EV Code Signing with Azure KeyVault and Azure Pipelines - How To

JamesTran-MSFT 36,361 Reputation points Microsoft Employee
2022-02-11T16:58:40.007+00:00

What's the EV Code Signing Certification Renewal Process with Azure Key Vault and Azure Pipelines?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,102 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-02-11T22:25:52.39+00:00

    Please keep in mind - KV Team update:

    Azure Key Vault is a certificate enrollment tool. You can create the CSR and submit it to the CA. It is on the CA to accept or reject it. In that sense, there is nothing stopping you from doing Code Signing cert from AKV. EV needs to meet industry requirements and it is on the CA to assess that those standards are met.

    You can follow the EV Code Signing Certification Renewal Process by following this PDF - EV Code Signing with Azure KeyVault and Azure Pipelines.pdf

    Gabriel Michaud - EV Code Signing with Azure KeyVault and Azure Pipelines

    Step 1 - Create the certificate in Azure Key Vault
    Step 2 - Download CSR (Certificate Request File)
    Step 3 - Order certificate from DigiCert - Minimum key size allowed by the CA/B forum is 3072 currently
    Step 4a - Validation Process
    Step 4b - Audit Letter
    Step 5 - Importing the Key into the Azure Key Vault (Merging the certificate signing request)
    Step 6 - Modifying build script and pipeline to use the new key

    Additional Links:
    Are EV code signing certificates supported for key vault storage and reference in ci/cd pipelines?
    EnhancedKeyUsage (EKU) in the CSR request for a code signing cert
    PG Comments

    Thank you for your time and patience throughout this issue.

    4 people found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2022-02-11T17:21:16.71+00:00

    Please keep in mind - KV Team update:

    Azure Key Vault is a certificate enrollment tool. You can create the CSR and submit it to the CA. It is on the CA to accept or reject it. In that sense, there is nothing stopping you from doing Code Signing cert from AKV. EV needs to meet industry requirements and it is on the CA to assess that those standards are met.

    You can follow the EV Code Signing Certification Renewal Process by following this PDF - EV Code Signing with Azure KeyVault and Azure Pipelines.pdf

    Gabriel Michaud - EV Code Signing with Azure KeyVault and Azure Pipelines

    Step 1 - Create the certificate in Azure Key Vault
    Step 2 - Download CSR (Certificate Request File)
    Step 3 - Order certificate from DigiCert - Minimum key size allowed by the CA/B forum is 3072 currently
    Step 4a - Validation Process
    Step 4b - Audit Letter
    Step 5 - Importing the Key into the Azure Key Vault (Merging the certificate signing request)
    Step 6 - Modifying build script and pipeline to use the new key

    Additional Links:
    Are EV code signing certificates supported for key vault storage and reference in ci/cd pipelines?
    EnhancedKeyUsage (EKU) in the CSR request for a code signing cert
    PG Comments

    Thank you for your time and patience throughout this issue.

    0 comments No comments