We use Advanced Installer and at the moment we sign the .exe and installer package with a Standard Code Sign Certificate for token using a SafeNet USB token. We want to move to the cloud and use Azure Key Vault there. Azure Key Vault needs an HSM certificate and we need to buy a new one. Is it possible to switch from token to HSM and will the old deployed Windows Services signed with the token certificate accept new update packages signed with the new HSM certificate?
As far as I understand it, the private key is stored on the USB token and we can't get it, so the HSM will use a new private key?
We use GlobalSign certificates.
There should be no problem if you switch to a new certificate.
The only case you should be aware of is if you use the "Install only digitally signed update packages signed with the same certificate as the Updater" option from the Updater view of your setup project. Check this article.
When you use the Updater feature with this option enabled you should make sure that the new certificate has exactly the same subject as your old one.
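A pre-release check for the subject requirement mentioned in the answer above, as an added example that is not part of the original thread and not Advanced Installer's own code. It assumes that comparing the full subject string of the two signer certificates is a sufficient test (the thread does not say how the Updater compares them); the function name is hypothetical.

```powershell
# Added example: compare the Authenticode signer of a package signed with the
# old token certificate against one signed with the new HSM certificate.
# Compare-SignerSubject is a hypothetical helper name, not a built-in cmdlet.
function Compare-SignerSubject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OldFile,  # signed with the token certificate
        [Parameter(Mandatory)] [string] $NewFile   # signed with the HSM certificate
    )

    $signers = foreach ($path in $OldFile, $NewFile) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($null -eq $sig.SignerCertificate) {
            throw "No Authenticode signature found on '$path'."
        }
        if ($sig.Status -ne 'Valid') {
            # Expired, untrusted or tampered signatures are reported, not ignored.
            Write-Warning "'$path' has signature status '$($sig.Status)': $($sig.StatusMessage)"
        }
        [pscustomobject]@{
            Status     = $sig.Status
            Subject    = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    }

    $old, $new = $signers
    [pscustomobject]@{
        # Assumption: an exact, case-sensitive match of the full subject string.
        SubjectMatches  = $old.Subject -ceq $new.Subject
        # A new key pair on the HSM means a new certificate, so the thumbprints
        # are expected to differ even when the subject is identical.
        SameCertificate = $old.Thumbprint -eq $new.Thumbprint
        BothValid       = ($old.Status -eq 'Valid') -and ($new.Status -eq 'Valid')
        OldSubject      = $old.Subject
        NewSubject      = $new.Subject
    }
}
```

Run it against one installer from the currently deployed release and one test build signed through the HSM; `SubjectMatches` should be true before the new certificate is used for update packages.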