Help storing a HSM protected code signing certificate in Azure Key Vault

Question

Help storing a HSM protected code signing certificate in Azure Key Vault

Mark Bewley 51

If you use a code signing certificate then you are likely aware of the more recent stringent requirement for private key storage.

I was looking at how to store this in Azure Key Vault.

To achieve this, I needed to upgrade to Azure Key Vault Premium SKU.

There is no method, via the Azure Portal, to change pricing tier. It can be done via PowerShell.

Mark Bewley 51 Reputation points

2025-04-01T22:34:17.33+00:00

Don't create an Azure Managed HSM. This is an always on 24/7 service and is charged at several USD $ per hour, from the moment it is provisioned, so costs can quickly mount. There is only one SKU available; the name "Standard B1" sounds benign.
Mark Bewley 51 Reputation points

2025-04-01T22:39:38.5666667+00:00

@Raja Pothuraju Created my own post. Not really a question, but trying to capture my experience, so others might not make the same mistake. Had to format it such that it didn't violate the automated Q&A Code of Conduct checker.

Accepted answer

0 additional answers

Your answer

Mark Bewley 51 Reputation points

2025-04-01T22:34:17.33+00:00

Don't create an Azure Managed HSM. This is an always on 24/7 service and is charged at several USD $ per hour, from the moment it is provisioned, so costs can quickly mount. There is only one SKU available; the name "Standard B1" sounds benign.
Mark Bewley 51 Reputation points

2025-04-01T22:39:38.5666667+00:00

@Raja Pothuraju Created my own post. Not really a question, but trying to capture my experience, so others might not make the same mistake. Had to format it such that it didn't violate the automated Q&A Code of Conduct checker.

Answer 1

Navya 20,180 Microsoft External Staff Moderator

Hi @Mark Bewley

Thank you for sharing your experience! It’s really helpful for others who might be facing the same challenge. We’re glad to hear that your issue with upgrading to the Azure Key Vault Premium SKU was resolved using PowerShell.

Regarding the Azure Managed HSM, you’re absolutely right about the costs associated with it being an always-on service. It’s always a good idea to weigh the costs against the specific requirements of your use case.

We appreciate you providing this feedback, and we are sure it will be useful for others in the community.

Mark Bewley 51 Reputation points

2025-04-01T23:45:46.51+00:00

Hi Navya (I can't find you to @ mention),

Thanks for your quick and positive response to my post.

The bigger issue I currently have is I made the mistake of turning on the purge protection when creating the Azure Managed HSM - it made sense to protect accidental deletion of keys, until you realise you didn't need it and the costs therein - looking a significant bill until it gets purged.

https://learn.microsoft.com/en-us/answers/questions/2203159/need-soft-deleted-managed-hsm-purged-asap

The pricing page, https://azure.microsoft.com/en-gb/pricing/details/key-vault/, didn't necessarily make it clear to me. Yes, the Hourly usage fee per HSM pool is given but I didn't read this as the usage as being 24/7.

Once the actual spend was discovered, we have since found some online documents and forum posts that have highlighted this always on usage.

Just recently opened support case to see if anything can be done; but early days of processing this.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-04-02T18:54:39.0233333+00:00

Hi @Mark Bewley

Thank you for sharing the additional details, and we appreciate your proactive approach in reaching out for support.

In the future, if you have any queries regarding pricing tiers or service details, we recommend reaching out to our sales team to ensure you have all the information you need. You can find the chat option at the bottom of the pricing page for any inquiries.

Additionally, once you receive a resolution through your support ticket, we’d greatly appreciate it if you could share the outcome in the comments section. This could help others in the community facing similar concerns
Mark Bewley 51 Reputation points

2025-04-07T11:25:38.7466667+00:00

As an update, on our specific journey - as this resource is linked to an Azure Sponsorship subscription, there is nothing we can do until that sponsorship is exhausted. (This is a Microsoft policy)

At this rate, we will start occurring billing charges in about 12 days.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-04-07T20:33:30.8233333+00:00

Hi @Mark Bewley

Thank you for sharing the update here. It will help other community members who have the same concerns.

Share via

Help storing a HSM protected code signing certificate in Azure Key Vault

0 additional answers

Your answer