Purchasing an EV Code Signing Certificate for Azure
Using Azure Key Vault
Azure Key Vault is a Microsoft service for managing keys, secrets, and certificates. They are stored in hardware security modules (HSMs) that comply with industry standards such as the Federal Information Processing Standards (FIPS) 140-2 Level 2. This means that Extended Validation (EV) Code Signing certificates can be issued to a key generated inside Azure Key Vault, removing the requirement for issuance to a physical cryptographic token.
You can use the instructions on this page to set up, install, and use an EV Code Signing certificate in Azure.
To set up the Azure Key Vault, log in to your Azure Portal and click the “Create a resource” button. Search for “Key Vault” and press “Create” to get your vault up and running:
Select the settings that fit your use case and create your Key Vault. Note: In order to be compliant with the FIPS 140-2 standard, you must select the “Premium” pricing tier; the Standard tier protects keys in software rather than in an HSM. If you do not choose “Premium”, there is a risk that your certificate will be revoked.
When your vault has been created, select “Certificates” in the menu on the left.
Then click “Generate/Import” to start creating your Code Signing CSR:
Fill out your certificate name and subject name. The subject name should be your company name.
Set the “Type of Certificate Authority” to non-integrated CA and then select “Advanced Policy Configuration”:
In the Extended Key Usages (EKUs) field please add the following:
These EKUs identify the certificate as a Code Signing certificate.
You should also set “Exportable Private Key” to “No” and the “Key Type” to RSA-HSM, so that the private key is generated in, and never leaves, the HSM.
Note: Starting May 31, 2021, all Code Signing certificates from TRUSTZONE are required to be issued with 4096-bit keys, so choose a 4096-bit key size.
When you have configured the policy, click “Okay” and then “Create”.
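The same policy settings can be expressed as the JSON policy document that the Azure CLI accepts (az keyvault certificate create --policy @policy.json) instead of clicking through the portal form. The script below is an added example, not TRUSTZONE's or Microsoft's code: it builds such a policy and audits a policy plus vault pricing tier against the requirements on this page (Premium tier, non-exportable RSA-HSM key, 4096 bits, non-integrated CA, code-signing EKU). Assumptions: the policy layout follows the document that az keyvault certificate get-default-policy emits, and because this page does not reproduce the EKU list, the standard id-kp-codeSigning OID 1.3.6.1.5.5.7.3.3 is used as the required EKU; the subject name is a constructed sample.

```python
"""Build and audit an Azure Key Vault certificate policy for an EV Code Signing CSR."""
import json
from typing import Dict, List

# Standard id-kp-codeSigning EKU OID (RFC 5280). The page does not list the EKUs
# it tells you to enter, so this value is an assumption, not a quote from the page.
CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"
REQUIRED_KEY_SIZE = 4096   # TRUSTZONE requirement since May 31, 2021
REQUIRED_SKU = "premium"   # HSM-backed keys (FIPS 140-2 Level 2)


def build_code_signing_policy(subject: str, validity_months: int = 12) -> Dict:
    """Return a Key Vault policy for a non-integrated-CA, HSM-backed code-signing CSR.

    Layout assumed to match `az keyvault certificate get-default-policy` output.
    """
    return {
        # "Unknown" = non-integrated CA: Key Vault generates the key and the CSR,
        # and the CA-signed certificate is merged back in later.
        "issuerParameters": {"name": "Unknown"},
        "keyProperties": {
            "exportable": False,      # "Exportable Private Key" = No
            "keyType": "RSA-HSM",     # key is generated in and never leaves the HSM
            "keySize": REQUIRED_KEY_SIZE,
            "reuseKey": False,        # fresh key pair on every renewal
        },
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "subject": subject,       # company name, e.g. "CN=Example Company A/S"
            "ekus": [CODE_SIGNING_EKU],
            "keyUsage": ["digitalSignature"],
            "validityInMonths": validity_months,
        },
    }


def audit_policy(policy: Dict, vault_sku: str) -> List[str]:
    """Return the settings that violate the page's requirements (empty list = compliant)."""
    findings: List[str] = []
    kp = policy.get("keyProperties", {})
    x509 = policy.get("x509CertificateProperties", {})
    if vault_sku.lower() != REQUIRED_SKU:
        findings.append(f"vault SKU is '{vault_sku}'; EV keys require the '{REQUIRED_SKU}' tier")
    if kp.get("exportable", True):
        findings.append("private key is exportable; set Exportable Private Key to No")
    if kp.get("keyType") != "RSA-HSM":
        findings.append(f"key type is '{kp.get('keyType')}'; must be RSA-HSM")
    if kp.get("keySize", 0) < REQUIRED_KEY_SIZE:
        findings.append(f"key size is {kp.get('keySize')}; must be at least {REQUIRED_KEY_SIZE}")
    if CODE_SIGNING_EKU not in x509.get("ekus", []):
        findings.append(f"code-signing EKU {CODE_SIGNING_EKU} is missing")
    if policy.get("issuerParameters", {}).get("name") != "Unknown":
        findings.append("issuer is not the non-integrated CA ('Unknown')")
    return findings


def policy_json(policy: Dict) -> str:
    """Serialise the policy for `az keyvault certificate create --policy @policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample subject; replace with your vetted company name.
    good = build_code_signing_policy("CN=Example Company A/S, O=Example Company A/S, C=DK")
    print(policy_json(good))
    print("findings (compliant policy):", audit_policy(good, "premium"))

    # The same policy with the defaults the portal would otherwise offer.
    weak = build_code_signing_policy("CN=Example Company A/S")
    weak["keyProperties"].update({"exportable": True, "keyType": "RSA", "keySize": 2048})
    for finding in audit_policy(weak, "standard"):
        print("finding (weak policy):", finding)
```

Running the audit before you create the certificate catches the mistakes that lead to revocation (a software-protected or exportable key) while they are still cheap to fix; once the CSR has been signed by the CA, changing the key means a new order.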
The certificate will then appear as an “In progress” certificate under the Certificates tab:
Click on your certificate in progress. Choose “Certificate Operation” and then click “Download CSR”:
Save the CSR file in a safe location of your choosing.
The ordering process
Now you are ready to order your EV Code Signing (HSM) certificate. You can order it in your portal or by contacting a TRUSTZONE account manager. Your order will need to be vetted, and you will receive documents from TRUSTZONE which you will need to sign. Please also let us know that you will be storing your EV Code Signing certificate in Azure Key Vault.
Finally, TRUSTZONE will confirm the order by calling your main company number. During this call you will also be asked to create a pickup password. Keep this password in a safe location: it cannot be reset, and if you forget it you will need to create a new order.
When the vetting process is completed you will receive an email letting you know that your certificate is ready for pickup.
When you receive this email, simply click the link in step 4 of the email.
Note: You will need either Internet Explorer or Mozilla Firefox to download the certificate.
Please go through the steps, inputting your pickup password when prompted and copy-pasting the contents of your CSR file when asked.
You will then be prompted to download your certificate. Save the certificate in the location of your choosing.
Now log in to your Azure Portal again and go to your Key Vault. Click on your certificate in progress. Choose “Certificate Operation” and then click “Merge Signed Request”. Find your downloaded certificate and upload it to the Key Vault:
Your EV Code Signing certificate is now available in Azure Key Vault and can be used in Azure Pipelines or with AzureSignTool, with the private key remaining in the HSM.