How to Create CSR and Import Code Signing Certificate in Azure KeyVault HSM?

Code Signing with Azure Key Vault

Protecting your data in today’s hostile cyberspace requires encrypted connections, properly generated certificates, and private keys that are kept out of reach of attackers. Microsoft Azure Key Vault is an effective and trustworthy solution to these requirements.

Azure Key Vault protects your keys using HSMs validated to FIPS 140-2 Level 2 and Level 3. This means the private key material is generated and held inside the hardware module and is never handed to software, which is what gives the rest of this procedure its security value.

This tutorial will use Microsoft Azure KeyVault for secure key management.

We will guide you through generating private keys, creating Certificate Signing Requests (CSRs), and importing the issued certificates into Microsoft Azure Key Vault. We will also look at how Key Vault’s cloud Hardware Security Modules (HSMs) help guarantee the integrity and confidentiality of your signing keys.

To protect your data and strengthen your security posture in the constantly changing cyber landscape, let’s explore secure key management on Microsoft Azure KeyVault.

Important Note: Code signing certificates such as DigiCert Code Signing and DigiCert EV Code Signing are supported on both the Azure Key Vault Standard and Premium tiers. For Cloud HSM-backed keys, however, a Premium tier vault is a must.

Steps to Create a Certificate Signing Request (CSR) in Microsoft Azure Cloud HSM

Use Microsoft Azure Key Vault to create a Certificate Signing Request (CSR) by carrying out the following steps:

1. Go into your Azure Portal and select the “Create a resource” option to set up the Azure Key Vault.

2. To start your vault, search for “Key Vault” and click “Create”.

Create Key Vault

3. Create your Key Vault by choosing the settings that best suit your application.

Note: Choose the “Premium” pricing tier so that the key is generated in an HSM and the certificate complies with the FIPS 140-2 standard. If you do not select “Premium,” there is a chance your certificate may be canceled, because the CA requires code signing private keys to be protected in compliant hardware.

Review Key Vault

4. After creating your vault, select “Certificates” from the action bar on the left. To start creating your Code Signing CSR, select “Generate/Import”.

Generate Import CSR

5. Enter the certificate name and the subject name. The subject name must contain your company’s legal name, and it must be written in X.500 form using the CN= attribute (for example, CN=Your Company Name).

6. Open Advanced Policy Configuration and change the Type of Certificate Authority to non-integrated CA, since the CSR will be signed by an external CA rather than by a CA integrated with Key Vault.

Advanced Policy Configuration

Add 1.3.6.1.5.5.7.3.3 to the Extended Key Usages (EKUs) field.

This EKU identifies the certificate as a Code Signing certificate.

Additionally, select RSA-HSM as the “Key Type” and set “Exportable Private Key” to No. With these settings the private key is generated inside the HSM and can never be exported from the vault, so only signing operations, not the key itself, are ever exposed.

Note: Every DigiCert Code Signing certificate must be issued with a minimum key size of 4096 bits.

7. Click “Okay” and “Create” after completing the policy configuration.

8. The certificate will appear as an “In progress” certificate under the Certificates tab.

In Progress Certificate

9. Click the certificate that is listed as In progress, select “Certificate Operation,” and then click “Download CSR.”

Download CSR Azure

10. Save the CSR file in a secure location of your preference.

11. Navigate to the order enrollment page and go to the “Input CSR” section.

Order Enrollment Form: Enter CSR

12. Paste your CSR into the specified box, fill in the other required fields, and submit the order.

13. When the validation process is completed, you will receive an email from the CA regarding the Private Key Protection Agreement.

Private Key Protection Agreement

Finally, complete the validation, review the information about your organization, and agree to the Private Key Protection Agreement.

14. Contact our tech support team to obtain the .PEM file (the issued certificate) after the order is complete.

15. Return to your Azure certificate operation and select Merge Signed Request.

Merge Signed Request

16. Upload the .PEM file there. Key Vault merges the CA-signed certificate with the private key it holds in the HSM, and the status changes to Completed.

Insert .PEM File

Your Code Signing certificate will now be available in Azure Key Vault and can be used with Azure SignTool or an Azure Pipeline, which perform the signature operation inside the vault without ever downloading the private key.
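The portal steps above can also be scripted. The following is an added example, not code from the original article or from Microsoft, showing the Azure CLI equivalent of steps 4 to 16: a certificate policy that mirrors the portal settings (non-integrated CA, RSA-HSM, 4096-bit, non-exportable key, Code Signing EKU 1.3.6.1.5.5.7.3.3), the creation of the pending operation, an openssl sanity check of the downloaded CSR before it is submitted to the CA, and the final merge. It assumes the Azure CLI is installed and logged in, that the Premium-tier vault already exists, and that openssl is on the PATH; the vault and certificate names are placeholders, and the wrapping of the pending operation’s `csr` field into PEM assumes the CLI returns it as plain base64 DER.

```shell
#!/bin/sh
# Added example (not part of the original article). Placeholders:
#   VAULT  - name of an existing Premium-tier Key Vault
#   CERT   - name for the certificate object inside the vault

# Build the certificate policy JSON that mirrors the portal settings:
# non-integrated CA (issuer "Unknown"), RSA-HSM key of 4096 bits,
# non-exportable, and the Code Signing EKU 1.3.6.1.5.5.7.3.3.
make_policy() {
  subject="$1"   # e.g. "CN=Example Corp" (constructed sample value)
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": {
    "exportable": false,
    "keyType": "RSA-HSM",
    "keySize": 4096,
    "reuseKey": false
  },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "$subject",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "validityInMonths": 12
  }
}
EOF
}

# Start the certificate operation: the HSM generates the key pair and the
# operation stays "In progress" until the CA-signed certificate is merged.
request_csr() {
  vault="$1"; cert="$2"; subject="$3"
  make_policy "$subject" > policy.json
  az keyvault certificate create --vault-name "$vault" --name "$cert" \
     --policy @policy.json
  # Assumption: the pending operation's csr field is base64 DER without PEM
  # headers, so wrap it so the CA's order form accepts it.
  {
    echo "-----BEGIN CERTIFICATE REQUEST-----"
    az keyvault certificate pending show --vault-name "$vault" --name "$cert" \
       --query csr -o tsv | fold -w 64
    echo "-----END CERTIFICATE REQUEST-----"
  } > "$cert.csr"
}

# Sanity-check a CSR before submitting it to the CA: the self-signature must
# verify (proving it matches the HSM-held key), the key must be 4096 bits,
# and the subject is printed so the CN can be eyeballed.
check_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -text | grep -q "Public-Key: (4096 bit)" || return 1
  openssl req -in "$csr" -noout -subject
}

# Merge the CA-issued certificate (PEM) into the pending operation; the
# private key never leaves the HSM during this step.
merge_signed() {
  vault="$1"; cert="$2"; pem="$3"
  az keyvault certificate pending merge --vault-name "$vault" --name "$cert" \
     --file "$pem"
}

# Usage (each call is a separate step of the procedure):
#   request_csr  my-premium-vault codesign "CN=Example Corp"
#   check_csr    codesign.csr
#   merge_signed my-premium-vault codesign issued.pem
```

The policy file is the part worth keeping under version control: it is the auditable record that the key was created non-exportable in the HSM, which is exactly what the CA’s Private Key Protection Agreement asks you to attest to.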

Merge Signed Request Successful

With increased security and confidence, your private key is now securely maintained in the Microsoft Azure KeyVault Cloud HSM.

The above procedure applies equally to large organizations and to individual developers. After reading this article, you can use Microsoft Azure Key Vault to manage your code signing keys and certificates.

Want the Video Tutorial? Browse our Video on Code Signing with Azure Key Vault
