CSR generation in AzDo pipeline with private key in keyvault
Hi Team,
I have a requirement to generate a CSR within an Azure DevOps pipeline under a task, and that CSR is to be signed by a private key which is generated in Azure Key Vault keys.
I have used openssl to accomplish this, but it is still considered a security threat as we generate the private key and CSR with openssl as an Azure bash task, and then in an Azure CLI task import the key into Key Vault.
This idea is not fully secure as the private key is generated outside the vault.
We need to generate the private key in the vault, generate a CSR (signed CSR), and then use the CSR to request certificates from our recognised and authorised CA with our API calls.
How can I achieve this, and is there a way to be able to achieve this?
Help would be appreciated as I am struggling to come to a solution that suffices the requirements.
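
The requirement described in the post above, as an added example that is not part of the original post: a Key Vault certificate created with the issuer set to `Unknown` has its key pair generated inside the vault, and the vault returns a CSR signed with that key for submission to an external CA. The vault name, certificate name, subject and file names are placeholders, and the script assumes it runs in an Azure CLI task that is already logged in.

```bash
#!/usr/bin/env bash
# Added example: Key Vault creates the key pair and signs the CSR itself.
# Vault name, certificate name and subject are placeholders (assumptions).
set -eu

# Policy with issuer "Unknown": Key Vault generates the key and a pending
# CSR, then waits for a certificate issued by an external CA.
write_policy() {  # $1 = subject DN
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": { "exportable": false, "keyType": "RSA",
                     "keySize": 3072, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": { "subject": "$1" }
}
EOF
}

# The CLI returns the CSR as bare base64; wrap it as PEM for the CA.
csr_to_pem() {
  echo "-----BEGIN CERTIFICATE REQUEST-----"
  tr -d '\r\n' | fold -w 64
  echo
  echo "-----END CERTIFICATE REQUEST-----"
}

# Prints the PEM CSR on stdout. $1 = vault, $2 = cert name, $3 = subject
request_csr() {
  _policy="$(mktemp)"
  write_policy "$3" > "$_policy"
  az keyvault certificate create --vault-name "$1" --name "$2" \
    --policy "@$_policy" --output none
  rm -f "$_policy"
  az keyvault certificate pending show --vault-name "$1" --name "$2" \
    --query csr --output tsv | csr_to_pem
}

# Completes the pending request with the CA-issued certificate (PEM file).
merge_signed_cert() {  # $1 = vault, $2 = cert name, $3 = cert path
  az keyvault certificate pending merge --vault-name "$1" --name "$2" \
    --file "$3" --output none
}

# Usage inside an Azure CLI task (placeholder names):
#   request_csr my-vault app-tls "CN=app.example.com" > app.csr
#   ... submit app.csr to the CA API, save the response as app.crt ...
#   merge_signed_cert my-vault app-tls app.crt
```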