Code Signing with Azure KeyVault -You are unauthorized to view these contents.

Question

Code Signing with Azure KeyVault -You are unauthorized to view these contents.

Maria Frederiksen 20

I have an Azure account, I have gone through all the steps for an app to Business Central, and now I need to Code Signing. I have made af KeyVault, but when I want to ad the Certificate, the menu +Generet/Import is gray, and the text say You are unauthorized to view these contents.

I have looked at the AccessControl (IAM), and I am Key Vault Administrator, Owner of Subscription, Rexssource group and This resource (MyApp).

At Access Policies I have Key Permissions, Secret Permissions, and Certificat Permissions.Certificat Permissions is set to All.

david_son12 0 Reputation points

2025-03-05T04:54:17.67+00:00

You need to create a resource, generate CSR, obtain a code signing certificate, and add it to Azure Keyvault! https://signmycode.com/resources/how-to-create-private-keys-csr-and-import-code-signing-certificate-in-azure-keyvault-hsm this will help you!
Maria Frederiksen 20 Reputation points

2025-03-05T09:23:37.4233333+00:00

Yes, and thanks. But it seemed that Key Vault isn't the way to sign a app-file when you can't use pfx.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-03-19T12:26:40.7466667+00:00
Hello Maria Frederiksen

When signing an app file, a common format for certificates is PFX (Personal Information Exchange), which contains both the public and private keys needed for signing. However, if you cannot use a PFX file, you might face some challenges.

Azure Key Vault is a service that helps you manage and protect cryptographic keys and secrets. While it can store and manage certificates, it does not directly support signing app files without a PFX file. This is because Key Vault is designed to work with keys and secrets, not to perform the actual signing process.

https://signmycode.com/resources/how-to-create-private-keys-csr-and-import-code-signing-certificate-in-azure-keyvault-hsm

To sign an app file without using a PFX file, you need to follow these steps:

Create a Resource: Set up the necessary resources in Azure.

Generate a Certificate Signing Request (CSR): This is a request for a certificate authority to issue a certificate.

Obtain a Code Signing Certificate: Acquire the certificate from a trusted certificate authority.

Add the Certificate to Azure Key Vault: Import the obtained certificate into Azure Key Vault.

https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-integrate-certificate-authority

For detailed instructions on how to create private keys, generate a CSR, and import a code signing certificate into Azure Key Vault, please refer to An external link was removed to protect your privacy..

If you have any questions or need further clarification on this topic, please feel free to ask. We are here to help and provide any additional information you may need.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-03-20T09:29:25.9433333+00:00

Hello @Maria Frederiksen,

Following up to see if the above suggestions were helpful and To sign an app file without a PFX, create a CSR and obtain a Code Signing Certificate from a trusted CA. Import the certificate into Azure Key Vault, and then use tools like SignTool to sign the app by downloading the certificate from Key Vault.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-03-20T10:08:09.2833333+00:00

Hello Maria Frederiksen

I wanted to follow up on my recent comment. If you have any questions or need further clarification on this topic, please feel free to ask. I am waiting for your response and would be happy to assist with any concerns you might have. Your feedback is important, so don't hesitate to reach out if anything is unclear or if you need more information. Thank you for your attention to this matter.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-03-21T12:45:47.8666667+00:00

Hello Maria Frederiksen,

Following up to see if the above suggestions were helpful. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise we will try to help.
Maria Frederiksen 20 Reputation points

2025-03-21T13:22:19.55+00:00

Azure wasn't the way to solve this problem. I finally got the permission correct, but Azure only work with .pfx-files.

At the end, I used SignTool and a speciel NAV-file, NAVSIP.dll, wich has to be a speciel version. Then I could use SignTool.

Solution:

Download https://developer.microsoft.com/da-dk/windows/downloads/windows-sdk/ and https://codesigningstore.com/how-to-download-and-install-windows-signtool-exe

Get NAVSIP.dll https://www.nuget.org/packages/Microsoft.Dynamics.BusinessCentral.Sip.Main

Run in PowerShell as administrator : regsvr32 /s c:*\NavSip.dll

Find Thumbprint on certificat

Run in PowerShell as administrator

C:\Program Files (x86)\Windows Kits\10\App Certification Kit> signtool sign /sha1 [your certificate thumbprint] /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n [Your Organization Name as Appears on Certificate] “:\path\to\fileToSign.app”

It take a couple of minuts, but be patience.

Then it works. It have take a lot of hours and a lot of people, who had tried to help. Thanks to all of you.

Accepted answer

0 additional answers

Your answer

david_son12 0 Reputation points

2025-03-05T04:54:17.67+00:00

You need to create a resource, generate CSR, obtain a code signing certificate, and add it to Azure Keyvault! https://signmycode.com/resources/how-to-create-private-keys-csr-and-import-code-signing-certificate-in-azure-keyvault-hsm this will help you!
Maria Frederiksen 20 Reputation points

2025-03-05T09:23:37.4233333+00:00

Yes, and thanks. But it seemed that Key Vault isn't the way to sign a app-file when you can't use pfx.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-03-19T12:26:40.7466667+00:00

Hello Maria Frederiksen

When signing an app file, a common format for certificates is PFX (Personal Information Exchange), which contains both the public and private keys needed for signing. However, if you cannot use a PFX file, you might face some challenges.

Azure Key Vault is a service that helps you manage and protect cryptographic keys and secrets. While it can store and manage certificates, it does not directly support signing app files without a PFX file. This is because Key Vault is designed to work with keys and secrets, not to perform the actual signing process.

https://signmycode.com/resources/how-to-create-private-keys-csr-and-import-code-signing-certificate-in-azure-keyvault-hsm

To sign an app file without using a PFX file, you need to follow these steps:

Create a Resource: Set up the necessary resources in Azure.

Generate a Certificate Signing Request (CSR): This is a request for a certificate authority to issue a certificate.

Obtain a Code Signing Certificate: Acquire the certificate from a trusted certificate authority.

Add the Certificate to Azure Key Vault: Import the obtained certificate into Azure Key Vault.

https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-integrate-certificate-authority

For detailed instructions on how to create private keys, generate a CSR, and import a code signing certificate into Azure Key Vault, please refer to An external link was removed to protect your privacy..

If you have any questions or need further clarification on this topic, please feel free to ask. We are here to help and provide any additional information you may need.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-03-20T09:29:25.9433333+00:00

Hello @Maria Frederiksen,

Following up to see if the above suggestions were helpful and To sign an app file without a PFX, create a CSR and obtain a Code Signing Certificate from a trusted CA. Import the certificate into Azure Key Vault, and then use tools like SignTool to sign the app by downloading the certificate from Key Vault.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-03-20T10:08:09.2833333+00:00

Hello Maria Frederiksen

I wanted to follow up on my recent comment. If you have any questions or need further clarification on this topic, please feel free to ask. I am waiting for your response and would be happy to assist with any concerns you might have. Your feedback is important, so don't hesitate to reach out if anything is unclear or if you need more information. Thank you for your attention to this matter.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-03-21T12:45:47.8666667+00:00

Hello Maria Frederiksen,

Following up to see if the above suggestions were helpful. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise we will try to help.
Maria Frederiksen 20 Reputation points

2025-03-21T13:22:19.55+00:00

Azure wasn't the way to solve this problem. I finally got the permission correct, but Azure only work with .pfx-files.

At the end, I used SignTool and a speciel NAV-file, NAVSIP.dll, wich has to be a speciel version. Then I could use SignTool.

Solution:

Download https://developer.microsoft.com/da-dk/windows/downloads/windows-sdk/ and https://codesigningstore.com/how-to-download-and-install-windows-signtool-exe

Get NAVSIP.dll https://www.nuget.org/packages/Microsoft.Dynamics.BusinessCentral.Sip.Main

Run in PowerShell as administrator : regsvr32 /s c:*\NavSip.dll

Find Thumbprint on certificat

Run in PowerShell as administrator

C:\Program Files (x86)\Windows Kits\10\App Certification Kit> signtool sign /sha1 [your certificate thumbprint] /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n [Your Organization Name as Appears on Certificate] “:\path\to\fileToSign.app”

It take a couple of minuts, but be patience.

Then it works. It have take a lot of hours and a lot of people, who had tried to help. Thanks to all of you.

Answer 1

Hi @Maria Frederiksen,

Thanks for your reply.

Azure only accepts .pfx files for certificates. Use NAVSIP.dll (special version) to use SignTool.

Register NAVSIP.dll using PowerShell (as admin):


regsvr32 /s c:*\NavSip.dll

Find the certificate thumbprint and Sign the file using SignTool in PowerShell (as admin):


signtool sign /sha1 [your certificate thumbprint] /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n [Your Organization Name] "path\to\fileToSign.app"

I'm glad that you were able to identify your issue.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue : Unable to perform code Signing in Azure Key Vault.

Please click "Accept my answer" if the provided information is helpful. This will assist other community members facing similar issues in finding the correct solution.

Share via

Code Signing with Azure KeyVault -You are unauthorized to view these contents.

0 additional answers

Your answer