[KeyVault] Add URI and IP address Subject Alternative Names support (v4.11.0)

[rohitsinghal4u]

API Spec Changes

This SDK is regenerated based on the following API spec PR:

• Spec PR: KeyVault: Javascript and Python SDK fix to include URIs and IP addresses fields azure-rest-api-specs#41061 — Added uris and ipAddresses fields to SubjectAlternativeNames in KeyVault Certificates API version 2025-07-01 (stable GA)

This PR supersedes the auto-generated PR #45607, which had post-generation issues fixed manually (see below).

---

Description

Adds support for URI and IP address Subject Alternative Names (SANs) in the azure-keyvault-certificates package, corresponding to the new uris and ipAddresses fields added to the KeyVault Certificates REST API version 2025-07-01.

Changes Made

New fields in SubjectAlternativeNames (generated model):

• uris (list[str]) — Uniform Resource Identifiers as SANs
• ip_addresses (list[str]) — IPv4 and IPv6 addresses as SANs

New properties in CertificatePolicy (handwritten convenience layer):

• san_uris — get/set URI SANs on a certificate policy
• san_ip_addresses — get/set IP address SANs on a certificate policy

Client validation updated (CertificateClient sync and async):

• Policies with only san_uris or san_ip_addresses (no subject) are now accepted as valid

Tests updated:

• _validate_sans helper asserts new san_uris and san_ip_addresses fields

Post-Generation Fixes Applied to Auto-Generated PR #45607

The following issues flagged by Copilot code review on #45607 were corrected:

Issue	Fix
Generator named field uniform_resource_identifiers instead of uris	Renamed to uris (consistent with REST field name and existing SAN naming pattern)
CHANGELOG contained placeholder instruction text instead of release notes	Replaced with proper 4.11.0 (2026-03-11) release notes
tsp-location.yaml missing trailing slash on additionalDirectories path	Added trailing slash to match other Key Vault packages
_version.py bumped from 4.10.1 to 4.11.0	Correct — new feature warrants minor version bump per semver

Files Changed

File	Type	Change
_generated/models/_models.py	Generated	Added uris, ip_addresses to SubjectAlternativeNames
_models.py	Handwritten	Added san_uris, san_ip_addresses to CertificatePolicy
_client.py / aio/_client.py	Handwritten	Updated validation to accept new SAN fields
tests/test_certificates_client.py	Test	Updated _validate_sans assertions
tests/test_certificates_client_async.py	Test	Updated _validate_sans assertions
CHANGELOG.md	Release	Added 4.11.0 release notes
_version.py	Version	4.10.1 → 4.11.0
tsp-location.yaml	Config	Updated commit SHA to spec merge commit, fixed trailing slash
_metadata.json	Generated	New — API version metadata
apiview-properties.json	Generated	New — APIView tooling metadata

---

All SDK Contribution checklist:

• The pull request does not introduce [breaking changes]
• CHANGELOG is updated for new features, bug fixes or other significant changes.
• I have read the contribution guidelines.

General Guidelines and Best Practices

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message.

Testing Guidelines

• Pull request includes test coverage for the included changes.

[rohitsinghal4u]

cc @Azure/dpg-devs for awareness

[Copilot]

Pull request overview

Adds support in azure-keyvault-certificates for URI and IP address Subject Alternative Names (SANs) to align with the updated Key Vault Certificates REST API model, including convenience properties and client-side validation updates.

Changes:

• Regenerated the service model to add uris and ip_addresses to SubjectAlternativeNames.
• Added san_uris / san_ip_addresses convenience properties to CertificatePolicy and plumbed them through model conversion.
• Updated sync/async client validation, tests, versioning, and release notes for 4.11.0.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_generated/models/_models.py	Generated model updates including new SAN fields and related typing/docstring adjustments.
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_models.py	Adds CertificatePolicy.san_uris and CertificatePolicy.san_ip_addresses and maps them to/from generated models.
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_client.py	Updates policy validation to accept URI/IP SANs as satisfying “SAN or subject required”.
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/aio/_client.py	Async equivalent validation update.
sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client.py	Updates SAN validation helper to include URI/IP SANs.
sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client_async.py	Async test helper update for URI/IP SANs.
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_version.py	Bumps package version to 4.11.0.
sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_generated/_version.py	Updates generated client version string to 4.11.0.
sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md	Adds 4.11.0 release notes describing the new SAN support.
sdk/keyvault/azure-keyvault-certificates/tsp-location.yaml	Updates spec commit reference used for regeneration.
sdk/keyvault/azure-keyvault-certificates/_metadata.json	Adds API/spec metadata for the generated output.
sdk/keyvault/azure-keyvault-certificates/apiview-properties.json	Adds APIView metadata mappings for cross-language definitions.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

In this async test, the assertion for user principal names uses a comma instead of an equality comparison, so it never verifies that b.san_user_principal_names matches a.san_user_principal_names. This should compare the two sets (same pattern as the sync test).

Suggested change

	assert set(a.san_user_principal_names), set(b.san_user_principal_names)
	assert set(a.san_user_principal_names) == set(b.san_user_principal_names)

[Copilot]

This CHANGELOG update removes the top-level "(Unreleased)" section. Other Key Vault Python packages keep an Unreleased section at the top (e.g., azure-keyvault-secrets, azure-keyvault-keys) so new changes have a consistent place to go after release. Consider adding a new "4.11.1 (Unreleased)" section above 4.11.0.

[Copilot]

The _validate_sans helper now asserts san_uris/san_ip_addresses, but there don’t appear to be any tests in this package that actually create/read a CertificatePolicy with those fields set. Please add at least one test case that exercises the new SAN URI/IP paths (and the updated client-side validation) so these assertions meaningfully run.

Suggested change

	def test_validate_sans_with_uris_and_ip_addresses(self):
	# This test ensures that SAN URIs and IP addresses are exercised by _validate_sans.
	policy_a = CertificatePolicy(
	issuer_name=WellKnownIssuerNames.self_signed,
	subject="CN=example.com",
	san_uris=["urn:example:one", "https://example.com/service"],
	san_ip_addresses=["192.0.2.1", "2001:db8::1"],
	)
	policy_b = CertificatePolicy(
	issuer_name=WellKnownIssuerNames.self_signed,
	subject="CN=example.com",
	san_uris=["https://example.com/service", "urn:example:one"],
	san_ip_addresses=["2001:db8::1", "192.0.2.1"],
	)
	# _validate_sans should compare sets of SAN values, so ordering differences should not matter.
	self._validate_sans(policy_a, policy_b)

[github-actions]

API Change Check

APIView identified API level changes in this PR and created the following API reviews

azure-keyvault-certificates