Jun 3, 2024

Code Signing certificate setup in Azure Key vault

Introduction

The following article provides step-by-step instructions for generating and importing a Certificate into Microsoft Azure Key Vault. Note: If this is not the solution you are looking for, please search for your solution in the search bar above.

Creating Key Vault:
 

• Once logged into the Azure portal, if you do not have a Key Vault setup yet or would like to create a new one click on the “Create a resource”.

► Click on “Key Vault” icon under ‘Popular Azure services’, (Note: If it does not auto populate you can use the ‘Search services and marketplace’ box, type ‘key Vault’ and it will pop up). 
 

► Click ‘create’.

Now you will want to name your Key Vault. Once named choose your subscription preferences (Free Trial or Pay-As-You-Go), Resource group (new or existing), ‘Key Vault name’ Region, Pricing tier.
 

• Choose the settings in the Access configuration, Networking, and Tags tabs according to your use case.

 

•  Click ‘Review + Create’ button and click ‘create’ at the bottom.
   

In a few seconds the Key Vault will be successfully created.
 

Generating CSR and Importing a Certificate into Microsoft Azure Key Vault

 

• After you have created and selected your key vault, press the Certificates option on the right-side menu. Then, click Generate/Import button at the top, as shown below.​​​​​
   

 

• On the ‘Create a certificate’ window, fill out the Certificate details.
  
   

 Note:

 a. Certificate Name is friendly name that it will be referred to within the vault, it is not the common name of the actual certificate.

 b. Select Type of Certificate Authority: “Certificate issued by a non-integrated CA”.

 c. In the subject field enter the Common Name in the format: CN=Common Name.
 

 

• Set ‘Advanced Policy Configuration’ as shown below.
   

​​​
Note:-

a. As per the CAB Forum Guidelines for Code Signing Certificates, from June 2023, all Private Keys for Code Signing Certificates need to be stored in HSM’s which are FIPS 140 Level 2 or 3 compliant. Please make sure that RSA-HSM and EC-HSM option is enabled in your Key-Type and you should select RSA-HSM option as these keys are stored by Azure Key-vault in Managed HSM’s, which are FIPS 140 Level 2 or 3 compliant.

b. RSA and EC options are for Software protected keys and they are not compliant with the current guidelines of CAB forum. Please read more about the Keys here.
 

•   Click ‘OK’ and ‘Create’. Now click on the newly created certificate request.
   

 

• Click on ‘Certificate Operation’ and later ‘Download CSR’ to get a copy of your CSR.
   

 

• You will need to submit the CSR to the GlobalSign Certificate Center (GCC) to download the certificate:
   

 

• Now Download your Digital Certificate and Intermediate certificates:
   

 

• Go back to Azure Key Vault and click on ‘Merge Signed Request’ to import the download Digital Certificate.
   

 

Related Articles: -

Code Signing using Azure Key Vault :: Code Signing using Azure Key Vault :: GlobalSign Support