hsmPlatform 1 keys retirement with existing key vault

Gary Cuthbert 20 Reputation points
2026-04-24T14:58:40.5033333+00:00

Hello, we currently have an Azure 'key vault' containing a code sign certificate. I have checked the 'hsmPlatform' on the certificate and it is version 1.

The code sign certificate expires in 2027 and the 'hsmPlatform 1' retires in 2028.

So my question is: when we come to renew our certificate in 2027, if I was to install it into our existing 'key vault', would it pick up the hsmPlatform 2 attribute from this vault, or do I need to create a new key vault to ensure it is operating with FIPS 140-3 Level 3 security and import our renewed certificate into this new vault?

Many thanks

Gary

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Answer accepted by question author

  1. Q&A Assist
    2026-04-24T14:58:54.58+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    New keys and new key versions in Azure Key Vault are now created on hsmPlatform 2 automatically. The hsmPlatform is an attribute of each key version, not of the vault itself.

    When the existing HSM-backed key is renewed (creating a new key version) in the current key vault, that new version will be protected by hsmPlatform 2 and therefore benefit from FIPS 140-3 Level 3 HSMs, even though older versions were on hsmPlatform 1.

    A new key vault is not required solely to move from hsmPlatform 1 to hsmPlatform 2 protection for new key material. Creating a new vault is only necessary in specific BYOK/Rights Management scenarios where the documentation explicitly instructs to do so.

    To confirm the platform for any key version, use the hsmPlatform attribute as described in the documentation and verify that new versions show 2 or higher.


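Because the answer above describes hsmPlatform as a property of each key version, the check it recommends can be run across every version of a key rather than only the newest. The following is an added example, not part of the original question or answer and not Microsoft's code: it assumes key-version records shaped like Key Vault REST API key responses (`kid` plus `attributes` with `hsmPlatform`, `enabled`, `created`), accepts the platform value as either a string or a number, and uses a constructed vault name, key name and version ids.

```python
import json

# Constructed sample records; vault name, key name and version ids are made up.
SAMPLE_VERSIONS = json.loads("""
[
  {"kid": "https://example-vault.vault.azure.net/keys/codesign/aaaa1111",
   "attributes": {"enabled": true, "created": 1714000000, "hsmPlatform": "1"}},
  {"kid": "https://example-vault.vault.azure.net/keys/codesign/bbbb2222",
   "attributes": {"enabled": true, "created": 1809000000, "hsmPlatform": "2"}},
  {"kid": "https://example-vault.vault.azure.net/keys/codesign/cccc3333",
   "attributes": {"enabled": false, "created": 1700000000}}
]
""")

def version_id(record):
    """Last path segment of the key identifier is the version id."""
    return record["kid"].rstrip("/").rsplit("/", 1)[-1]

def hsm_platform(record):
    """Return hsmPlatform as an int, or None when absent or unparsable."""
    try:
        return int(record.get("attributes", {}).get("hsmPlatform"))
    except (TypeError, ValueError):
        return None

def audit_key_versions(records, minimum=2):
    """Classify each version of one key by its own hsmPlatform value."""
    report = {"compliant": [], "legacy": [], "unknown": [], "enabled_legacy": []}
    ordered = sorted(records, key=lambda r: r["attributes"].get("created", 0))
    for rec in ordered:
        platform = hsm_platform(rec)
        if platform is None:
            report["unknown"].append(version_id(rec))
        elif platform >= minimum:
            report["compliant"].append(version_id(rec))
        else:
            report["legacy"].append(version_id(rec))
            # An older version that is still enabled stays usable by version id.
            if rec["attributes"].get("enabled"):
                report["enabled_legacy"].append(version_id(rec))
    enabled = [r for r in ordered if r["attributes"].get("enabled")]
    newest = enabled[-1] if enabled else None
    report["newest_enabled_ok"] = (
        newest is not None and (hsm_platform(newest) or 0) >= minimum)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_key_versions(SAMPLE_VERSIONS), indent=2))
```

Versions reported under `unknown` carry no hsmPlatform attribute in the record and need to be checked directly before being counted either way.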
