Azure Key Vault Code Signing Certificates

What Is an Azure Key Vault Code Signing Certificate?

A code signing certificate for Azure Key Vault is a traditional X.509 digital file that enables you to attach a visual mark (i.e., a digital signature that represents your digital identity) to your apps and other code. The difference is that instead of being stored on a secure USB token, it’s stored in Azure Key Vault.

As with any code signing certificate, an Azure Key Vault certificate uses public key cryptography to create and verify the authenticity and integrity of your signature. This way, software users and their devices know that they can trust your software products.

Does Anything Differentiate It From Other Code Signing Certificates?

The only real difference is that Azure Key Vault code signing certificates are compatible with Azure Key Vault’s key generation processes. (Remember: AKV doesn’t support key attestation.)  In order for certificates to be stored in AKV, the certificates’ respective private keys must be generated in the vault. They can’t be generated elsewhere and then imported due to the industry’s code signing baseline security requirements.

Otherwise, an Azure Key Vault code signing certificate is just a fancy way of saying that it’s a certificate that has its private key generated and stored in Azure Key Vault. It works identically, as it’s virtually the same as other similarly named code signing certificates — e.g., a “Java code signing certificate” or a “Visual Studio code signing certificate.”

What Platforms Azure Key Vault Code Signing Certificate Works With

Okay, let’s say you’ve set up your Azure Key Vault. Now, it’s time to decide which platforms, apps, and services can connect to your secure keystore. This will require the granting of access privileges for your vault to any third-party systems.

• Azure Command Line Interface (Azure CLI): You can use this command line tool to manage and access your key vault resources.
• Azure SignTool: This open-source tool is a modified version of SignTool that’s geared specifically for working directly with Azure Key Vault (rather than using a certificate and key stored on your local machine).
• Unified Key Orchestrator: You can connect your Azure Key Vault keystore to Unified Key Orchestrator’s API.
• Visual Studio: You can set Azure Key Vault as a supported Connected Services in Visual Studio.
• Visual Studio Code: This open-source editor allows you to manage your keys and certificates using an AKV extension.

How to Get Started Using Azure Key Vault to Sign Your Codes

Let’s say you’ve decided to pull the trigger on getting an Azure Key Vault code signing certificate and are ready for action. There are some steps you’ll need to complete before you can jump into signing your software projects.

1. Register a Microsoft Azure account. Already have one? Then you’re set and can skip this step.
2. Create an Azure Key Vault. It’s a straightforward process, but we have a resource linked in the table a little further down the page to walk you through it.
3. Purchase your certificate publicly trusted signing certificate. Take a look at our Azure Key Vault code signing certificate offerings and find the one that will best suit your needs and budget,
4. Generate a certificate signing request (CSR). This is a straightforward process — just submit a form inside your Azure Key Vault (see our article below with instructions).
5. Generate and validate your new publicly trusted signing certificate. The CA’s validation process involves its validation agents doing their due diligence to ensure your identity is legitimate before issuing the certificate.
6. Retrieve the certificate from your email. Once the validation process is complete, the CA will email your certificate to you. You’ll need this small digital file for the next step.
7. Merge key with the certificate. Because your key is locked up tight in your key vault, you’ll need to merge the certificate with the key in Microsoft Azure.
8. Set up authorizations to use the certificate that’s stored in Azure Key Vault. You must assign an app or service permissions to use your Azure Key Vault code signing certificate and private key. There are several mechanisms of authorization that can be used to achieve this essential task. (NOTE: Assigning permissions doesn’t allow the service to access the key in AKV directly; it can just use the key for authorized cryptographic operations.)
9. Set up authentication permissions and a client secret. (NOTE: Write down your chosen password and store it in a secure location, as you won’t be able to access it later.)

What if you want to configure Azure Key Vault access for signing in Visual Studio? You can add a service dependency in Visual Studio’s Solutions Explorer window. Choose Add > Connected Service, select the + icon under Service Dependencies, and complete the requested info in the follow the prompts:

Image caption: A screenshot from within Visual Studio that shows how to select Azure Key Vault.

Once these steps are complete, you can start signing your software apps, scripts, and other types of code!

Want to read more about Azure Key Vault code signing? We’ve got you covered…