[KeyVault] Support certificate backup/restore

src/azure-cli/azure/cli/command_modules/keyvault/_params.py

@@ -291,12 +291,24 @@ class CLIJsonWebKeyOperation(str, Enum):
     with self.argument_context('keyvault certificate set-attributes') as c:
         c.attributes_argument('certificate', CertificateAttributes, ignore=['expires', 'not_before'])
 
+    with self.argument_context('keyvault certificate backup') as c:
+        c.argument('file_path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
+                   help='Local file path in which to store certificate backup.')
+
+    with self.argument_context('keyvault certificate restore') as c:
+        c.argument('file_path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
+                   help='Local certificate backup from which to restore certificate.')
+
     for item in ['create', 'set-attributes', 'import']:
         with self.argument_context('keyvault certificate ' + item) as c:
-            c.argument('certificate_policy', options_list=['--policy', '-p'], help='JSON encoded policy defintion. Use @{file} to load from a file(e.g. @my_policy.json).', type=get_json_object)
+            c.argument('certificate_policy', options_list=['--policy', '-p'],
+                       help='JSON encoded policy defintion. Use @{file} to load from a file(e.g. @my_policy.json).',
+                       type=get_json_object)
 
     with self.argument_context('keyvault certificate import') as c:
-        c.argument('certificate_data', options_list=['--file', '-f'], completer=FilesCompleter(), help='PKCS12 file or PEM file containing the certificate and private key.', type=certificate_type)
+        c.argument('certificate_data', options_list=['--file', '-f'], completer=FilesCompleter(),
+                   help='PKCS12 file or PEM file containing the certificate and private key.',
+                   type=certificate_type)
         c.argument('password', help="If the private key in certificate is encrypted, the password used for encryption.")
         c.extra('disabled', arg_type=get_three_state_flag(), help='Import the certificate in disabled state.')
 

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -170,6 +170,13 @@ def load_command_table(self, _):
         g.keyvault_custom('add', 'add_certificate_issuer_admin')
         g.keyvault_custom('delete', 'delete_certificate_issuer_admin')
 
+    if data_api_version != '2016_10_01':
+        with self.command_group('keyvault certificate', kv_data_sdk) as g:
+            g.keyvault_custom('backup', 'backup_certificate',
+                              doc_string_source=data_doc_string.format('backup_certificate'))
+            g.keyvault_custom('restore', 'restore_certificate',
+                              doc_string_source=data_doc_string.format('restore_certificate'))
+
     if data_api_version != '2016_10_01':
         with self.command_group('keyvault storage', kv_data_sdk) as g:
             g.keyvault_command('add', 'set_storage_account')

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -1020,6 +1020,19 @@ def download_certificate(client, file_path, vault_base_url=None, certificate_nam
         raise ex
 
 
+def backup_certificate(client, file_path, vault_base_url=None,
+                       certificate_name=None, identifier=None):  # pylint: disable=unused-argument
+    cert = client.backup_certificate(vault_base_url, certificate_name).value
+    with open(file_path, 'wb') as output:
+        output.write(cert)
+
+
+def restore_certificate(client, vault_base_url, file_path):
+    with open(file_path, 'rb') as file_in:
+        data = file_in.read()
+    return client.restore_certificate(vault_base_url, data)
+
+
 def add_certificate_contact(cmd, client, vault_base_url, contact_email, contact_name=None,
                             contact_phone=None):
     """ Add a contact to the specified vault to receive notifications of certificate operations. """