Setup Verokey/DigiCert Code Signing on Microsoft Azure Key Vault

Today, we are going to run through the process of ordering and configuring your new DigiCert or Verokey Code Signing Certificate. Then, we will create a new Key Vault on Microsoft Azure and import our signed Certificate for Code Signing.

Video Guide to Set Up and Initialise USB eToken for DigiCert or Verokey

Step 1. Ordering your Code Signing Certificate

You will need to order a code-signing certificate from a trusted Certificate Authority. We have them available here from SSLTrust and would highly recommend the Verokey range. This tutorial is for the Verokey and DigiCert Code Signing Certificates.

This tutorial installs the new certificate onto a secure HSM, Microsoft Azure Key Vault, so on the order page make sure the provisioning method is set to Install onto existing HSM.

Code Signing Provisioning Method selection

With your new certificate added to the shopping cart, complete the checkout with payment. When all is done, your new service will appear in your SSLTrust account.

Step 2. Start your new Code Signing Certificate Configuration

Log in to your SSLTrust account, open the Services menu, find your new Code Signing Certificate and click Manage.

List of services in SSLTrust account

From the Manage Product page, you will see a button to Submit Certificate Configuration; click this to be taken to the configuration page.

Product management page with button to submit configuration
verokey code signing configuration page

Now, you want to select your provisioning method. You will need to make sure Install on an HSM is selected.

Then select FIPS 140-2 Level 2 from the Token drop-down. Azure Key Vault's HSM-backed keys meet this level, which is also the minimum the CA/Browser Forum code signing requirements set for protecting the private key.

Selection of provisioning method

Next, you will need to provide a CSR, which we will generate in Azure Key Vault.

Step 3. Create Azure Key Vault

Log in to your Azure Portal. If you already have a Key Vault, skip to the next step; if not, let's create one now.

From your Azure portal, find the Key Vaults Resource.

Azure Portal Key Vaults

Then create a new Key Vault.

Enter the details of your new Key Vault. Make sure Premium is selected for the Pricing Tier: it is the only tier that supports HSM-backed keys (the RSA-HSM and EC-HSM key types selected in the next step).

Azure Key Vault creation

When your new Key Vault is created, go into view/manage it.

Step 4. Create Certificate Signing Request (CSR)

We now need to create the Private Key and Certificate Signing Request (CSR), so from the left menu, select Certificates.

Azure Key Vault Certificate Menu item

Click the Generate button.

Generate button

Enter the details of the new Certificate. For the Type of Certificate Authority (CA), select Certificate issued by a non-integrated CA.

The Subject is a required field and must be in X.500 form (for example CN=Code Signing), but it is not carried into the issued certificate: the CA sets the subject from your validated organisation details.

azure key vault generate certificate form

Click Not Configured for the Advanced Policy Configuration to show the new panel.

In the new panel, add the value 1.3.6.1.5.5.7.3.3 to the end of the Extended Key Usage list.

This is the id-kp-codeSigning OID; it marks the key/certificate as usable for code signing.

advanced policy settings panel

You need to make the following selections for the Policy Configuration:

Select No for Exportable Private Key. This reveals the HSM-backed options under Key Type.

Select RSA-HSM or EC-HSM (the portal's name for an ECC key) and a compatible key size.

For RSA-HSM, select a key size of 4096 (RSA keys shorter than 3072 bits are no longer accepted for code signing certificates).

Select policy configurations

Click OK and Create your new Certificate.

Now you will see your Certificate listed, and you can click on it to be taken to the Certificate page.

New Certificate created and listed

On the Certificate page, click the Certificate Operations to bring up a new panel.

Certificate Operations button

From here, click the Download CSR button.

Download CSR button

This downloads the CSR to your computer. Open it in a text editor and copy its entire contents into the CSR field on the configuration page.

CSR field with new CSR in it
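The portal clicks in Step 3 and Step 4 can be scripted from a Windows code-signing workstation. The following is an added example written for this article, not part of SSLTrust's or Microsoft's material; it uses the Az.KeyVault PowerShell module in an already authenticated session (Connect-AzAccount), and the resource group, vault name, region and certificate name are placeholders to replace with your own.

```powershell
# Added example: Step 3 (Premium vault) and Step 4 (non-exportable RSA-HSM key,
# code-signing EKU, CSR export) with Az.KeyVault. Assumes Connect-AzAccount has run.
$ResourceGroup = 'rg-codesigning'       # assumed resource group
$VaultName     = 'kv-codesigning-demo'  # assumed vault name (must be globally unique)
$Location      = 'australiaeast'        # assumed region
$CertName      = 'verokey-codesigning'  # assumed certificate name inside the vault
$CsrPath       = Join-Path $PWD "$CertName.csr.pem"

# Step 3: only the Premium SKU can hold HSM-backed keys; reuse the vault if it exists.
if (-not (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location -Sku Premium | Out-Null
}

# Step 4: the policy mirrors the portal settings.
#   IssuerName 'Unknown'   = "Certificate issued by a non-integrated CA"
#   KeyType RSA-HSM / 4096 = HSM-protected key of the size the CA requires
#   -KeyNotExportable      = "Exportable Private Key: No"
#   Ekus 1.3.6.1.5.5.7.3.3 = id-kp-codeSigning (the only EKU a signing cert needs)
# The subject is mandatory for Key Vault but the CA replaces it with validated details.
$policy = New-AzKeyVaultCertificatePolicy `
    -IssuerName 'Unknown' `
    -SubjectName 'CN=Code Signing' `
    -KeyType 'RSA-HSM' `
    -KeySize 4096 `
    -KeyNotExportable `
    -KeyUsage DigitalSignature `
    -Ekus '1.3.6.1.5.5.7.3.3' `
    -ValidityInMonths 36

# With a non-integrated issuer the key pair is generated inside the HSM and a
# pending certificate operation is left behind carrying the CSR.
$op = Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy

# The CSR comes back as bare base64. Wrap it in PEM armour (64-column lines) so
# the file matches what the portal's Download CSR button produces and can be
# pasted straight into the SSLTrust configuration page.
$b64  = $op.CertificateSigningRequest
$body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
@('-----BEGIN CERTIFICATE REQUEST-----', $body, '-----END CERTIFICATE REQUEST-----') |
    Set-Content -Path $CsrPath -Encoding ascii

Write-Host "CSR written to $CsrPath; paste its contents into the configuration page."
```

Unlike the portal's default advanced policy, which pre-fills the server and client authentication EKUs, the policy above lists only the code-signing EKU; the CA decides the final extensions anyway, so either form works for ordering.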

Step 4 (continued). Complete the Configuration with Organisation and Contact Details

After you paste in your new CSR and click NEXT, you will be asked to enter your organisation details. Ensure these are all correct and that the address and phone number can be easily found online. The validation team checks online business directories such as DUNS, Google Business and Yellow Pages to confirm the details, and makes a verification phone call to the number they find there.

Form to enter organisation details

Lastly, you will need to enter your organisation's contact details. These are the individuals who approve the order and confirm that a Code Signing Certificate has been ordered on behalf of the organisation.

Form to enter organisation contact details

Make sure the Technical contact email address is one you can access: that contact is emailed an agreement to sign, confirming that the HSM holding the key is secure and compliant.

Once all details are entered, submit your configuration. You will then be taken to the validation manager, which can provide you with status updates while your organisation is being verified by the validation team. Access to the validation manager is via your SSLTrust account product/service management page.

Configuration Success Page

Organisation Verification

The organisation details and contacts will need to be verified by the DigiCert validation team. This can take 1-5 business days, depending on how well-listed your organisation is online. Keep an eye out for emails from them and for the verification phone call. If you don't hear from them within 2 business days, please reach out to our support team, and we will check on the status and provide you with updates.

You will also receive a final order approval email to approve the order when it is ready to be issued.

Step 5. Approve Order and HSM Agreement

You will receive an email to approve the order once your organisation's validation is complete. It looks similar to this:

Email to approve code signing certificate order

Click the link in the email and follow the instructions to approve the order. The technical contact will also receive an email to sign an HSM agreement. The email will be similar to this:

Email to sign agreement for HSM

Click the link and follow the instructions to sign the agreement, which says the HSM you are using is secure and follows all the requirements, which Azure Key Vault does.

Your Certificate will now be issued.

Step 6. Collect and Import your new Code Signing Certificate to Key Vault

Now that your Certificate has been issued, log in to your SSLTrust account panel and view your Code Signing Service again. This time it will show as issued, with a button to Collect the Certificate. Click the button.

Collect Code Signing Certificate button

On the Certificate collection page, you will see your new Code Signing Certificate and the intermediate Certificates.

From the Download Certificate drop-down menu, select option: A single .pem file containing all the certs except the root

And download the file.

Collection page to download new certificate

Return to the Azure Portal and open the Certificate you created earlier (the one with the pending CSR). Click the Merge Signed Request button and select the .pem file you just downloaded.

Azure portal to merge certificate request

Your new Code Signing Certificate has been successfully imported into Microsoft Azure Key Vault and is ready to be used to sign your code and applications.

import success message
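Step 6 can also be done from PowerShell, and doing so makes it easy to verify that the merged certificate really is what the order asked for. The script below is an added example for this article, not SSLTrust's or Microsoft's code; it assumes the Az.KeyVault module, an authenticated session, the vault and certificate names used in Step 3 and Step 4, and that the "all certs except the root" .pem file from the collection page sits in the current directory.

```powershell
# Added example: merge the CA-issued chain into the pending Key Vault request,
# then check EKU, key type and exportability before using the vault for signing.
$VaultName = 'kv-codesigning-demo'                      # assumed vault name (Step 3)
$CertName  = 'verokey-codesigning'                      # assumed certificate name (Step 4)
$PemPath   = Join-Path $PWD 'verokey-codesigning.pem'   # assumed path of the downloaded .pem

# A certificate file with no private key is merged into the pending operation
# created when the CSR was generated; the HSM key itself never moves.
$cert = Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -FilePath $PemPath

# Check 1: the issued leaf carries id-kp-codeSigning (1.3.6.1.5.5.7.3.3).
$x509 = $cert.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2
$eku  = $x509.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
    throw "Issued certificate $($x509.Thumbprint) lacks the code-signing EKU"
}

# Check 2: the policy still says non-exportable, HSM-backed key. If someone
# edited the policy to RSA/EC or Exportable=Yes before issuance, stop here.
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertName
if ($policy.Exportable -or $policy.Kty -notin @('RSA-HSM', 'EC-HSM')) {
    throw "Key for $CertName is not a non-exportable HSM key (Kty=$($policy.Kty), Exportable=$($policy.Exportable))"
}

# Check 3: the pending operation has actually completed.
$op = Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $CertName
if ($op.Status -ne 'completed') {
    throw "Certificate operation for $CertName is still '$($op.Status)'"
}

# Check 4: the leaf's subject is the CA-validated organisation, not the CSR placeholder.
Write-Host "Subject : $($x509.Subject)"
Write-Host "Expires : $($x509.NotAfter)"
Write-Host "Key ID  : $($cert.KeyId)"     # this URI is what the signing tool targets
Write-Host "Code signing certificate $($x509.Thumbprint) is merged and ready."
```

The subject printed at the end should name your organisation as validated by DigiCert, not the CN you typed into the Key Vault form; if it does, the merge picked up the right certificate. The Key ID line is the vault key that signing tools call into, so the private key remains inside the HSM for every signature.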

You can check out our other guides on how to use the Certificate in Azure Key Vault to sign your code, files and applications via Azure SignTool here.


Written by
Paul Baka

