Generate a Certificate Signing Request in Azure Key Vault

Effective June 1, 2023, has updated its key storage protocols for code signing certificates to comply with new guidelines issued by the Certificate Authority/Browser (CA/B) Forum. Now, private keys must be secured in encrypted USB tokens, on-site FIPS-compliant hardware security modules (HSM), or via cloud-based HSM services. Among the supported cloud HSM options, Microsoft Azure Key Vault (Premium Tier) stands out as a robust choice for storing private keys and generating Certificate Signing Requests (CSRs). 

When applying for a signing certificate with, the process includes generating a Certificate Signing Request (CSR) which serves as a formal request for to validate and bind your identity to a signing certificate. The following sections demonstrate how to generate a CSR in Azure Key Vault (Premium Tier).


  1.  An Azure Key Vault (Premium Tier). The Azure Key Vault service tier that should be used for this process is Premium because it is FIPS 140-2 Level 3 validated.
    1. For instructions on how to create an Azure Key Vault, please refer to the next section: Create an Azure Key Vault.
    2. If you already have an existing Azure Key Vault, please proceed to the other section: Generate a Certificate Signing Request in Azure Key Vault.
  2. A signing certificate order from 
For a complete list of cloud HSMs that supports for code signing, please refer to this article: Supported Cloud HSMs for Document Signing and Code Signing.

Create an Azure Key Vault

  1. Sign into the Azure portal.

  2. Click Create a resource.
  3. Scroll to Key Vault and click the Create link.

  4. Under the Basics section, perform the following.
    1. Select the subscription and resource group. If needed, you can create a new resource group by clicking Create new.
    2. Assign a name and region. Provide a name for your Key Vault and choose a region.
    3. Opt for the Premium pricing tier. To comply with the FIPS 140-2 standard, select the “Premium” pricing tier.
    4. Configure recovery options. Set the recovery options for your Key Vault, including purge protection and the retention period for deleted vaults.
    5. Click the Next button to proceed to the Access Configuration Settings section.

  5. Click Access configuration. Set the access policies for your Key Vault.
  6. Click Networking. Choose a connectivity method for your Key Vault.
  7. Click Tags. If desired, create tags for your Key Vault.

  8. Continue to Review + create. Review your settings, then click the Create button to create your new Key Vault.

  9. Azure will then create your new Key Vault. Once it is ready, you can access it by clicking the Go to resource button.

Generate a Certificate Signing Request in Azure Key Vault

  1. Select your key vault and click Certificates.

  2. Click the Generate/Import button to open the Create a certificate window.

  3. Accomplish the following fields:
    1. Method of Certificate Creation: Select “Generate.”
    2. Certificate Name: Enter a unique name for your certificate.
    3. Type of Certificate Authority (CA): Choose “Certificate issued by a non-integrated CA.”
    4. Subject: Provide the X.509 Distinguished Name for your certificate.
    5. Validity Period: You can leave this set to the default of 12 months. For code signing certificates with longer validity periods, the issued certificate will match your order, not the CSR.
    6. Content Type: Select “PEM.”
    7. Lifetime Action Type: Configure Azure to send email alerts based on a certain percentage of the certificate’s lifetime or a specific number of days before expiration.
  4. Advanced Policy Configuration. Click Advanced Policy Configuration to set the key size, type, and policies for key reuse and exportability.
    1. For certificates issued by, you can leave Extended Key Usages (EKUs), X.509 Key Usage Flags, and Enable Certificate Transparency at their default values.
    2. Reuse Key on Renewal? Select No.
    3. Exportable Private Key? Select No.
    4. Key Type. Select RSA+HSM
    5. Key Size. For a code signing certificate, you can only choose between 3072 or 4096.

  5.  When you are finished setting the Advanced Policy Configuration, click the OK button, followed by Create.

  6. On the Certificates section, locate your certificate in the list of in progress, failed or canceled certificates and click it.
  7. Click Certificate Operation.

  8. Click Download CSR and save the file in a secure location.

Submit the Certificate Signing Request (CSR) to 

The downloaded CSR file will be submitted to the agent assigned to the subscriber. Along with the CSR file, the subscriber must also submit the Auditor Attestation Form. The template for the form can be downloaded from this article: Bring Your Own Auditor (BYOA) Guide for Private Key Generation Attestation. After this, the process will proceed to verification of the documents submitted. The agent assigned to the subscriber will provide updates up until the signing certificate is ready for issuance.

Subscribe To’s Newsletter

Don’t miss new articles and updates from

Stay Informed and Secure is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.