Generating CSR in Azure HSM

michal 191 Reputation points
2023-06-16T13:01:53.2466667+00:00

Hi all,

I have received a request to generate a CSR as per the requirements below:


In the production environment, a CSR must be generated using a FIPS 140-2 level 2 compliant Hardware Security Module (HSM) such as Azure KV HSM, Amazon CloudHSM, GoogleCloudHSM (this is not an exhaustive list).

To create a valid authentication profile:

Generate your public key and private key pair in PKCS #8 format

In the simulation environment, you can utilise open source tools to store your private key. In the production environment, you must use a physical or virtual HSM solution to store your private key (see HSM requirements above)

Generate your Certificate Signing Request (CSR) in PKCS #10 format which contains your certificate and public key

Save your CSR as a .csr file


Now, I have never been good with certificates and all the stuff around that.... but as we use Azure, I've thought it would be quite straightforward so I decided to explore "Azure KV HSM"

... I have managed to create a KEY in KV HSM but not sure what would be the next step..... The key generated in the vault allows me to download a "public key" in PEM format so I just cannot figure out how to get a CSR that I could then upload to the required web app as per the steps above... so I got stuck at point 3

Spent hours and hours on researching to achieve the required above... but just can't figure it out...

Any help would be great :)


2 answers

  1. michal 191 Reputation points
    2023-06-16T21:19:43.5366667+00:00

    Update:

    ...so as I'm doing more research, looks like I didn't have to create "Azure Key Vault Managed HSMs" and looks like I can use standard Azure KV and generate a key as "RSA-HSM" type... that, as I've found on MS sites, is "FIPS 140-2 Level 2" compliant when using a Premium SKU of KV...

    but again.... How can I generate a CSR if I can download only the public key from the RSA-HSM key? All guides I've found that describe - e.g. openssl to create a CSR - require a private key as a parameter when running a command to generate a CSR.... :/


  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-06-20T00:11:45.79+00:00

    Hi @michal ,

    Thanks for your post!

    When an applicant wants to create a certificate, it creates a keypair (public and private key, mathematically related) and a CSR on the host, where the private key never leaves the host boundaries. When you create the CSR on Azure Key Vault, the private key is created on AKV and never leaves the AKV. It stays there to be merged with the signed request and its original public key. When you download the CSR, you download the CSR + public key to later on be merged with the AKV-stored private key.

    There are two options to create a certificate in AKV. The first option is for non-integrated CAs where you create the CSR in AKV and AKV holds the private key. With this option, you may only merge the same key pair.

    The second option is to completely generate the keypair + CSR + Signed cert out of KV and then, simply use the "Import" option on AKV.

    If you create the CSR and submit it to the CA, it is on the CA to accept or reject it.

    Additional resources:

    Sign a CSR with Azure Key Vault

    Can I create a CSR from Azure Key Vault?

    Introducing Azure Key Vault and Managed HSM Engine: An Open-Source Project

    Let me know if this helped and if you have further questions.

    If the information helped direct you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

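The "create the CSR in AKV" option described in this answer, as an added example driven with the Azure CLI (this is not code from the thread or from Microsoft); the vault name, certificate name, subject and the `signed.cer` file returned by the CA are placeholders to replace. It assumes a Premium SKU vault, since `RSA-HSM` keys are only available there.

```shell
#!/bin/sh
# Added example: HSM-backed CSR flow in Azure Key Vault (placeholders, not real resources).
set -e

VAULT="${VAULT:-my-premium-vault}"       # placeholder: Premium SKU vault name
CERT_NAME="${CERT_NAME:-tls-app-cert}"   # placeholder: certificate object name

# Policy for a non-integrated CA: issuer "Unknown" makes Key Vault generate the key pair
# and a PKCS #10 request, then wait for the signed certificate to be merged back.
# keyType RSA-HSM keeps the private key in the HSM; exportable=false means it never leaves.
write_policy() {
  subject="$1"; out="$2"
  cat > "$out" <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": {
    "exportable": false, "keyType": "RSA-HSM", "keySize": 2048, "reuseKey": false
  },
  "x509CertificateProperties": { "subject": "$subject", "validityInMonths": 12 }
}
EOF
}

# The pending operation exposes the CSR as base64 DER; wrap it as PEM for the .csr file.
csr_to_pem() {
  printf -- '-----BEGIN CERTIFICATE REQUEST-----\n'
  printf '%s' "$1" | fold -w 64
  printf '\n-----END CERTIFICATE REQUEST-----\n'
}

# End-to-end flow; needs a logged-in az CLI with certificate permissions on the vault.
run_flow() {
  write_policy "CN=app.example.com" policy.json
  # 1) Key pair and CSR are generated inside Key Vault; only the public half is readable.
  az keyvault certificate create --vault-name "$VAULT" -n "$CERT_NAME" -p @policy.json >/dev/null
  # 2) Download the pending CSR and save it as the .csr file the relying party asked for.
  csr_b64=$(az keyvault certificate pending show --vault-name "$VAULT" -n "$CERT_NAME" \
            --query csr -o tsv)
  csr_to_pem "$csr_b64" > "$CERT_NAME.csr"
  # 3) Once the CA returns signed.cer (placeholder), merge it onto the HSM-held private key.
  if [ -f signed.cer ]; then
    az keyvault certificate pending merge --vault-name "$VAULT" -n "$CERT_NAME" -f signed.cer
  fi
}

# Set RUN_FLOW=1 to execute against a real vault; the helpers above run offline.
if [ "${RUN_FLOW:-0}" = 1 ]; then run_flow; fi
```

Note that after the merge, `az keyvault certificate download` only ever yields the certificate and public key; the RSA-HSM private key stays non-exportable in the vault, which is what the FIPS 140-2 Level 2 requirement is asking for.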
