Update tests to not require Azure CLI

Author: mccoyp

sdk/keyvault/.gitignore

@@ -2,4 +2,6 @@
 *.key
 *.pfx
 *security-domain.json
-*.pem
+*.pem
+!azure-keyvault-securitydomain/tests/resources/*.cer
+!azure-keyvault-securitydomain/tests/resources/*.pem

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate0.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUL64HRUwrpwVMKzJX1XdEyodb/3kwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA4MjgwNzUwNTFaFw0yMTA4
+MjgwNzUwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC8MyC1/rn0VCTvnvYOZylgELFeg+BuMWd6EofCcnwd
+//d2XZQcGIB8ZqYDP1HWGzzVlDHzOaWDT7i0CAXfx1Y6H77506z6FhvhoaL/L4xU
+TRtg2lztaLXScdjx/zSSjCcwJ4e9cltDZcjFERl+j3U+aeEY58EFMZjp/RQdPNYS
+HRzU7YISUrSlX4QZciZiFQSqDZd0cq181VmFyIGEgUx/4j3nynWVKE5+jC/N8RL+
+t0qxomnMSiebXj1OS1veB099LIv9cG1/14RQ1Yk5m4s/8dZPF0IvBtBh5He7wMUS
+5LifkGyZjcASWOXPZC3eO1ztfrvHZdxAlkjXHKetEYUDAgMBAAGjUzBRMB0GA1Ud
+DgQWBBSG1CSg9b3N8Vgxy9TC4g5Nl+PRsTAfBgNVHSMEGDAWgBSG1CSg9b3N8Vgx
+y9TC4g5Nl+PRsTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCh
+IfFOwwmyUzOqbghjJUcdMnGNQGCujd9BOdh8XBRrRF4WKv9YBrBNEn07UYh7WRTt
+Nn/5PFzdtJJ1GY08gGJ0iQd0n10YF9eP+eUag93k3P5RGxs5LsyxTlSWUyhqCCn9
+TLE4FIPGVvhBsKTs5GcsQi6D1gDwmmDxwLO/f2oDEnm+2sxYwSYdOjImfZXD1oje
+iOJ35Ue9K+9gH23ASndMx5ZmMqLn+W1eZfDGZAyjNGhZXyKGG3u0rF1YU90AmG9K
+xsSSrObS4IzBhdWNi9SU7ZHi+ip2211AKY9bMyLhcL8FiHY/R/Ag7WXU4IHY8sIf
+P+0eCLYIj959Y2T7MN+l
+-----END CERTIFICATE-----

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate0.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC8MyC1/rn0VCTv
+nvYOZylgELFeg+BuMWd6EofCcnwd//d2XZQcGIB8ZqYDP1HWGzzVlDHzOaWDT7i0
+CAXfx1Y6H77506z6FhvhoaL/L4xUTRtg2lztaLXScdjx/zSSjCcwJ4e9cltDZcjF
+ERl+j3U+aeEY58EFMZjp/RQdPNYSHRzU7YISUrSlX4QZciZiFQSqDZd0cq181VmF
+yIGEgUx/4j3nynWVKE5+jC/N8RL+t0qxomnMSiebXj1OS1veB099LIv9cG1/14RQ
+1Yk5m4s/8dZPF0IvBtBh5He7wMUS5LifkGyZjcASWOXPZC3eO1ztfrvHZdxAlkjX
+HKetEYUDAgMBAAECggEBAIOLeSG8ml2dMvQKOBJ5KQJsqI1XwFdFUP6SVTIks3yE
+nYOuhQfeWHCbjw5WA+2TvEHNA9zuPjI6Vu//a5uuySZ3ahVVT2K+cV6UjEmyAnQq
+MSjReIK43d3qlakQqL6GGB4gg1B3zjKdwmd8PEWqIFkvyJaP5uqqcCedLaICE980
+Jl5LrDtilz4PyrKKWv9OY6k49BEgo361x9IBG891H1yi+395IiZwO7DwjyxlHlub
+Lmt/Z0/iur1h16ZcIZJ1E5KtvYjPng2dldF2mDAZg3MW9jVJiiQ6S63yR9hYhJyS
+f1y5E/csjpj7fxLQ0IPd8URbjt67Y4g95lODwSxtW4ECgYEA7S8JEddpVBRkweh+
+BILCL8A5B6N++ixJGmtUAHqM52jZ6s7NM+lgk0kkO6wdToeJr/jjgsIgXq7oYQzG
+sm3hP7/Hl1VidmZ8F1AaAtZ1jSYMTOSgmOzrDdGvSlec/wqljMfqBEB7CVlaBsfb
+xYVhO2S7pZS3z3KWap1IY1/rZF0CgYEAyyFGpgT//CXRqtcmqqA7ejPL/jCDGVe9
+HvWQxZ5KsEeSm1UkDeaxRppJ/5gw4SoMMif+A9X6J+IyUpkJOPWzN3ymOoswWjAu
+yaTVC1AA9EjIPt0B+b7oywMHuKSbbhtuftNPlIS0nXnmgT2hbPh4MOaq1jUgT9jP
+l0+AR0BH+N8CgYEA3Eshe2a9t5AxfUC5OutP/RXmYkfiue3EADvLi55HnO9v530o
+bpzGTEZU1u+nULbmlYDvnxU7B3Yg83LwYe1YluNDODXf++R4QRbu8c/K4syCBDEd
+UKxMLUuiKcRyVxfGZ5mOq2BQZoCM81tRroWRp56KAuK8Tns5ZdCr2VDPyykCgYEA
+vQ7yl3DN5Jw6ghyP030g/oMZGTODwWGlFxyNqzDB6UIkVMiwrvOJCeJufyLiU590
+DHameGF+3AIuvivLpqUgMcOlX5XO4hI4adstosLKsJLRNZkzzoP+XX0rgZJLS/bi
+J857IgtFo9AiVyXKigbUrwbx+D8oHMj5paYMCcTtd9cCgYEAheyWHEr0dawGSa+J
+f1FnDBF+POBvxWTTZF/PVY3xlvedRl1Z7Q8ochX/H0X07sMbrWEf38h2WPY/Eq4P
+VmuxONhGvXTxAg8iPqDb4Kv3m8UTDVV5wuJELQ5t5axhIaHjAMqlEOrNnM78PcSh
+5LbSznYcYXpicjzzDUhIrFSCPwA=
+-----END PRIVATE KEY-----

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate1.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUUVhLOoCiGJOnb6jGT1yOPYdzHcEwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA4MjgwNzUxMzlaFw0yMTA4
+MjgwNzUxMzlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC5KAwMbiaEjW9vmo3TnDvR6gNc2NRoLmQSzdwawsbJ
+QVo2GYjx/KJQL3Utk6UlEuPaM/3itrF3bhMmD9esIrE4gUjZWOtfh5ZwVObmj7sH
+sqFrJss+ikMr4maIsjjD4fwzF+O90ZRUjvijun5YmW8SRJaaYMeGNHpVKWfJjvG9
+zfgo2BV+yadUc5hbbcVH0Y4x4MTQplTlKm5h4fqHFxvcJGIx3vf3byPW9NJTrLEH
+wSq3oYH6ToelREHbDI9gz7Ntn2NvRFW06Kl19KBXTTqivE069Q+ugiZmgL+Lt0y9
+MU5F8vUOEhlB3/n1hqEk2DzL2Qzyq7MkeszkIeU3MdZVAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQlCko1w7dZ6u3HgBpu+aRKHyDOcjAfBgNVHSMEGDAWgBQlCko1w7dZ6u3H
+gBpu+aRKHyDOcjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9
+zvN23q+TT4p6qF59jT3Hn2IRkIlj+WHSkdeB4zS0X0Bs2PP047AloePuVADHrYxW
+Rq4lDMaRrM6L9+h7mtGd4UqwRhBbgFnodeC7LqxSN0nv4uaWTl2HkUlFSe6naJnp
+QyqyZ68JndIzqdy9tvFYlqOpNUGFL4NVL1rxkyYqr1xwQS1YuQ70qmQICzSOgKRT
+N/8uQyUYUPPiSmaXuqF6tAKgAaJ6jmi/sKNg2kDjUZvYrLBDhLoUHmnRC47uxSOw
+JjaUXjbfgAvou5LyG9Ie26fos6hH5XSaD3VpdmTq2hNofVJahtJ02lvvcJgENROv
+AAkPC/IzaLj19DnZGl3g
+-----END CERTIFICATE-----

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate1.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5KAwMbiaEjW9v
+mo3TnDvR6gNc2NRoLmQSzdwawsbJQVo2GYjx/KJQL3Utk6UlEuPaM/3itrF3bhMm
+D9esIrE4gUjZWOtfh5ZwVObmj7sHsqFrJss+ikMr4maIsjjD4fwzF+O90ZRUjvij
+un5YmW8SRJaaYMeGNHpVKWfJjvG9zfgo2BV+yadUc5hbbcVH0Y4x4MTQplTlKm5h
+4fqHFxvcJGIx3vf3byPW9NJTrLEHwSq3oYH6ToelREHbDI9gz7Ntn2NvRFW06Kl1
+9KBXTTqivE069Q+ugiZmgL+Lt0y9MU5F8vUOEhlB3/n1hqEk2DzL2Qzyq7Mkeszk
+IeU3MdZVAgMBAAECggEAZ+ikkllCvoLNNfmrfEUigRRuHK4Gzgyy1qa2zkHe41UM
+tm2wH/WidZOclB5WwK6QNoWVBqV2hMq+bk7Xv1+cy1QquOcg+HSUJahQCLZCxPgn
+hIW56/gV6EvfNPmnx65MJbRTd9RlBOtTeDcR7tD0t3DMgAiuEI/k02QwPbo9ykEX
+hYL2RrW/VU2tepJ9o4hc37T964Pgo+oqNl3zzVPDC8UL0pImhavHLMkgosiQD3RR
+UXRImYQTpg0ZmjR4TnUNWRCLevMMgxgu/dTeYvP1xf3uDAkfVPw1dU4/zIr64cvZ
+17i2Dbdu0h8jiao1TzMQRzBgCgEZYE8DZvmp8XXOIQKBgQDenQgHMe6G2p0vfmO/
+OQ3iqThHY0ZzdtjBESFvtwG0oGaG82DZAyz0e8+pXhON3Xx3orOemISzdGtY9Stw
+f+de99cEHgxGq0AHMPr0cIZUGnCcMq1VCh8jJk85gqZBjOkh9HMCP30F/5dIRa4o
+UCyuKI6wQoG7oHofqUtBDomkyQKBgQDU7Oa6SEoq1TGmN+wrK72pCp5UiaucE/kj
+fnQdZhz1snH7oIKxfNljjIHCbMnOZKS1C9Pj8LJQr3CGkKByde3g+IP0L1McaGg2
+we5YYj1iSlJNwUu/6t1uR1gKzuuO+SLDUoFVzZcuNoq5RKtwElSfzsEUIuLFtBjR
+U7jEcptnLQKBgQCbdMGUdLQDjErUTcjOUsN1k4Jvp84c99OqD5Jv9zbDsnemqfLp
+2SPdn1CHD+FL4m33BbG1gQC6aQRF3P/20fr7AMwwXeNovlI6M2Qsqx/DP6uACIuu
+pSDVZP1SRgBgKkzrn09pNHjUZYZ5u99A26w3+q6aO/do1UozLgAVcFeCsQKBgQCj
+o5nDKpGNj6GDrFDd8NTnGFkMgW2ZGySK6cFVYsf47/Z3uykWPOxZfH+xK6iA7YpD
+9d4XvUFdjyd806Prs8Ro9LV8se4+0+LbynliBcZFRvcv+NE9osQg38XDMLmKfOAB
+muP5THLWumYs8qCLFhthYiWzUwhThxDXt2810xqp1QKBgGcqCaMdIQwZTvc+bAXA
+lJ9m/REjYdYqnb3wlCN/YpUWXiaOPOoIqsGgkx3aiwcJzTY6Gyq9G81NMs+qNB8q
+QWml4Tp9S26GQ4vv06x6MEJpQJQuIl9/k6Zz+Fu4lIXTcqMIVPLyDupjxJziipxE
+H49fDakx4elXpxc0T9icBNJo
+-----END PRIVATE KEY-----

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate2.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUSe4eg3V7VCvSFWhi8a0Gie3DcRowDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA4MjgwNzUxNDdaFw0yMTA4
+MjgwNzUxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDJAdv6EoFTJdfENOgN5PDzHhKM/Ugf3Pkg6YVRjrY0
+pFRssA+cxwVC8FzRoGqIqaif8+oD7W7QCb1iF9kBKoohI2a4Fimv59+YkuZPZgJf
+A2SYwP6B8KgrpcERcnlADtgZOcopo9uGN9TxBDJOnUx5wCBsktERxh6/1LrAW9ft
+xa/c6OsOraBgoeOb3CxyQ3DjSwbAMM0xkc17RNoTPNnz+0LoeK6ON+pDXprOrb+Z
+/WkcHYE11/OrROxGEPGdm/dXsieIEaT31U0fwGg/fuuaEpF9nCF6fy4tqcoAOPHE
+TJ8tXXuS5thGa4AfvA7hpMl+jTAhbn3jtJkkuXE5a4lJAgMBAAGjUzBRMB0GA1Ud
+DgQWBBSCf/tSyM12qLYIXBqX8nUZQMro+DAfBgNVHSMEGDAWgBSCf/tSyM12qLYI
+XBqX8nUZQMro+DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDE
+aWDU8kD3o6EJPJCTpBYff3Ir/aNkY4SZs6pXRKSyb8OWRGG7M1l6RBf6+puOJ+6N
+C4VY6qjTk5wmQFxynAha6qsWgbVaHE9RMBdmfwoL9hi9neVbHd2IaIIplXOclahT
+/C4SY1afbU5BhVnut4xQa7Mty7vMdjdxIgIgO121ER2bEPld8Al+epbk91vLBT87
+IpTtj+yURE+eT/ZcFnE1eAJQvF2kdstz4b6/Bi5giwoUynQZELXsQnoHwd6nPoI/
+oEw9A22+pAenIE+AlzJAVaZFuZxTDj/lCvjx00fL8HbN78KjtY0qfiIbf7PXrpS8
+yYsq00OgM+quZ77UgoUR
+-----END CERTIFICATE-----

sdk/keyvault/azure-keyvault-securitydomain/tests/resources/certificate2.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJAdv6EoFTJdfE
+NOgN5PDzHhKM/Ugf3Pkg6YVRjrY0pFRssA+cxwVC8FzRoGqIqaif8+oD7W7QCb1i
+F9kBKoohI2a4Fimv59+YkuZPZgJfA2SYwP6B8KgrpcERcnlADtgZOcopo9uGN9Tx
+BDJOnUx5wCBsktERxh6/1LrAW9ftxa/c6OsOraBgoeOb3CxyQ3DjSwbAMM0xkc17
+RNoTPNnz+0LoeK6ON+pDXprOrb+Z/WkcHYE11/OrROxGEPGdm/dXsieIEaT31U0f
+wGg/fuuaEpF9nCF6fy4tqcoAOPHETJ8tXXuS5thGa4AfvA7hpMl+jTAhbn3jtJkk
+uXE5a4lJAgMBAAECggEATGwli6V/f/JyX4nR9H5n0bdMTEh8JIkqOwYuBv0gb1FP
+O+eQeAX/DR0/3P+FoaIHl5DwF0AtknExjNsOSXA4BjNkeXcLsHKTQ3oOkH9zRVaP
+57fwy8yI09d4WT7RtLYwGR8sqro+23/cuSnkSplpmxyd90m2rXBK/ppNypbguOh0
+hJQrE8+ra3TBltQkjaa/RrFiFAAz7tYlDzMUkdfjjcLtx17czPB8F/y1Yfw/xWT4
+8W3bYQC2q0CnrdVeA6zruGbUTSEUlpDKV0EzL2TMafyUt5wm2zZfsggjWGz3TQ7y
+ocMPjZL1spktUWBnebHBBAEZkqwqOKhxozxSypWfAQKBgQDx3gHXlJKd9RCvtyEx
+M4PfGiwtmgfiZHMdF8ecX36r6MzGN2Hb7ENqxt2856p9qenWrcjpzBD98CAYePPz
+u4s7oTNKpf5D+IAqMJgBEi/LFCUl9pbhdJwXZzruw5SuXlEquZQzxJCDYUIB90BV
+B3sYOiZImBtmv14q2NNxUlC94QKBgQDUwKUO5RpJs18DYiYyt5bdO/KMcuoxxj7m
+QJOMabFSp2edqIYz4Q5D3wDY+/clmv/Kdju4RW/MNrUOVoyu4o8m8MEfpQsm+Q0b
+CxEokhvKDvardhRw0j89CCCde9MAxUBjF48IiBE8Rc04zV11wR9cE6ZvAL5FYJQC
+xVv/W/KoaQKBgQDFC6lUiKYqKc0+WmOgQefdiuUTAboKputheE4XB3WbeD3b/qKr
+GQCTrRBZJiOv3Q206EAWuTneqBJ93YxhtRjpq5qt5i4QEhPYS16LANYPDIp3Mz4Y
+z3ebWW6Ztp0asZxOwoIK6skRP9sW3uh6XW3bfwRRgBpSyvVc0ujwGa/OAQKBgQDO
+hds0ZE1qccavwB0YaoL2a3T9xad1fd4dIV6ZlRffBkZdEvSDc9qnI9jsyVqWlKnt
+XWyHalAmSozjSDz0n1UbFeZC07HJuUVxlQKpAXwcXv4wX0VkZ5OfqT4P4d1oCBKC
+nqHoRD2G5rNainBJGJlahnCvnGcXbbMAJZkyf41E0QKBgQCTswh3SyW79OInegDq
+FNolH/nfQxC8T6SSHKHaHkywVufPLOL95kv0WM9VGDCZ0RqNX7IAaUk7+M1/reUc
+Qc4Uwrg7n2fOe4FLlzGc30DpGvKNQ5VkZOhvWZ3PRxmuiWr5ruJ8ejxnu7+va7qk
+ASlG077d/GyDPQ4YtFcRAzslIw==
+-----END PRIVATE KEY-----

sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain.py

@@ -11,7 +11,7 @@
 
 from _shared.test_case import KeyVaultTestCase
 from _test_case import ClientPreparer
-from utils import get_certificate_info, write_security_domain, write_transfer_key
+from utils import get_certificate_info, use_wrapping_keys, write_security_domain, write_transfer_key
 
 
 class TestSecurityDomain(KeyVaultTestCase):
@@ -20,9 +20,13 @@ class TestSecurityDomain(KeyVaultTestCase):
     def test_security_domain_download_and_upload(
         self, client: SecurityDomainClient, upload_client: SecurityDomainClient, **kwargs
     ):
-        # Before running this test, create security domain certificates
-        # 1. Create private keys: `openssl genrsa -pubout -out <>-certificate[0-2].key 2048`
-        # 2. Create certificates: `openssl req -new -x509 -days 365 -key <>-certificate[0-2].key -out <>-certificate[0-2].cer`
+        """Test downloading a security domain and uploading it to another Managed HSM.
+
+        This test requires two Managed HSMs to be set up, one for downloading and one for uploading. The URL of the
+        first Managed HSM is specified in the environment variable AZURE_MANAGEDHSM_URL, and the second is specified
+        in SECONDARY_MANAGEDHSM_URL.
+        """
+        # Load the certificate{x}.cer files from /resources and use them to download the security domain.
         certs_object = get_certificate_info()
         poller = client.begin_download(certificate_info=certs_object, skip_activation_polling=True)
         result = poller.result()
@@ -31,14 +35,16 @@ def test_security_domain_download_and_upload(
         assert status.status.lower() == "inprogress"
         assert result.value
 
+        # Get the transfer key of the secondary HSM, and write it and the security domain to files.
         jwk = str(upload_client.get_transfer_key().transfer_key)
         transfer_key = json.loads(jwk)
         write_transfer_key(transfer_key)
         write_security_domain(result.value)
+        # Wrap the security domain using the certificate{x}.pem keys.
+        wrapped_security_domain = use_wrapping_keys()
 
-        # At this point, use the Azure CLI to encrypt the security domain to prepare for upload
-        # `az keyvault security-domain restore-blob --sd-exchange-key <>-transfer-key.pem --sd-file <>-security-domain.json --sd-wrapping-keys <>-certificate0.key <>-certificate1.key <>-certificate2.key --sd-file-restore-blob <>-restore-blob.json`
-        poller = upload_client.begin_upload(security_domain=result)
+        # Upload the wrapped security domain to the secondary HSM.
+        poller = upload_client.begin_upload(security_domain=wrapped_security_domain)
         result = poller.result()
         assert result is None
         status = upload_client.get_upload_status()

sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain_async.py

@@ -11,7 +11,7 @@
 
 from _shared.async_test_case import KeyVaultTestCase
 from _async_test_case import ClientPreparer
-from utils import get_certificate_info, write_security_domain, write_transfer_key
+from utils import get_certificate_info, use_wrapping_keys, write_security_domain, write_transfer_key
 
 
 class TestSecurityDomain(KeyVaultTestCase):
@@ -21,9 +21,13 @@ class TestSecurityDomain(KeyVaultTestCase):
     async def test_security_domain_download_and_upload(
         self, client: SecurityDomainClient, upload_client: SecurityDomainClient, **kwargs
     ):
-        # Before running this test, create security domain certificates
-        # 1. Create private keys: `openssl genrsa -pubout -out <>-certificate[0-2].key 2048`
-        # 2. Create certificates: `openssl req -new -x509 -days 365 -key <>-certificate[0-2].key -out <>-certificate[0-2].cer`
+        """Test downloading a security domain and uploading it to another Managed HSM.
+
+        This test requires two Managed HSMs to be set up, one for downloading and one for uploading. The URL of the
+        first Managed HSM is specified in the environment variable AZURE_MANAGEDHSM_URL, and the second is specified
+        in SECONDARY_MANAGEDHSM_URL.
+        """
+        # Load the certificate{x}.cer files from /resources and use them to download the security domain.
         certs_object = get_certificate_info()
         poller = await client.begin_download(certificate_info=certs_object, skip_activation_polling=True)
         result = await poller.result()
@@ -32,15 +36,17 @@ async def test_security_domain_download_and_upload(
         assert status.status.lower() == "inprogress"
         assert result.value
 
+        # Get the transfer key of the secondary HSM, and write it and the security domain to files.
         key = await upload_client.get_transfer_key()
         jwk = str(key.transfer_key)
         transfer_key = json.loads(jwk)
         write_transfer_key(transfer_key)
         write_security_domain(result.value)
+        # Wrap the security domain using the certificate{x}.pem keys.
+        wrapped_security_domain = use_wrapping_keys()
 
-        # At this point, use the Azure CLI to encrypt the security domain to prepare for upload
-        # `az keyvault security-domain restore-blob --sd-exchange-key <>-transfer-key.pem --sd-file <>-security-domain.json --sd-wrapping-keys <>-certificate0.key <>-certificate1.key <>-certificate2.key --sd-file-restore-blob <>-restore-blob.json`
-        poller = await upload_client.begin_upload(security_domain=result)
+        # Upload the wrapped security domain to the secondary HSM.
+        poller = await upload_client.begin_upload(security_domain=wrapped_security_domain)
         result = await poller.result()
         assert result is None
         status = await upload_client.get_upload_status()