How to Purchase an EV Code Signing Certificate for Azure?

How to Purchase EV Code Signing Certificate for Azure

Every digital platform has its requirement to utilize an EV Code Signing Certificate. And the similar case is with Microsoft Azure. If you use an Azure pipeline to streamline your project, then Azure Key Vault is the only way to sign an application efficiently. And the procedure to avail of an EV Code Signing Certificate for Azure is also different.

Most developers/publishers know to utilize Azure Cloud, but only a few understand the procedure to use Azure Key Vault for digital signing. But you can thoroughly learn about the process by reading further.

So, let’s get started.

Azure Key Vault: The Basic You Need To Understand

Azure Key Vault plays a primary role in storing the certificates and private keys to sign the applications digitally. It’s a cloud-based functionality available on Microsoft Azure Cloud Infrastructure, whose primary purpose is to store secrets discreetly.

Besides digital certificates, you can also use them for storing passwords, API, and cryptographic keys.

Further, Azure Key Vault’s storage aligns with FIPS (Federal Information Processing Standards) 140-2 standards. It makes its storage security similar to the EV Code Signing Certificate’s USB token, in which CA provides the private key.

And when you generate or import any EV Certificate to the Azure Key Vault, it gets stored in a hardware security module.

In addition, Azure provides a completely secure environment for signing and certificate operations. It uses the latest and updated Transport Layer Security protocol to encrypt every bit in the transmission channel.

All your details are safe if you import your Code Signing Certificate or generate one at the vault.

And some of the additional leverages you avail with Azure Key Vault include:

  • Azure secures the key using hardware modules and considerable key lengths.
  • It allows one to import and manage own keys.
  • Only you can access the vault, as even Microsoft can’t view and extract your cryptographic keys.
  • It automatically creates the log and stores details, like when someone uses the certificate to sign an executable file.
  • Azure key vault reduces the time in accessing keys, as it resides in the same cloud environment and can get integrated into the Azure pipeline.

Recommended: Code Sign With Azure DevOps Using a Code Signing Certificate

How does EV Code Signing with Azure Key Vault Work?

When you want to utilize an Extended Validated Code Signing Certificate with Azure Cloud, you must import or generate the certificate in the Azure Key vault.

Otherwise, it will create complexities, or you will get disabled from detecting external USB tokens and signing executable files.

Azure Key Vault aligns with the same industry standards as EV’s external token and fulfills the CA’s security requirement. It helps to directly issue the EV Code Signing Certificate into the cloud ecosystem and embed it into the development pipeline to automate and streamline the procedure.

Therefore, the Azure Key vault comes in place of a USB token, and your hassle to secure it from unauthorized access gets eliminated.

Additionally, you get the benefits as follows:

  • The automated signing of software, applications, and executable files.
  • Effortless certificate and private key management.
  • Compliance with the best approach to secure private key in a FIPS-140-2 Level 2 aligning hardware security module.
  • A single interface to import, manage and store private keys and EV Code Signing certificates.

Recommended: DigiCert EV Code Signing Certificate Supports Azure Key Vault Premium (HSM backed)

The Complete Procedure To Avail Azure Key Vault Sign Certificate

Once you understand the fundamentals of Azure Key vault and why it’s necessary to utilize the EV Code Signing Certificate, it will be easy to undergo the availing procedure. Multiple methods exist to add an EV Code Signing Certificate to the Azure Key Vault. Let’s have a look at them one by one.

#1: Importing an EV Code Signing Certificate

Step 1: Find a reputable Code Signing certificate provider CA like DigiCert and Reseller like SignMyCode to Purchase EV Code Signing Certificate.

Step 2: Complete the validation procedure and wait until the Certificate Authority assigns you the certificate. Makes sure that your certificate file is in PFX or PEM format.

Step 3: Create your Azure Key Vault account and choose the Certificates option from the action bar at the left.

Step 4: Further, click the Generate/Import option to open the form, inputting the details required to import your EV Code Signing Certificate.

Create Key Vault Azure

Step 5: Complete the details by filling out Certificate Name, Subject, validity period, and content type. Also, select the type of certificate authority as a certificate issued by a non-integrated CA.

Create Certificate Azure Portal

Step 6: Move forward to advanced policy configuration, and under it, set the key type to RSA-HSM and select the key size accordingly.

Step 7: After inputting all data and selecting appropriate options according to your requirement, click Okay à Create.

Step 8: Navigate to the Certificate operations tab; you will see your certificate with in-progress status with multiple options. Click on the Download CSR option.

Certificate Operation Tab

Step 9: Once the CA issues you the certificate and sends mail to download it, you will find instructions to upload it to Azure Key Vault. While following the procedure system will ask you to enter CSR and then download the certificate to the location of your choice.

Step 10: Access the Azure Key Vault portal, go to Certificate Option, and this time click on Merge Signed Request. It will provide you the option to select the downloaded EV Code Signing Certificate.

Merge Signed CSR Request

Step 11: Select the appropriate certificate, which will get uploaded to Azure Key Vault. Now you can utilize it through Azure Sign Tool and even embed it within the Azure Pipeline.

#2: Uploading Signed CSR To The Azure Key Vault

This approach gets followed through Azure Command Line Interface. However, to get started, you must generate a policy file defining the certificate type, name, key size, ekus, subject, validity, and key usage details.

After the policy file creation, follow the below steps:

Step 1: Open the Azure CLI interface.

Step 2: Execute the command:

$ az key vault certificate create --vault-name $AZURE_KEY_VAULT_NAME -p @cer
t-policy.json --name $CERTIFICATE_NAME

Replace $AZURE_KEY_VAULT_NAME and $CERTIFICATE_NAME with the names of your certificate and key vault name.

Step 3: Once both the commands get executed, you will see a certificate in your Azure Key Vault, but in a disabled state.

Step 4: To enable the certificate, you must create and download the CSR to get it signed by CA. To perform it, run the below command.

$ az keyvault certificate pending show --name $CERTIFICATE_NAME --vault-name $AZURE_KEY_VAULT_NAME | jq -r .csr | sed -e'1,1s/^/-----BEGIN CERTIFICATE REQUEST-----/g' | sed -e'$,$s/$/-----END CERTIFICATE REQUEST-----/g'

Step 5: Send the CSR to the CA and wait until it gets signed. And after you receive it, store it on your local machine.

Step 6: You must upload the signed CSR to Azure Key Vault to enable the EV Code Signing Certificate. To perform it, run the command:

az key vault certificate pending merge --name $CERTIFICATE_NAME --vault-name $AZURE_KEY_VAULT_NAME -f SIGNED_CSR_FILE.crt

Replace the highlighted keywords with your file names to execute successfully.

Best Provider To Buy EV Code Signing Certificate

For Azure Cloud Platform, you should only select the top-notch Certificate provider offering Code Signing Certificates from reputed CAs like DigiCert.

Azure Code Signing with DigiCert

But you can save time and effort, as you can visit an all-in-one platform to purchase EV Code Signing Certificate.

Therefore, DigiCert EV Code Signing Certificates are wholly compatible with Azure Key Vault and efficiently secure the software.

Wrapping Up

To integrate the code signing process in the Azure pipeline, it’s necessary to utilize the Azure Key Vault. And to make a certificate available, you need to follow one of the two approaches – importing the certificate or getting your CSR signed by the CA.

In addition, the vault provides similar security as a USB token, which a CA provides when issuing an EV software publisher certificate.

Hence, Azure Key Vault is the primary location where you can store private keys and EV Code Signing Certificate to automate the digital signing procedure. And you must follow the approaches mentioned above if you want to tamper-proof your software in the Azure cloud environment.

Get DigiCert EV Code Signing at Just $499.99/yr

Protect your Signed Code with Azure Key Vault and a HSM based code signing certificate from DigiCert EV Code Signing Certificate.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.