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class CertificatePolicyTest {
+ @Test
+ void getAndSetPlatformManaged() {
+ CertificatePolicy policy = CertificatePolicy.getDefault();
+ PlatformManaged platformManaged = new PlatformManaged("serverAuth");
+
+ CertificatePolicy result = policy.setPlatformManaged(platformManaged);
+
+ assertSame(policy, result);
+ assertSame(platformManaged, policy.getPlatformManaged());
+ }
+
+ @Test
+ void platformManagedDefaultsToNull() {
+ assertNull(CertificatePolicy.getDefault().getPlatformManaged());
+ }
+
+ @Test
+ void jsonRoundTripPlatformManaged() throws IOException {
+ CertificatePolicy policy = CertificatePolicy.getDefault()
+ .setPlatformManaged(
+ new PlatformManaged("serverAuth").setMetadata(Collections.singletonMap("service", "contoso")));
+
+ CertificatePolicy deserialized = roundTrip(policy);
+
+ assertNotNull(deserialized);
+ assertNotNull(deserialized.getPlatformManaged());
+ assertEquals("serverAuth", deserialized.getPlatformManaged().getCertificateUsage());
+ assertEquals("contoso", deserialized.getPlatformManaged().getMetadata().get("service"));
+ }
+
+ @Test
+ void serializePlatformManagedUsesExpectedJsonFieldName() throws IOException {
+ CertificatePolicy policy = CertificatePolicy.getDefault().setPlatformManaged(new PlatformManaged("serverAuth"));
+
+ String json = toJsonString(policy);
+
+ assertTrue(json.contains("\"platformManaged\""));
+ assertTrue(json.contains("\"certificateUsage\""));
+ }
+
+ @Test
+ void nullPlatformManagedIsOmittedInSerialization() throws IOException {
+ String json = toJsonString(CertificatePolicy.getDefault());
+
+ assertFalse(json.contains("\"platformManaged\""));
+ }
+
+ private static CertificatePolicy roundTrip(CertificatePolicy original) throws IOException {
+ String json = toJsonString(original);
+ try (JsonReader reader = JsonProviders.createReader(json)) {
+ return CertificatePolicy.fromJson(reader);
+ }
+ }
+
+ private static String toJsonString(CertificatePolicy policy) throws IOException {
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ try (JsonWriter writer = JsonProviders.createWriter(outputStream)) {
+ policy.toJson(writer);
+ }
+ return outputStream.toString("UTF-8");
+ }
+}
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/PlatformManagedTest.java b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/PlatformManagedTest.java
new file mode 100644
index 000000000000..ebd98977b8fa
--- /dev/null
+++ b/sdk/keyvault/azure-security-keyvault-certificates/src/test/java/com/azure/security/keyvault/certificates/models/PlatformManagedTest.java
@@ -0,0 +1,131 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.security.keyvault.certificates.models;
+
+import com.azure.json.JsonProviders;
+import com.azure.json.JsonReader;
+import com.azure.json.JsonWriter;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class PlatformManagedTest {
+ @Test
+ void getAndSetProperties() {
+ PlatformManaged platformManaged = new PlatformManaged("serverAuth");
+ Map metadata = createMetadata();
+
+ PlatformManaged result = platformManaged.setCertificateUsage("clientAuth").setMetadata(metadata);
+
+ assertSame(platformManaged, result);
+ assertEquals("clientAuth", platformManaged.getCertificateUsage());
+ assertSame(metadata, platformManaged.getMetadata());
+ }
+
+ @Test
+ void constructorRequiresCertificateUsage() {
+ assertThrows(NullPointerException.class, () -> new PlatformManaged(null));
+ }
+
+ @Test
+ void setCertificateUsageRequiresNonNullValue() {
+ PlatformManaged platformManaged = new PlatformManaged("serverAuth");
+
+ assertThrows(NullPointerException.class, () -> platformManaged.setCertificateUsage(null));
+ }
+
+ @Test
+ void jsonRoundTripWithMetadata() throws IOException {
+ PlatformManaged original = new PlatformManaged("serverAuth").setMetadata(createMetadata());
+
+ PlatformManaged deserialized = roundTrip(original);
+
+ assertNotNull(deserialized);
+ assertEquals("serverAuth", deserialized.getCertificateUsage());
+ assertEquals("contoso", deserialized.getMetadata().get("service"));
+ assertEquals(3, ((Number) deserialized.getMetadata().get("revision")).intValue());
+ assertEquals(true, deserialized.getMetadata().get("enabled"));
+ assertEquals(Arrays.asList("alpha", "beta"), deserialized.getMetadata().get("labels"));
+ assertEquals("westus", ((Map) deserialized.getMetadata().get("details")).get("region"));
+ }
+
+ @Test
+ void jsonRoundTripWithoutMetadata() throws IOException {
+ PlatformManaged original = new PlatformManaged("serverAuth");
+
+ String json = toJsonString(original);
+ PlatformManaged deserialized;
+ try (JsonReader reader = JsonProviders.createReader(json)) {
+ deserialized = PlatformManaged.fromJson(reader);
+ }
+
+ assertNotNull(deserialized);
+ assertEquals("serverAuth", deserialized.getCertificateUsage());
+ assertFalse(json.contains("\"metadata\""));
+ }
+
+ @Test
+ void deserializeIgnoresUnknownFields() throws IOException {
+ String json = "{\"certificateUsage\":\"serverAuth\",\"unknownField\":\"ignored\"}";
+
+ PlatformManaged deserialized;
+ try (JsonReader reader = JsonProviders.createReader(json)) {
+ deserialized = PlatformManaged.fromJson(reader);
+ }
+
+ assertNotNull(deserialized);
+ assertEquals("serverAuth", deserialized.getCertificateUsage());
+ }
+
+ @Test
+ void serializeUsesExpectedJsonFieldNames() throws IOException {
+ PlatformManaged platformManaged = new PlatformManaged("serverAuth").setMetadata(createMetadata());
+
+ String json = toJsonString(platformManaged);
+
+ assertTrue(json.contains("\"certificateUsage\""));
+ assertTrue(json.contains("\"metadata\""));
+ assertTrue(json.contains("\"service\""));
+ }
+
+ private static PlatformManaged roundTrip(PlatformManaged original) throws IOException {
+ String json = toJsonString(original);
+ try (JsonReader reader = JsonProviders.createReader(json)) {
+ return PlatformManaged.fromJson(reader);
+ }
+ }
+
+ private static String toJsonString(PlatformManaged platformManaged) throws IOException {
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ try (JsonWriter writer = JsonProviders.createWriter(outputStream)) {
+ platformManaged.toJson(writer);
+ }
+ return outputStream.toString("UTF-8");
+ }
+
+ private static Map createMetadata() {
+ Map metadata = new LinkedHashMap<>();
+ metadata.put("service", "contoso");
+ metadata.put("revision", 3);
+ metadata.put("enabled", true);
+ metadata.put("labels", Arrays.asList("alpha", "beta"));
+
+ Map details = new LinkedHashMap<>();
+ details.put("region", "westus");
+ metadata.put("details", details);
+
+ return metadata;
+ }
+}
diff --git a/sdk/keyvault/azure-security-keyvault-certificates/tsp-location.yaml b/sdk/keyvault/azure-security-keyvault-certificates/tsp-location.yaml
index 94a2837d2b59..012b60c0808d 100644
--- a/sdk/keyvault/azure-security-keyvault-certificates/tsp-location.yaml
+++ b/sdk/keyvault/azure-security-keyvault-certificates/tsp-location.yaml
@@ -1,6 +1,6 @@
-directory: specification/keyvault/Security.KeyVault.Certificates
-commit: 35275d315efee7fa79b6661c29cb3f1c05e86b76
+directory: specification/keyvault/data-plane/Certificates
+commit: ea20c467080ed3d3875c8b5aeff28ce52f6a55ca
repo: Azure/azure-rest-api-specs
cleanup: true
-additionalDirectories:
-- specification/keyvault/Security.KeyVault.Common/
+additionalDirectories:
+- specification/keyvault/data-plane/Certificates/common