I need to save my pfx certificates in an HSM

Question

I was investigating that Azure Key Vault uses HSM.
Add the following line to import my pfx certificate
await keyVaultClient.ImportCertificateAsync(azureKeyVaultsUri, namePFX, base64EncodedCertificate, Password);
my question is already imported with this already saved in an HSM?

Answer 1

@Ismael Ruvalcaba
Your secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The Azure Key Vault may be either software- or hardware-HSM protected and uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.

You can securely transfer a key from your on-premises HSM outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is generally referred to as Bring Your Own Key (BYOK).

Additional Links:
About Azure Key Vault certificates
Supported HSMs
Azure Dedicated HSM

Answer 2

I already do the saving "Certificate Management" I don't know if this is saved by software or by HSM.
The other problem I have is that they ask me to comply FIPS 140-2 Level 3.

Thank you very much for answering James

Answer 3

@IsmaelRuvalcaba-8837
Based off our documentation, the Azure Key Vault may be either software or hardware-HSM protected. From my understanding, If you're generating certificates, keys, etc., within an on-prem HSM, you have the option of bringing it into Azure (BYOK) without having it never leave the HSM boundary (hardware-HSM protected). If you're solely generating new certificates, secrets, or keys through the the Azure Portal, this would be software HSM protected.

If you have a requirement to comply with FIPS 140-2 Level 3, we do have an Azure Dedicated HSM feature.

Hopefully this helps!

Additional Link:
FIPS 140-2