Generate a CSR and Install a Certificate in Microsoft Azure Key Vault

Announcement: Starting June 1, 2023,’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be generated as downloadable PFX files. Since the new requirements only allow the use of encrypted USB tokens or cloud-based FIPS compliant hardware appliances to store the certificate and private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced. Click this link to learn more about eSigner.

Time needed: 1 hour

These instructions will show you how to generate a certificate signing request (CSR) and install a certificate from in Microsoft Azure Key Vault. You will need to create a Key Vault in your Azure account before using this how-to.

  1. Select Key Vault.

    Sign into the Azure portal and select the key vault where you wish to install your certificate.
    Select key vault

  2. Open certificate settings.

    Select Certificates in the right-hand Settings menu.
    Certificates link

  3. Begin CSR generation.

    Click the Generate/Import button to open the Create a certificate window.

  4. Enter certificate details.

    Enter or select the following details in the Create a certificate form fields:

    • Method of Certificate Creation: select Generate
    • Certificate Name: Enter a unique name for your certificate
    • Type of Certificate Authority (CA): Select Certificate issued by a non-integrated CA
    • Subject: Enter the X.500 Distinguished Name for your certificate. For an SSL/TLS certificate this would be something like For OV code signing, you can enter something like CN=Firstname Lastname,OU=Operations,O=Company Name,C=US. For individual validation, you can enter your name as the common name, e.g. CN=Firstname Lastname.
    • DNS Names: Add any additional domain names that should be added to an SSL/TLS certificate (e.g., etc.).
    • Validity Period: You can leave this at the default setting of 12 months. For code signing certificates with longer validity periods, your issued certificate will be based on your order, not the CSR.
    • Content Type: select PEM
    • Lifetime Action Type: Here you can configure Azure to send email alerts at a certain percentage of certificate lifetime or days before expiry.

    enter certificate details

  5. Advanced Policy Configuration

    Click Advanced Policy Configuration to set the key size, type, and policies for key reuse and exportability. If you want to generate an HSM-protected key, set Exportable Private Key to No and choose RSA-HSM or EC-HSM. For certificates issued by, you can leave Extended Key Usages (EKUs) and X.509 Key Usage Flags and Enable Certificate Transparency at their default values, and Certificate Type blank. When you are finished setting the Advanced Policy Configuration, click the OK button.
    Advanced Policy Configuration

  6. Generate CSR.

    Click the Create button to generate your new key pair and CSR.
    Click create button

  7. Select certificate.

    Locate your certificate in the list of in progress, failed or cancelled certificates and click it.

    Select certificate

  8. Click Certificate Operation.

    Click the Certificate Operation button.
    Certificate Operation

  9. Download CSR.

    Click the Download CSR button and download your CSR file.
    Download CSR

  10. Open CSR.

    Open your CSR in a text editor so you can copy and paste it when ordering.
    CSR in text file

  11. Order and retrieve certificate.

    Order a certificate from (or reprocess an existing order). When ordering or generating your certificate, use the CSR you downloaded from Azure.
    Paste CSR into form

  12. Select certificate in Key Vault.

    Return to Key Vault and select your certificate’s name in the Certificates settings.
    Select certificate

  13. Click Certificate Operation.

    Click the Certificate Operation button.
    Certificate Operation

  14. Merge Signed Request.

    Click the Merge Signed Request button and navigate to the certificate you downloaded from
    Merge Signed Request

  15. Certificate merged.

    You should see notifications that your certificate request has been successfully merged.

    certificate request successfully merged

  16. Finished!

    Your signed certificate is now installed in Key Vault and ready to use.
    Certificate installed

Next Steps

For more info on installing your certificate, read here. For help binding your certificate, read here.

Subscribe To’s Newsletter

Don’t miss new articles and updates from

Stay Informed and Secure is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.