Setting up Trust Signing in Dev/Test subscription

Question

Setting up Trust Signing in Dev/Test subscription

Thai K. Nguyen 0

We would like to test this new service. We have used the private identity type successfully, but am unable to validate the public identify in our Dev/Test subscription.

We probably would request guidance on how an enterprise can manage multiple Trust Signing accounts (e.g. perhaps for different departments), as well as different public certs for perhaps testing purposes.

Do we have 1 public identity across all of our subscriptions/signing accounts, but have each cert scoped appropriately? For example, these could be different public certs?

products.tungstenautomation.com
tungstenautomation.com
ps.tungstenautomation.com
test.tungstenautomation.com

If possible, can we get advice on how this is managed for large enterprises?

Thx

Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-12-11T06:51:18.2266667+00:00

Hello @Thai K. Nguyen,

Thank you for posting your query on Microsoft Q&A.

I am reviewing this and will provide further input shortly.

2 answers

Your answer

Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-12-11T06:51:18.2266667+00:00

Hello @Thai K. Nguyen,

Thank you for posting your query on Microsoft Q&A.

I am reviewing this and will provide further input shortly.

Answer 1

Givary-MSFT 35,621 Microsoft Employee Moderator

@Thai K. Nguyen Thank you for reaching out to us, from what I understand, you are having trouble validating the public identity in your Dev/Test subscription and would like guidance on how to manage multiple Trust Signing accounts and public certificates for different departments.

To answer your first question, it is possible to have one public identity across all of your subscriptions and signing accounts, but with each certificate scoped appropriately. This means that you can have different public certificates for testing purposes, but they would still be associated with the same public identity.

As for managing multiple Trust Signing accounts for different departments, it is recommended to have a centralized team or group responsible for managing the accounts and certificates. This team can then delegate access to the appropriate departments as needed.

For large enterprises, it is important to have a clear and organized system for managing Trust Signing accounts and certificates. This can include having a naming convention for the accounts and certificates, as well as keeping track of who has access to each account and certificate.

Review Certificate profiles section in this doc for type of profiles subscriber can associate with.

Let me know if this information helps regarding your ask, if not will reach out to our product group for more clarity on the same.

Thai K. Nguyen 0 Reputation points

2024-12-12T04:16:21.51+00:00

Thank you for the details. I will research further but also had another related question. It seems like other Vendors (e.g. Digicert) has concept of production certificate and test certificates,and only charge for production signing. Is there such a concept for this with Azure Code Signing? If so, can you provide some information about it, including cost differences, and any other technical details?
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-12T04:32:54.5733333+00:00

@Thai K. Nguyen Thank you for your response. Regarding this query, I'll check with my team to confirm if we have the concept of production and test certificates.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-12T09:46:02.06+00:00

@Thai K. Nguyen Got the following update from my team on the above mentioned ask - For Trusted Signing, we do have Public Trust test certificates besides Public Trust certificates. However, we don't have an option of free signing. There's a set # of signatures available with both the SKUs, before we start charging for each new signature.

Let me know if you have any further questions or feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-13T06:40:20.9033333+00:00

@Thai K. Nguyen Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

Hi @Thai K. Nguyen

Thank you for reaching out. I see you're having problems with validating a public identity. Are you running into this problem during the identity validation process? There is information the vetting team must collect and validate in order to approve your account for a public identity. If you're stuck there, I can look into that for you.

In regard to your question about how an enterprise would manage multiple Trusted Signing accounts, you can make multiple Trusted Signing accounts for the same entity, and they can be within the same subscription or different subscriptions (If they are under different subscription, you will need to do identity validation again).

Within one Trusted Signing account, you can create different certificate profiles. Here is more information on the certificate profile feature. The certificate profile feature allows you to create different certificate types like in your example. Certificate profiles can be associated with the respective identity and are limited to the SKU selected for each account.

Depending on your organizational needs, you can use different certificate profiles, different Trusted Signing accounts, or different Azure subscriptions to manage different use cases across departments.

Please let me know if you need any more information. Thank you.

Best,

Annie

Share via

Setting up Trust Signing in Dev/Test subscription

2 answers

Your answer