How to Purchase an EV Code Signing Certificate for Azure?

How to Purchase EV Code Signing Certificate for Azure

Every digital platform requires an EV Code Signing Certificate. A similar case is with Microsoft Azure. If you use an Azure pipeline to streamline your project, Azure Key Vault is the only way to sign an application efficiently. The procedure for availing of an EV Code Signing Certificate for Azure differs.

Most developers/publishers know how to utilize Azure Cloud, but only a few understand the procedure for using Azure Key Vault for digital signing. But you can thoroughly learn about the process by reading further.

So, let’s get started.

Azure Key Vault EV Code Signing

Protect your Code Signing Certificate and Private Key to Secure Cloud-Based HSM.

Azure Key Vault: The Basic You Need To Understand

Azure Key Vault plays a primary role in storing the certificates and private keys to sign the applications digitally. It’s a cloud-based functionality available on Microsoft Azure Cloud Infrastructure, whose primary purpose is discreetly storing secrets.

Besides digital certificates, you can also use them to store passwords, API, and cryptographic keys.

Azure Key Vault’s storage aligns with FIPS (Federal Information Processing Standards) 140-2 standards. Its storage security is similar to the EV Code Signing Certificate’s USB token, in which CA provides the private key.

Generating or importing any EV Certificate to the Azure Key Vault is stored in a hardware security module.

In addition, Azure provides a completely secure environment for signing and certificate operations. It uses the latest and updated Transport Layer Security protocol to encrypt every bit in the transmission channel.

All your details are safe if you import your Code Signing Certificate or generate one at the vault.

And some of the additional leverages you avail with Azure Key Vault include:

  • Azure secures the key using hardware modules and considerable vital lengths.
  • It allows one to import and manage one’s keys.
  • Only you can access the vault, as even Microsoft can’t view and extract your cryptographic keys.
  • It automatically creates the log and stores details, like when someone uses the certificate to sign an executable file.
  • Azure key vault reduces the time needed to access keys, as it resides in the same cloud environment and can get integrated into the Azure pipeline.

Recommended: Code Sign With Azure DevOps Using a Code Signing Certificate

How does EV Code Signing with Azure Key Vault Work?

When you want to utilize an Extended Validated Code Signing Certificate with Azure Cloud, you must import or generate the certificate in the Azure Key vault.

Otherwise, it will create complexities, or you will get disabled from detecting external USB tokens and signing executable files.

Azure Key Vault aligns with the same industry standards as EV’s external token and fulfills the CA’s security requirement. It helps to directly issue the EV Code Signing Certificate into the cloud ecosystem and embed it into the development pipeline to automate and streamline the procedure.

Therefore, the Azure Key vault replaces a USB token, eliminating your hassle to secure it from unauthorized access.

Additionally, you get the benefits as follows:

  • The automated signing of software, applications, and executable files.
  • Effortless certificate and private key management.
  • Compliance with the best approach to secure private key in a FIPS-140-2 Level 2 aligning hardware security module.
  • A single interface to import, manage, and store private keys and EV Code Signing certificates.

Recommended: DigiCert EV Code Signing Certificate Supports Azure Key Vault Premium (HSM backed)

The Complete Procedure To Avail Azure Key Vault Sign Certificate

Once you understand the fundamentals of the Azure Key vault and why it’s necessary to utilize the EV Code Signing Certificate, you can undergo the availing procedure. Multiple methods exist to add an EV Code Signing Certificate to the Azure Key Vault. Let’s have a look at them one by one.

#1: Importing an EV Code Signing Certificate

Step 1: Find a reputable Code Signing certificate provider CA like DigiCert and a Reseller like SignMyCode to Purchase an EV Code Signing Certificate.

Step 2: Complete the validation procedure and wait until the Certificate Authority assigns you the certificate. Make sure that your certificate file is in PFX or PEM format.

Step 3: Create your Azure Key Vault account and choose the Certificates option from the action bar at the left.

Step 4: Further, click the Generate/Import option to open the form, inputting the details required to import your EV Code Signing Certificate.

Create Key Vault Azure

Step 5: Complete the details by filling out Certificate Name, Subject, validity period, and content type. Also, select the type of certificate authority as a certificate issued by a non-integrated CA.

Create Certificate Azure Portal

Step 6: Move forward to advanced policy configuration, and under it, set the key type to RSA-HSM and select the key size accordingly.

Step 7: After inputting all data and selecting appropriate options according to your requirement, click Okay à Create.

Step 8: Navigate to the Certificate operations tab to see your certificate with in-progress status and multiple options. Click on the Download CSR option.

Certificate Operation Tab

Step 9: Once the CA issues you the certificate and sends mail to download it, you will find instructions on uploading it to Azure Key Vault. While following the procedure, the system will ask you to enter CSR and then download the certificate to the location of your choice.

Step 10: Access the Azure Key Vault portal, go to Certificate Option, and this time click on Merge Signed Request. It will allow you to select the downloaded EV Code Signing Certificate.

Merge Signed CSR Request

Step 11: Select the appropriate certificate, which will get uploaded to Azure Key Vault. Now you can utilize it through Azure Sign Tool and embed it within the Azure Pipeline.

#2: Uploading Signed CSR To The Azure Key Vault

This approach is followed through the Azure Command Line Interface. However, to get started, you must generate a policy file defining the certificate type, name, key size, ekus, subject, validity, and key usage details.

After the policy file creation, follow the below steps:

Step 1: Open the Azure CLI interface.

Step 2: Execute the command:

$ az key vault certificate create --vault-name $AZURE_KEY_VAULT_NAME -p @cer
t-policy.json --name $CERTIFICATE_NAME

Replace $AZURE_KEY_VAULT_NAME and $CERTIFICATE_NAME with the names of your certificate and key vault name.

Step 3: Once both commands are executed, you will see a certificate in your Azure Key Vault, but in a disabled state.

Step 4: To enable the certificate, you must create and download the CSR to get it signed by CA. To perform it, run the below command.

$ az keyvault certificate pending show --name $CERTIFICATE_NAME --vault-name $AZURE_KEY_VAULT_NAME | jq -r .csr | sed -e'1,1s/^/-----BEGIN CERTIFICATE REQUEST-----/g' | sed -e'$,$s/$/-----END CERTIFICATE REQUEST-----/g'

Step 5: Send the CSR to the CA and wait until it gets signed. And after you receive it, store it on your local machine.

Step 6: You must upload the signed CSR to Azure Key Vault to enable the EV Code Signing Certificate. To perform it, run the command:

az key vault certificate pending merge --name $CERTIFICATE_NAME --vault-name $AZURE_KEY_VAULT_NAME -f SIGNED_CSR_FILE.crt

Replace the highlighted keywords with your file names to execute successfully.

Best Provider To Buy EV Code Signing Certificate

For Azure Cloud Platform, you should only select the top-notch Certificate provider offering Code Signing Certificates from reputed CAs like DigiCert.

Therefore, DigiCert EV Code Signing Certificates are compatible with Azure Key Vault and efficiently secure the software.

Wrapping Up

Utilizing the Azure Key Vault is necessary to integrate the code signing process in the Azure pipeline. To make a certificate available, you must follow one of the two approaches – importing the certificate or getting your CSR signed by the CA.

In addition, the vault provides security similar to that of a USB token, which a CA provides when issuing an EV software publisher certificate.

Azure Code Signing

Code Signing with Azure Key Vault

Leverage the Cloud Based Software Security by Securely Store your Private Key and Code Signing Certificate to Microsoft Azure Key Vault.

Get Azure Key Vault Code Signing Certificate
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.