Follow these instructions to store a code signing certificate and private key in Azure Key Vault. This allows you to store your signing key securely (complying with current industry standards) without needing a USB token or your own hardware security module (HSM).
Part 1: Issue a Code Signing Certificate to Azure Key Vault
Create an Azure Key Vault
In the Microsoft Azure Portal, open “Key vaults” then click Create.
Enter in the required details, being sure to select “Premium” pricing tier. This is necessary to enable HSM-storage for your private keys. Without HSM storage, your private key will not be stored in a compliant manner and your certificate may be revoked.
Note: You do not need to set up Azure Key Vault Managed HSM; a standard key vault on the Premium tier will suffice.
Copy down your Vault URI, you’ll need it later.
Assign Key Vault Permissions
After creating the Key Vault, you’ll have “Owner” permissions. You’ll need to also assign yourself the role “Key Vault Administrator”.
You can do this by clicking on Access control (IAM), then on “Add role assignment”.
Purchase a DigiCert Code Signing Certificate
Only DigiCert code signing certificates are compatible with Azure Key Vault. Sectigo/Comodo code signing certificates require key attestation, which Azure Key Vault does not support.
Create Certificate Signing Request (CSR)
Inside your new Azure Key Vault, go to Objects > Certificates, then “Generate/Import”. Fill out the form with these values:
- Method of Certificate Creation: Generate
- Type of Certificate Authority (CA): Certificate issued by a non-integrated CA
- Subject: CN=My Organization Name
- Do not include a comma in the Subject (don’t worry, this doesn’t have to exactly match what will be displayed on the certificate: DigiCert only uses the public key from your CSR and ignores the other fields)
- DNS Names: 0
- Content Type: PKCS #12
Next, click to configure Advanced Policy Configuration and enter these options:
- In the EKU field, add this EKU to the list: 1.3.6.1.5.5.7.3.3
- Exportable Private Key: No
- Key Type: RSA-HSM (or EC-HSM)
- It’s very important to choose a key type that ends in HSM. If you choose a non-HSM key-type, your key will not be stored in a compliant manner and your certificate could be revoked.
- Key Size: 3072
After clicking create, your newly created certificate request will be listed under “In progress, failed or cancelled”. Click on the certificate name, then on Certificate Operation, then on Download CSR.
Submit CSR & Complete Validation
Follow the instructions provided by your certificate provider to submit the CSR to the certificate authority.
As part of the validation process, DigiCert will send you an email with a form to verify that you are storing the keys in a compliant location. Fill out this form (and any other forms required for validation), then wait for the certificate to be issued.
Note: this is why it was critical that you select HSM storage when creating the certificate in Azure Key Vault. If you didn’t select HSM storage, your certificate could be revoked for non-compliant key storage.
Merge Certificate
After DigiCert issues your certificate:
Go back into Azure Key Vault and open up the certificate. Click on Certificate Operation, then on Merge Signed Request.
Open the .zip folder that DigiCert sent you with the certificate. Look for the file with your name or company name as the file name (eg acme_llc.crt). Open the file in a text editor. Copy the certificate text, paste it into Azure Key Vault, and complete the merge. Your certificate has now been merged with the private key and is ready to use.
Part 2: Sign Code with a Certificate in Azure Key Vault
You’re now ready to sign code using your code signing certificate stored in Azure Key Vault. The specific steps will vary depending on the context you’re doing code signing in, but we’ll walk you through how to do it using AzureSignTool on a Windows desktop.
Install AzureSignTool
One popular tool is AzureSignTool, an open source version of SignTool modified to work with Azure Key Vault: https://github.com/vcsjones/AzureSignTool
Be sure you have the latest version of the .NET SDK installed, then open up Command Prompt and run: dotnet tool install --global AzureSignTool
Set up an Azure Entra ID Application
Follow Microsoft’s quickstart to register an application: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app (don’t worry about the redirect URL).
Copy down your:
- Tenant ID
- Application (client) ID
After creating the app: In the navigation menu for the app, go to Certificates & secrets, then Client secrets. Click New client secret and create a new secret. Be sure to immediately copy down the displayed “Value”: you won’t be able to see it again.
Grant the Application Access to the Key Vault
Open your Key Vault, then go to Access control (IAM). Click on “Add role assignment”. Choose a role with sufficient permissions (eg. Key Vault Crypto User) and grant access to your newly created Entra ID application.
Sign Your Executable
Run this command to sign a file in your present working directory:
azuresigntool sign -kvu [vault uri] -kvc [certificate name] -kvi [application id] -kvs [secret] -kvt [tenant id] -tr http://timestamp.digicert.com -v [filename.exe]
(Replace the placeholders, including brackets, with your actual values.)
Fields:
| Flag | Meaning |
| --- | --- |
| -kvu | Your Key Vault’s Vault URI |
| -kvc | Your certificate’s name in Key Vault |
| -kvi | The Entra application (client) ID |
| -kvs | The Entra application secret |
| -kvt | Your Entra ID tenant ID |
| -tr | Timestamp URL, i.e. http://timestamp.digicert.com |
| -v | Verbose output; the file to sign is the final positional argument |
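The same signing step wrapped in a script, added here as an example and not part of the original article or of AzureSignTool itself: it reads the client secret from an environment variable rather than the command line, signs each file, then checks that the resulting signature is valid, carries the Code Signing EKU set in the Key Vault policy, and is timestamped. The vault URI, certificate name, client ID and tenant ID below are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): sign files with AzureSignTool
# and verify the result. Assumes AzureSignTool is installed as a global dotnet
# tool and that the placeholder values below are replaced with your own.
param(
    [Parameter(Mandatory = $true)][string[]] $Files,
    [string] $VaultUri        = 'https://my-vault.vault.azure.net/',    # placeholder
    [string] $CertificateName = 'my-code-signing-cert',                 # placeholder
    [string] $ClientId        = '00000000-0000-0000-0000-000000000000', # placeholder
    [string] $TenantId        = '00000000-0000-0000-0000-000000000000', # placeholder
    [string] $TimestampUrl    = 'http://timestamp.digicert.com'
)

# Read the Entra client secret from the environment so it does not end up in
# shell history or process listings alongside the command line.
$secret = $env:AZURE_CLIENT_SECRET
if ([string]::IsNullOrEmpty($secret)) {
    throw 'Set AZURE_CLIENT_SECRET before running this script.'
}

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # the EKU entered in the Key Vault policy

foreach ($file in $Files) {
    # Same flags as the command in the article; -v is verbose, the file is positional.
    azuresigntool sign -kvu $VaultUri -kvc $CertificateName -kvi $ClientId `
        -kvs $secret -kvt $TenantId -tr $TimestampUrl -v $file
    if ($LASTEXITCODE -ne 0) {
        throw "AzureSignTool failed for $file (exit code $LASTEXITCODE)"
    }

    # Verify: the signature chains to a trusted root, the signer certificate
    # carries the Code Signing EKU, and an RFC 3161 timestamp is present so the
    # signature remains valid after the certificate itself expires.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "$file: signature status is $($sig.Status)"
    }
    if (-not ($sig.SignerCertificate.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku)) {
        throw "$file: signer certificate lacks the Code Signing EKU"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "$file: signature is not timestamped"
    }
    Write-Host "$file signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
}
```

Run it as `.\sign-and-verify.ps1 -Files .\app.exe, .\installer.msi` after setting `$env:AZURE_CLIENT_SECRET` in the current session.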