diff --git a/R/keys.R b/R/keys.R
index 379ce2d..d9a61b3 100644
--- a/R/keys.R
+++ b/R/keys.R
@@ -14,7 +14,7 @@
 #'        attributes=vault_object_attrs(), ...)
 #' get(name)
 #' delete(name, confirm=TRUE)
-#' list()
+#' list(include_managed=FALSE)
 #' backup(name)
 #' restore(backup)
 #' ```
@@ -29,6 +29,7 @@
 #' - `key`: For `import`, the key to import. This can be the name of a PEM file, a JSON web key (JWK) string, or a key object generated by the openssl package. See the examples below.
 #' - `hardware`: For `import`, whether to import this key as a hardware key (HSM). Only supported for a premium key vault.
 #' - `...`: For `create` and `import`, other named arguments which will be treated as tags.
+#' - `include_managed`: For `list`, whether to include keys that were created by Key Vault to support a managed certificate.
 #' - `backup`: For `restore`, a string representing the backup blob for a key.
 #'
 #' @section Value:
@@ -126,10 +127,12 @@ public=list(
             invisible(self$do_operation(name, http_verb="DELETE"))
     },
 
-    list=function()
+    list=function(include_managed=FALSE)
     {
-        sapply(get_vault_paged_list(self$do_operation(), self$token),
-            function(props) basename(props$kid))
+        objs <- get_vault_paged_list(self$do_operation(), self$token) 
+        lst <- lapply(objs, function(props)
+            if(!include_managed && isTRUE(props$managed)) NULL else basename(props$kid))
+        unlist(compact(lst))
     },
 
     backup=function(name)
diff --git a/R/secrets.R b/R/secrets.R
index 80109b1..539f7f9 100644
--- a/R/secrets.R
+++ b/R/secrets.R
@@ -10,7 +10,7 @@
 #' create(name, value, content_type=NULL, attributes=vault_object_attrs(), ...)
 #' get(name)
 #' delete(name, confirm=TRUE)
-#' list()
+#' list(include_managed=FALSE)
 #' backup(name)
 #' restore(backup)
 #' ```
@@ -20,6 +20,7 @@
 #' - `content_type`: For `create`, an optional content type of the secret, such as "application/octet-stream".
 #' - `attributes`: Optional attributes for the secret, such as the expiry date and activation date. A convenient way to provide this is via the [vault_object_attrs] helper function.
 #' - `...`: For `create`, other named arguments which will be treated as tags.
+#' - `include_managed`: For `list`, whether to include secrets that were created by Key Vault to support a managed certificate.
 #' - `backup`: For `restore`, a string representing the backup blob for a secret.
 #'
 #' @section Value:
@@ -92,10 +93,12 @@ public=list(
             invisible(self$do_operation(name, http_verb="DELETE"))
     },
 
-    list=function()
+    list=function(include_managed=FALSE)
     {
-        sapply(get_vault_paged_list(self$do_operation(), self$token),
-            function(props) basename(props$id))
+        objs <- get_vault_paged_list(self$do_operation(), self$token) 
+        lst <- lapply(objs, function(props)
+            if(!include_managed && isTRUE(props$managed)) NULL else basename(props$id))
+        unlist(compact(lst))
     },
 
     backup=function(name)
diff --git a/man/keys.Rd b/man/keys.Rd
index 2102b1b..a5f1370 100644
--- a/man/keys.Rd
+++ b/man/keys.Rd
@@ -16,7 +16,7 @@ import(name, key, hardware=FALSE,
        attributes=vault_object_attrs(), ...)
 get(name)
 delete(name, confirm=TRUE)
-list()
+list(include_managed=FALSE)
 backup(name)
 restore(backup)
 }
@@ -35,6 +35,7 @@ restore(backup)
 \item \code{key}: For \code{import}, the key to import. This can be the name of a PEM file, a JSON web key (JWK) string, or a key object generated by the openssl package. See the examples below.
 \item \code{hardware}: For \code{import}, whether to import this key as a hardware key (HSM). Only supported for a premium key vault.
 \item \code{...}: For \code{create} and \code{import}, other named arguments which will be treated as tags.
+\item \code{include_managed}: For \code{list}, whether to include keys that were created by Key Vault to support a managed certificate.
 \item \code{backup}: For \code{restore}, a string representing the backup blob for a key.
 }
 }
diff --git a/man/secrets.Rd b/man/secrets.Rd
index 5457d4b..89c0e73 100644
--- a/man/secrets.Rd
+++ b/man/secrets.Rd
@@ -12,7 +12,7 @@ This class represents the collection of secrets stored in a vault. It provides m
 This class provides the following methods:\preformatted{create(name, value, content_type=NULL, attributes=vault_object_attrs(), ...)
 get(name)
 delete(name, confirm=TRUE)
-list()
+list(include_managed=FALSE)
 backup(name)
 restore(backup)
 }
@@ -26,6 +26,7 @@ restore(backup)
 \item \code{content_type}: For \code{create}, an optional content type of the secret, such as "application/octet-stream".
 \item \code{attributes}: Optional attributes for the secret, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
 \item \code{...}: For \code{create}, other named arguments which will be treated as tags.
+\item \code{include_managed}: For \code{list}, whether to include secrets that were created by Key Vault to support a managed certificate.
 \item \code{backup}: For \code{restore}, a string representing the backup blob for a secret.
 }
 }