Code Signing certificate setup in Azure Key vault

May 21, 2024

Code Signing certificate setup in Azure Key vault

Introduction

The following article provides step-by-step instructions for generating and importing a Certificate into Microsoft Azure Key Vault. Note: If this is not the solution you are looking for, please search for your solution in the search bar above.

Creating Key Vault:
 

  • Once logged into the Azure portal, if you do not have a Key Vault setup yet or would like to create a new one click on the “Create a resource”.

► Click on “Key Vault” icon under ‘Popular Azure services’, (Note: If it does not auto populate you can use the ‘Search services and marketplace’ box, type ‘key Vault’ and it will pop up). 
 

14.png

Click ‘create’.

Now you will want to name your Key Vault. Once named choose your subscription preferences (Free Trial or Pay-As-You-Go), Resource group (new or existing), ‘Key Vault name’ Region, Pricing tier.
 

  • Choose the settings in the Access configuration, Networking, and Tags tabs according to your use case.


15.jpg
 

  •  Click ‘Review + Create’ button and click ‘create’ at the bottom.
     

16.jpg

In a few seconds the Key Vault will be successfully created.
 


Generating CSR and Importing a Certificate into Microsoft Azure Key Vault

 

  • After you have created and selected your key vault, press the Certificates option on the right-side menu. Then, click Generate/Import button at the top, as shown below.​​​​​
     

18.jpg

 

  • On the ‘Create a certificate’ window, fill out the Certificate details.

     

 Note:

 a. Certificate Name is friendly name that it will be referred to within the vault, it is not the common name of the actual certificate.

 b. Select Type of Certificate Authority: “Certificate issued by a non-integrated CA”.

 c. In the subject field enter the Common Name in the format: CN=Common Name.
 

 

  • Set ‘Advanced Policy Configuration’ as shown below.
     

​​​
Note:-

a. As per the CAB Forum Guidelines for Code Signing Certificates, from June 2023, all Private Keys for Code Signing Certificates need to be stored in HSM’s which are FIPS 140 Level 2 or 3 compliant. Please make sure that RSA-HSM and EC-HSM option is enabled in your Key-Type and you should select RSA-HSM option as these keys are stored by Azure Key-vault in Managed HSM’s, which are FIPS 140 Level 2 or 3 compliant.

b. RSA and EC options are for Software protected keys and they are not compliant with the current guidelines of CAB forum. Please read more about the Keys here.
 

  •   Click ‘OK’ and ‘Create’. Now click on the newly created certificate request.
     

 

  • Click on ‘Certificate Operation’ and later ‘Download CSR’ to get a copy of your CSR.
     


 

  • You will need to submit the CSR to the GlobalSign Certificate Center (GCC) to download the certificate:
     

 

  • Now Download your Digital Certificate and Intermediate certificates:
     

 

  • Go back to Azure Key Vault and click on ‘Merge Signed Request’ to import the download Digital Certificate.
     

 

Related Articles: -

Code Signing using Azure Key Vault :: Code Signing using Azure Key Vault :: GlobalSign Support

 

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support