[Key Vault] Correctly return CertificateOperation when creating certificate with unknown issuer (#41879)

* Return CertificateOperation when issuer is unknown

* Update changelog

Author: mccoyp

sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md

@@ -8,6 +8,9 @@
 
 ### Bugs Fixed
 
+- When creating a certificate with an unknown issuer, `CertificateClient.(begin_)create_certificate` now returns a
+  `CertificateOperation` instead of `None`
+
 ### Other Changes
 
 ## 4.10.0 (2025-06-16)

sdk/keyvault/azure-keyvault-certificates/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/keyvault/azure-keyvault-certificates",
-  "Tag": "python/keyvault/azure-keyvault-certificates_d160d7cd76"
+  "Tag": "python/keyvault/azure-keyvault-certificates_d281d3c6c6"
 }

sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_polling.py

@@ -44,6 +44,8 @@ def run(self) -> None:
     def finished(self) -> bool:
         operation = self._pending_certificate_op
         if operation and operation.issuer_name and operation.issuer_name.lower() == "unknown":
+            # Because we've finished, self._resource won't be set by the run method; set it here so we don't return None
+            self._resource = self._pending_certificate_op
             return True
         return self._pending_certificate_op.status.lower() != "inprogress"  # type: ignore
 

sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/aio/_polling_async.py

@@ -45,6 +45,8 @@ async def run(self) -> None:
     def finished(self) -> bool:
         operation = self._pending_certificate_op
         if operation and operation.issuer_name and operation.issuer_name.lower() == "unknown":
+            # Because we've finished, self._resource won't be set by the run method; set it here so we don't return None
+            self._resource = self._pending_certificate_op
             return True
         return self._pending_certificate_op.status.lower() != "inprogress"  # type: ignore
 

sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client.py

@@ -16,6 +16,7 @@
     ApiVersion,
     CertificateClient,
     CertificateContact,
+    CertificateOperation,
     CertificatePolicyAction,
     CertificatePolicy,
     CertificateProperties,
@@ -758,6 +759,34 @@ def run(*_, **__):
             with pytest.raises(ResourceExistsError):
                 client.begin_create_certificate("...", CertificatePolicy.get_default())
 
+    @pytest.mark.parametrize("api_version", only_latest)
+    @CertificatesClientPreparer()
+    @recorded_by_proxy
+    def test_unknown_issuer_response(self, client, **kwargs):
+        """When a certificate is created with an unknown issuer, the poller result should be a CertificateOperation"""
+        cert_name = self.get_resource_name("unknownIssuer")
+
+        # create certificate with unknown issuer
+        cert_policy = CertificatePolicy(
+            issuer_name=WellKnownIssuerNames.unknown,
+            subject="CN=*.microsoft.com",
+            san_dns_names=["sdk.azure-int.net"],
+            exportable=True,
+            key_type="RSA",
+            key_size=2048,
+            reuse_key=False,
+            content_type=CertificateContentType.pkcs12,
+            validity_in_months=24,
+        )
+        create_certificate_poller = client.begin_create_certificate(
+            certificate_name=cert_name, policy=cert_policy
+        )
+        result = create_certificate_poller.result()
+        # The operation should indicate that certificate creation is in progress and requires a merge to complete
+        assert isinstance(result, CertificateOperation)
+        assert result.status and result.status.lower() == "inprogress"
+        assert result.status_details and "merge" in result.status_details.lower()
+
 
 def test_policy_expected_errors_for_create_cert():
     """Either a subject or subject alternative name property are required for creating a certificate"""

sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client_async.py

@@ -16,6 +16,7 @@
     AdministratorContact,
     ApiVersion,
     CertificateContact,
+    CertificateOperation,
     CertificatePolicyAction,
     CertificatePolicy,
     KeyType,
@@ -785,6 +786,32 @@ async def run(*_, **__):
                 await client.create_certificate("...", CertificatePolicy.get_default())
         await client.close()
 
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize("api_version", only_latest)
+    @AsyncCertificatesClientPreparer()
+    @recorded_by_proxy_async
+    async def test_unknown_issuer_response(self, client, **kwargs):
+        """When a certificate is created with an unknown issuer, the poller result should be a CertificateOperation"""
+        cert_name = self.get_resource_name("unknownIssuer")
+
+        # create certificate with unknown issuer
+        cert_policy = CertificatePolicy(
+            issuer_name=WellKnownIssuerNames.unknown,
+            subject="CN=*.microsoft.com",
+            san_dns_names=["sdk.azure-int.net"],
+            exportable=True,
+            key_type="RSA",
+            key_size=2048,
+            reuse_key=False,
+            content_type=CertificateContentType.pkcs12,
+            validity_in_months=24,
+        )
+        result = await client.create_certificate(certificate_name=cert_name, policy=cert_policy)
+        # The operation should indicate that certificate creation is in progress and requires a merge to complete
+        assert isinstance(result, CertificateOperation)
+        assert result.status and result.status.lower() == "inprogress"
+        assert result.status_details and "merge" in result.status_details.lower()
+
 
 @pytest.mark.asyncio
 async def test_policy_expected_errors_for_create_cert():