Tags: azure-keyvault, code-signing-certificate

Is there any way to get a Code Signing certificate into Azure Key Vault given the new FIPS requirement for storing the private key?


We ordered a new code signing certificate and got the private key on a USB-based "hardware token". This is compatible with the new code signing certificate rules, but it limits access to one physical PC. We do want the certificate to be in Azure Key Vault, usable from our build agents (using azuresigntool).

Our vendor said that they will in the future allow downloading the private key to FIPS devices, but not yet.

Are there any providers out there that issue code signing certificates that we can install into Azure Key Vault, given the new FIPS requirements for code signing certificates? (PFX files are no longer allowed for code signing certificates.)

I need a provider and hopefully a step by step way of getting the certificate into Azure Key Vault.


Solution

  • digicert.com and globalsign.com both in theory offer this. DigiCert was faster to get past validation for me so I ended up going with them.

    The instructions that DigiCert gave me over chat to get the certificate ordered are below. After the validation process is completed, it will give you the option to download the certificate, which you will have to merge back into the Azure Key Vault request to finish the process.

    DigiCert + Azure Key Vault as HSM Instructions

    On the Azure Side

    1. To set up the Azure Key Vault please log in to your Azure Portal and click on the “Create a resource” button. Search for “Key Vault” and press create to get your vault up and running:

    2. Please select the settings that fit your use case and create your Key Vault. Note: In order to be compliant with the FIPS 140-2 standard, you should select the “Premium” pricing tier. If you do not choose “Premium”, there’s a risk that your certificate will be revoked.

    3. When your vault has been created, please select “Certificates” in the action bar to the left. Then click “Generate/Import” to start creating your Code Signing CSR:

    4. Fill out your certificate name and subject name. The subject name should be your company name.

    5. Set the Type of Certificate Authority to non-integrated CA and then select Advanced Policy Configuration:

    6. In the Extended Key Usages (EKUs) field please add the following: 1.3.6.1.5.5.7.3.3. This EKU identifies the certificate as a Code Signing certificate. You should also set “Exportable Private Key” to No and the “Key Type” to RSA-HSM. Note: all Code Signing certificates from DigiCert are required to be issued with a minimum 3072-bit key size.

    7. When you have configured the policy, click “Okay” and then “Create”. The certificate will then appear as an “In progress” certificate under the Certificates tab:

    8. Click on your certificate in progress. Choose “Certificate Operation” and then click “Download CSR”:

    9. Save the CSR file in a safe location of your choosing.

    Ordering the EV Code Signing certificate from your CertCentral dashboard

    For this, we have created the following document to guide you on what is required for the successful enrollment of an EV Code Signing certificate. The document is named “Order an EV Code Signing certificate” and can be viewed at the following link: https://docs.digicert.com/manage-certificates/code-signing-certificate/order-ev-code-signing-certificate/ Note: You have to select the provisioning option “Install on HSM” during the enrollment process to get a certificate that will work; otherwise we will ship you a preconfigured hardware token that will not work with your Azure setup.
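The Azure-side steps 1 through 9 above, plus the final "merge back" step, as an added Azure CLI example (not code from the post, from DigiCert or from Microsoft). The resource group, vault name, region, certificate name and subject are placeholders; the policy JSON mirrors the portal settings the answer lists (non-integrated CA, RSA-HSM, non-exportable, 3072 bits, EKU 1.3.6.1.5.5.7.3.3). The `check_policy` function is a pre-flight check added here so a policy that would produce a key the CA cannot certify is caught before the vault operation is created; it assumes the policy file uses the `az keyvault certificate get-default-policy` layout.

```shell
#!/bin/sh
# Added example (not from the post or from DigiCert): the Azure-side steps
# above as Azure CLI commands, plus a pre-flight check on the policy.
# Resource group, vault name, region, cert name and subject are placeholders.
set -eu

# Emit the Key Vault certificate policy the answer describes: a
# non-integrated CA ("Unknown" issuer, so Key Vault hands back a CSR),
# a non-exportable RSA-HSM key of 3072 bits, and the Code Signing EKU.
make_policy_json() {
  subject="$1"   # e.g. "CN=Example Corp, O=Example Corp, C=US"
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": {
    "exportable": false,
    "keySize": 3072,
    "keyType": "RSA-HSM",
    "reuseKey": false
  },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "$subject",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "validityInMonths": 12
  }
}
EOF
}

# Pre-flight check: returns 0 only when a policy file carries every setting
# the answer says matters (HSM-backed key, non-exportable, >= 3072 bits,
# Code Signing EKU, non-integrated issuer). A policy failing this check would
# yield a key the CA will not certify, or a certificate they may later revoke.
check_policy() {
  f="$1"
  grep -q '"keyType": *"RSA-HSM"' "$f"      || { echo "keyType must be RSA-HSM" >&2; return 1; }
  grep -q '"exportable": *false' "$f"       || { echo "private key must be non-exportable" >&2; return 1; }
  grep -q '"name": *"Unknown"' "$f"         || { echo "issuer must be Unknown (non-integrated CA)" >&2; return 1; }
  grep -q '1\.3\.6\.1\.5\.5\.7\.3\.3' "$f"  || { echo "missing Code Signing EKU 1.3.6.1.5.5.7.3.3" >&2; return 1; }
  size=$(sed -n 's/.*"keySize": *\([0-9][0-9]*\).*/\1/p' "$f")
  [ "${size:-0}" -ge 3072 ]                 || { echo "keySize must be at least 3072" >&2; return 1; }
}

# Steps 1-9 with the CLI. Requires a prior "az login"; nothing here runs
# unless you call it. Writes the PEM CSR to <cert-name>.csr for the CA's order form.
provision_csr() {
  rg="$1"; vault="$2"; location="$3"; cert="$4"; subject="$5"
  policy_file=$(mktemp)
  make_policy_json "$subject" > "$policy_file"
  check_policy "$policy_file"
  # Step 2: the Premium SKU is the tier that backs RSA-HSM keys with FIPS 140-2 validated HSMs.
  az keyvault create --resource-group "$rg" --name "$vault" --location "$location" --sku premium
  # Steps 3-7: Key Vault generates the key inside the HSM and opens a pending certificate operation.
  az keyvault certificate create --vault-name "$vault" --name "$cert" --policy @"$policy_file"
  # Steps 8-9: the pending operation exposes the CSR (assumed here to be base64 of the DER
  # request); wrap it as PEM. Verify with: openssl req -in "$cert.csr" -noout -text
  {
    echo "-----BEGIN CERTIFICATE REQUEST-----"
    az keyvault certificate pending show --vault-name "$vault" --name "$cert" --query csr -o tsv | fold -w 64
    echo "-----END CERTIFICATE REQUEST-----"
  } > "$cert.csr"
  rm -f "$policy_file"
  echo "CSR written to $cert.csr; order with the 'Install on HSM' option, then run merge_issued_cert"
}

# After the CA issues the certificate, merge it back into the pending request
# to complete it (the answer's "merge back" step). The private key never leaves the HSM.
merge_issued_cert() {
  vault="$1"; cert="$2"; issued_file="$3"   # issued_file: the .cer/.p7b the CA returned
  az keyvault certificate pending merge --vault-name "$vault" --name "$cert" --file "$issued_file"
}

# Uncomment and fill in to run the Azure-side flow:
# provision_csr my-rg my-codesign-kv westeurope codesign-cert "CN=Example Corp, O=Example Corp, C=US"
```

Once the merge completes, `az keyvault certificate show` reports the certificate as enabled, and the build agent's identity only needs the `sign` key permission (or the equivalent RBAC role) on the vault, which is what azuresigntool uses; no export permission is required or possible with an RSA-HSM non-exportable key.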