How to Create Key Vault, CSR, and Import Code Signing Certificate in Azure KeyVault HSM?

Create CSR and Import Certificate in Azure Key Vault

This guide will use secure key management using Microsoft Azure KeyVault. In today’s digital landscape, where data security is paramount, protecting your private keys, generating certificates, and managing secure connections is crucial.

Recommended: Comprehensive Guide on Azure Key Vault

Microsoft Azure KeyVault offers a robust and reliable solution for handling these critical security aspects.

We will walk you through creating private keys, generating Certificate Signing Requests (CSRs), and importing certificates on Microsoft Azure KeyVault.

With a focus on cloud Hardware Security Modules (HSM), we will explore how you can leverage the power of KeyVault to ensure the utmost security and integrity of your sensitive information.

So, let’s dive into the world of secure key management on Microsoft Azure KeyVault and discover how to safeguard your assets, strengthen your security posture, and achieve peace of mind in an ever-evolving digital landscape.

Reputed Certificate Authority Like DigiCert’s Code Signing support Azure Vault Standard and Premium tier! To Get Benefits of this, You can Purchase DigiCert EV Code Signing Certificate from us!

How to Generate Certificate Signing Request (CSR) in Microsoft Azure Cloud HSM?

To generate a Certificate Signing Request (CSR) within Microsoft Azure KeyVault, follow these steps:

Step 1: To set up the Azure Key Vault please log in to your Azure Portal and click on the “Create a resource” button.

Step 2: Search for “Key Vault” and press create to get your vault up and running!

Create Key Vaut

Step 3: Please select the settings that fit your use case and create your Key Vault.

Note: In order to be compliant with the FIPS 140-2 standard, you should select the “Premium” pricing tier. If you do not choose “Premium”, there’s a risk that your certificate will be revoked.

Access Configuration Settings:

Access Configuration

Networking Settings:

Networking Changes

Review and Create New Vault:

Review and Create Vault

Step 4: Your vault has been created now.

Deployment Done

Step 5: When your vault has been created, please select “Certificates” in the action bar to the left.

Click on Certificates

Step 6: Then click “Generate/Import” to start creating your Code Signing CSR:

Generate Import Certificate

Step 7: Fill out your certificate name and subject name. The subject name should be your company name. Make sure to define the subject name with CN= . Now, set the Type of certificate authority, to non-integrated CA. Proceed to configure the Advanced Policy.

Create Certificate Azure

Step 8: In the Advanced Policy Configuration:

Advanced Policy Configuration
  • In the Extended Key Usages (EKUs) field please add the following: This EKU identifies the certificate as a Code Signing certificate.
  • You should also set “Exportable Private Key” as No and the “Key Type” to RSA-HSM.

    Note: All code Signing certificates from DigiCert are required to be issued with a minimum, 4096-bit key size.

Step 9: When you have configured the policy, click “Okay” and then “Create”. Now, click on the certificate that you just created. The certificate will then appear as an “In progress” certificate under the Certificates tab.

In Progress Certificate

Step 10: Click on your certificate in progress. Choose “Certificate Operation”.

Certificate Operations

Step 11: You will see the status as ‘In Progress’. Download the Certificate Signing Request (CSR) from here and Save the CSR file in a safe location of your choosing.

Download CSR

Step 12: Go to the order enrolment page and Navigate to Input CSR.

Input CSR

Step 13: Paste your CSR here and, enter the other required details, and submit the order.

Add Details

Step 14: Once the validation is completed, you will receive an email from Digicert, about Private Key Protection Agreement. Review your organization details and agree to the Private key protection agreement to complete the validation.

Private Key Protection Agreement
DigiCert Ageement
Agreement for KeyPair

Step 15: After the order is issued, contact our support team to get the .PEM file. Now, return to your certificate operation and click, Merge Signed Request.

Merge CSR Azure

Step 16: Insert the .PEM file. Now the status will change to completed. Your EV Code Signing certificate is now available in Azure Key Vault and can be used in Azure Pipeline or with the Azure Sign Tool.

Insert PEM File
Merged CSR to Certificate

Your private key is now securely stored in Microsoft Azure KeyVault Cloud HSM, providing enhanced security and peace of mind.

You can refer to the above steps as an individual developer or a large-scale enterprise. We hope this guide equipped you with the knowledge and skills to manage your keys and certificates on Microsoft Azure KeyVault.


Best Practices for Storing X.509 Private Keys

Buy Azure Key Vault Code Signing Certificate Starts at Just $369.99/Yr

You can Also Checkout Our Video Guide for the Same!

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.