Generate a Certificate Signing Request in Azure Key Vault

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Copy article link
Effective since June 1, 2023, SSL.com has updated its key storage protocols for code signing certificates and retired the option to obtain code signing certificates in PFX format. This was enacted to comply with guidelines published by the Certificate Authority/Browser (CA/B) Forum, which requires that the private keys of code signing certificates be secured in encrypted devices (such as tokens), on-site FIPS-compliant hardware security modules (HSMs), or via cloud-based HSM services. 

Among the supported cloud HSM options, Microsoft Azure Key Vault (Premium Tier) stands out as a robust choice for storing private keys and generating Certificate Signing Requests (CSRs).  To utilize Azure Key Vault (Premium Tier), users are required to create a Certificate Signing Request (CSR), which acts as an official submission for SSL.com to issue a code signing certificate. Before a CSR is used to issue a certificate, a Certificate Authority like SSL.com must verify that the private key will be the basis for the encryption used in the request and was created and safely stored on a certified device meeting FIPS 140-2 Level 2 (or above) standards, with protection against key export.  This verification is performed through an attestation process, which can be conducted either by a qualified security officer designated by the registrant or through an attestation service provided by SSL.com. The following sections provide instructions on how customers can generate a CSR and undergo the ceremony service conducted by SSL.com’s expert team.

Prerequisites

  1.  An Azure Key Vault (Premium Tier). The Azure Key Vault service tier that should be used for this process is Premium because it is FIPS 140-2 Level 3 validated.
    1. For instructions on how to create an Azure Key Vault, please refer to the next section: Create an Azure Key Vault.
    2. If you already have an existing Azure Key Vault, please proceed to the other section: Generate a Certificate Signing Request in Azure Key Vault.
  2. A signing certificate order from SSL.com. 
For a complete list of cloud HSMs that SSL.com supports for code signing, please refer to this article: Supported Cloud HSMs for Document Signing and Code Signing.

Create an Azure Key Vault

  1. Sign into the Azure portal.

  2. Click Create a resource.
  3. Scroll to Key Vault and click the Create link.

  4. Under the Basics section, perform the following.
    1. Select the subscription and resource group. If needed, you can create a new resource group by clicking Create new.
    2. Assign a name and region. Provide a name for your Key Vault and choose a region.
    3. Opt for the Premium pricing tier. To comply with the FIPS 140-2 standard, select the “Premium” pricing tier.
    4. Configure recovery options. Set the recovery options for your Key Vault, including purge protection and the retention period for deleted vaults.
    5. Click the Next button to proceed to the Access Configuration Settings section.

  5. Click Access configuration. Set the access policies for your Key Vault.
  6. Click Networking. Choose a connectivity method for your Key Vault.
  7. Click Tags. If desired, create tags for your Key Vault.

  8. Continue to Review + create. Review your settings, then click the Create button to create your new Key Vault.

  9. Azure will then create your new Key Vault. Once it is ready, you can access it by clicking the Go to resource button.

Generate a Certificate Signing Request in Azure Key Vault

  1. Select your key vault and click Certificates.

  2. Click the Generate/Import button to open the Create a certificate window.

  3. Accomplish the following fields:
    1. Method of Certificate Creation: Select “Generate.”
    2. Certificate Name: Enter a unique name for your certificate.
    3. Type of Certificate Authority (CA): Choose “Certificate issued by a non-integrated CA.”
    4. Subject: Provide the X.509 Distinguished Name for your certificate.
    5. Validity Period: You can leave this set to the default of 12 months. For code signing certificates with longer validity periods, the issued certificate will match your order, not the CSR.
    6. Content Type: Select “PEM.”
    7. Lifetime Action Type: Configure Azure to send email alerts based on a certain percentage of the certificate’s lifetime or a specific number of days before expiration.
  4. Advanced Policy Configuration. Click Advanced Policy Configuration to set the key size, type, and policies for key reuse and exportability.
    1. For certificates issued by SSL.com, you can leave Extended Key Usages (EKUs), X.509 Key Usage Flags, and Enable Certificate Transparency at their default values.
    2. Reuse Key on Renewal? Select No.
    3. Exportable Private Key? Select No.
    4. Key Type. Select RSA+HSM
    5. Key Size. For a code signing certificate, you can only choose between 3072 or 4096.

  5.  When you are finished setting the Advanced Policy Configuration, click the OK button, followed by Create.

  6. On the Certificates section, locate your certificate in the list of in progress, failed or canceled certificates and click it.
  7. Click Certificate Operation.

  8. Click Download CSR and save the file in a secure location.

Submit the CSR to SSL.com and Undergo Attestation

Once you’ve generated your key pair and Certificate Signing Request (CSR), the next essential step is attestation. Before SSL.com can issue a code signing certificate, we must verify that your private key was generated and is securely stored on a FIPS 140-2 Level 2 (or higher) certified device with non-exportable key protection.  For customers using Azure Key Vault Premium Tier, there are two attestation options:

SSL.com as Auditor
 You may opt to have SSL.com act as the auditor for a fee. For further information, please contact SSL.com’s sales team via sales@ssl.com   

Bring Your Own Auditor (BYOA)
Customers may select a qualified auditor to confirm the private keys were generated and stored on a compliant Hardware Security Module (HSM). This method is referred to as Bring Your Own Auditor (BYOA).

Was this article helpful?

Yes
No
Thanks for your feedback!

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read our Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details
Powered by  GDPR Cookie Compliance