Video Guide to Set Up and Initialise a USB eToken for DigiCert or Verokey
Step 1. Ordering your Code Signing Certificate
You will need to order a code-signing certificate from a trusted Certificate Authority. We have them available here from SSLTrust and would highly recommend the Verokey range. This tutorial is for the Verokey and DigiCert Code Signing Certificates.
As this tutorial covers installing your new certificate onto a secure HSM, in this case Microsoft Azure Key Vault, make sure the provisioning method on the order page is set to Install onto existing HSM.
With your new certificate added to the shopping cart, complete the checkout with payment. When all is done, your new service will appear in your SSLTrust account.
Step 2. Start your new Code Signing Certificate Configuration
Login to your SSLTrust account, and from the Services menu, view your new Code Signing Certificate and click Manage.
From the Manage Product page, you will see a button to Submit Certificate Configuration; click this to be taken to the configuration page.
Now, you want to select your provisioning method. You will need to make sure Install on an HSM is selected.
Then select FIPS 140-2 Level 2 from the Token drop-down; this is the level that Microsoft Azure Key Vault's HSM-backed keys meet.
Next, you will need to provide a CSR, which we need to get from Azure Key Vault.
Step 3. Create Azure Key Vault
Log in to your Azure Portal. If you already have a Key Vault created, you can skip to the next step. If not, let's create one now.
From your Azure portal, find the Key Vaults Resource.
And create a new Key Vault.
Enter all the details of your new Key Vault. Make sure you have Premium selected for the Pricing Tier, as this is the only one that allows the HSM-backed keys.
When your new Key Vault is created, go into view/manage it.
Step 4. Create Certificate Signing Request (CSR)
We now need to create the Private Key and Certificate Signing Request (CSR), so from the left menu, select Certificates.
Click the Generate button.
Enter the details of the new Certificate. You will need to select Certificate issued by a non-integrated CA for the Type of CA.
The subject won't be used on the issued certificate, but you do need to enter something in the field.
Click Not Configured for the Advanced Policy Configuration to show the new panel.
In the new panel, for the Extended Key Usage field, add a new value to the end: 1.3.6.1.5.5.7.3.3
This is to enable code signing on the key/certificate.
You need to make the following selections for the Policy Configuration:
Select No for Exportable Private Key. This will then show more options under Key Type.
Select RSA-HSM or ECC-HSM and a compatible key size.
For RSA-HSM, you need to select a key size of 4096.
Click OK and Create your new Certificate.
Now you will see your Certificate listed, and you can click on it to be taken to the Certificate page.
On the Certificate page, click the Certificate Operations to bring up a new panel.
And from here, click the Download CSR button.
This will download your CSR to your local computer. You will then need to open it in a text editor and copy the entire contents of the CSR back into the Configuration page's CSR field.
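For anyone who prefers to script Steps 3 and 4 rather than click through the portal, here is an added Azure CLI example; it is not part of the SSLTrust guide or Microsoft's documentation. The vault, resource group, location and certificate names are placeholders, the az calls assume an Azure CLI session that is already logged in, and the CSR returned by "pending show" is assumed to be base64 DER (which is why it is wrapped in PEM armour). The policy mirrors the portal selections above: certificate issued by a non-integrated CA, non-exportable RSA-HSM 4096 key, and the code-signing EKU 1.3.6.1.5.5.7.3.3.

```shell
#!/usr/bin/env bash
# Added example, not part of the SSLTrust guide: Azure CLI equivalent of Steps 3 and 4.
# VAULT_NAME, RESOURCE_GROUP, LOCATION and CERT_NAME are placeholders; the az calls
# assume an Azure CLI session that is already logged in (az login).
set -euo pipefail

VAULT_NAME="${VAULT_NAME:-my-codesign-kv}"        # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-codesign-rg}"   # placeholder
LOCATION="${LOCATION:-australiaeast}"             # placeholder
CERT_NAME="${CERT_NAME:-codesign-cert}"           # placeholder

# Certificate policy matching the portal selections in the guide:
# issuer "Unknown" = certificate issued by a non-integrated CA,
# non-exportable RSA-HSM 4096 key, and the code-signing EKU 1.3.6.1.5.5.7.3.3.
# (The portal's ECC-HSM option is "EC-HSM" in the API, with a curve instead of keySize.)
write_policy() {
  cat <<'EOF'
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": {
    "exportable": false,
    "keyType": "RSA-HSM",
    "keySize": 4096,
    "reuseKey": false
  },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "CN=placeholder",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "validityInMonths": 12
  }
}
EOF
}

# Guard against the two mistakes that would void the HSM requirement before the
# policy is applied: an exportable key or a software (non-HSM) key type.
# Also requires the code-signing EKU to be present.
policy_is_hsm_codesigning() {   # usage: policy_is_hsm_codesigning policy.json
  grep -q '"exportable": false' "$1" &&
  grep -Eq '"keyType": "(RSA|EC)-HSM"' "$1" &&
  grep -q '1\.3\.6\.1\.5\.5\.7\.3\.3' "$1"
}

# Step 3: the Premium SKU is required for HSM-backed keys.
create_vault() {
  az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --sku premium
}

# Step 4: create the key and pending certificate, then fetch the CSR.
# Assumption: "pending show" returns the CSR as base64 DER, so it is PEM-armoured here.
create_csr() {
  write_policy > policy.json
  policy_is_hsm_codesigning policy.json
  az keyvault certificate create --vault-name "$VAULT_NAME" --name "$CERT_NAME" --policy @policy.json
  az keyvault certificate pending show --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --query csr -o tsv > "$CERT_NAME.csr.b64"
  {
    echo '-----BEGIN CERTIFICATE REQUEST-----'
    fold -w 64 "$CERT_NAME.csr.b64"
    echo '-----END CERTIFICATE REQUEST-----'
  } > "$CERT_NAME.csr"
  echo "CSR written to $CERT_NAME.csr; paste its full contents into the configuration page."
}

# Check a PEM CSR before submitting it: the output should show a 4096-bit key and the
# Code Signing extended key usage. Needs openssl (add -inform DER if the file is DER).
inspect_csr() {   # usage: inspect_csr codesign-cert.csr
  openssl req -in "$1" -noout -text | grep -E 'Public-Key|Code Signing'
}

case "${1:-}" in
  vault) create_vault ;;
  csr)   create_csr ;;
  check) inspect_csr "${2:?path to CSR}" ;;
esac
```

Run it as "./kv-csr.sh vault", then "./kv-csr.sh csr", and "./kv-csr.sh check codesign-cert.csr" before pasting the request into the order form; the inspect step also works on the file the portal's Download CSR button produces.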
Step 4. Continue Configuration with Organisation and Contact Details
After you paste in your new CSR and click NEXT, you will be asked to enter your organisation details. Ensure these are all correct and the address and phone number can be easily found online. The verification team will check online business directories such as DUNS, Google Business, Yellow Pages, and more to verify the details. They will also make a verification phone call using the phone number they find.
And lastly, you will need to enter your organisation's contact details. These are the individuals to approve the order and confirm that you have ordered a Code Signing Certificate for the organisation.
Make sure the Technical contact email address is one you have access to. You will be emailed to sign an agreement saying your HSM is secure and compatible.
Once all details are entered, submit your configuration. You will then be taken to the validation manager, which can provide you with status updates while your organisation is being verified by the validation team. Access to the validation manager is via your SSLTrust account product/service management page.
Organisation Verification
The organisation details and contacts will need to be verified by the DigiCert validation team. This can take 1-5 business days and can depend on how well-listed your organisation is online. Be sure to keep an eye out for any emails from them and a verification phone call. If you don't hear from them within 2 business days, please reach out to our support team, and we will check on the status and provide you with updates.
You will also receive a final order approval email to approve the order when it is ready to be issued.
Step 5. Approve Order and HSM Agreement
You will receive an email to approve the order when your organisation's validation is completed; it looks similar to this:
Click the link in the email and follow the instructions to approve the order. The technical contact will also receive an email to sign an HSM agreement. The email will be similar to this:
Click the link and follow the instructions to sign the agreement, which says the HSM you are using is secure and follows all the requirements, which Azure Key Vault does.
Your Certificate will now be issued.
Step 6. Collect and Import your new Code Signing Certificate to Key Vault
Now that your Certificate has been issued, you need to log in to your SSLTrust account panel and view your Code Signing Service again. This time, it will show that it has been issued, and there will be a button to Collect the Certificate. Click the button.
On the Certificate collection page, you will see your new Code Signing Certificate and the intermediate Certificates.
From the Download Certificate drop-down menu, select the option: A single .pem file containing all the certs except the root
And download the file.
Now go back to your Azure Portal and the page where you see your previously created Certificate and CSR. Click the Merge Signed Request button and select the .pem file you just downloaded.
Your new Code Signing Certificate has been successfully imported into Microsoft Azure Key Vault and is ready to be used to sign your code and applications.
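As an added example for Step 6 (not from the SSLTrust guide), the same merge can be done from the Azure CLI, with a sanity check on the downloaded bundle first and a read-back afterwards to confirm the stored key is still HSM-backed and non-exportable. VAULT_NAME and CERT_NAME are placeholders and the az calls assume a logged-in Azure CLI session.

```shell
#!/usr/bin/env bash
# Added example, not part of the SSLTrust guide: merge the CA-signed chain into
# Key Vault and verify the result. VAULT_NAME and CERT_NAME are placeholders.
set -euo pipefail

VAULT_NAME="${VAULT_NAME:-my-codesign-kv}"   # placeholder
CERT_NAME="${CERT_NAME:-codesign-cert}"      # placeholder

# Count the certificates in a PEM bundle. The file downloaded in Step 6 should
# hold the leaf plus the intermediates and no root, so expect 2 or more.
pem_cert_count() {   # usage: pem_cert_count chain.pem
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Refuse to merge a bundle that is only a single certificate; without the
# intermediates the signed binaries will not chain to a trusted root.
pem_bundle_ok() {   # usage: pem_bundle_ok chain.pem
  n="$(pem_cert_count "$1")"
  [ "$n" -ge 2 ]
}

# List subject/issuer of every cert so you can confirm the root was left out
# (no certificate whose issuer equals its own subject). Needs openssl.
pem_bundle_list() {   # usage: pem_bundle_list chain.pem
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Merge the signed request into the pending certificate, then read the policy
# back: keyType must still be RSA-HSM/EC-HSM and exportable must be false.
merge_signed_cert() {   # usage: merge_signed_cert signed-chain.pem
  pem_bundle_ok "$1" || { echo "bundle looks incomplete (leaf + intermediates expected)" >&2; return 1; }
  az keyvault certificate pending merge --vault-name "$VAULT_NAME" --name "$CERT_NAME" --file "$1"
  az keyvault certificate show --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --query '{keyType:policy.keyProperties.keyType,exportable:policy.keyProperties.exportable,thumbprint:x509Thumbprint}' \
    -o json
}

case "${1:-}" in
  list)  pem_bundle_list "${2:?path to .pem}" ;;
  merge) merge_signed_cert "${2:?path to .pem}" ;;
esac
```

Run "./kv-merge.sh list chain.pem" to eyeball the bundle, then "./kv-merge.sh merge chain.pem"; keep the printed thumbprint, as it is the value you will reference when pointing a signing tool at the certificate.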
You can check out our other guides on how to use the Certificate in Azure Key Vault to sign your code, files and applications via the Azure Sign Tool here.