SSL.com

Generate a CSR and Install a Certificate in Microsoft Azure Key Vault

Announcement: Starting June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be generated as downloadable PFX files. Since the new requirements only allow the use of encrypted USB tokens or cloud-based FIPS compliant hardware appliances to store the certificate and private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced. Click this link to learn more about SSL.com eSigner.

Time needed: 1 hour

These instructions will show you how to generate a certificate signing request (CSR) and install a certificate from SSL.com in Microsoft Azure Key Vault. You will need to create a Key Vault in your Azure account before using this how-to.

  1. Select Key Vault.

    Sign into the Azure portal and select the key vault where you wish to install your certificate.
    Select key vault

  2. Open certificate settings.

    Select Certificates in the right-hand Settings menu.

  3. Begin CSR generation.

    Click the Generate/Import button to open the Create a certificate window.

  4. Enter certificate details.

    Enter or select the following details in the Create a certificate form fields:

    • Method of Certificate Creation: select Generate
    • Certificate Name: Enter a unique name for your certificate
    • Type of Certificate Authority (CA): Select Certificate issued by a non-integrated CA
    • Subject: Enter the X.500 Distinguished Name for your certificate. For an SSL/TLS certificate this would be something like CN=example.com. For OV code signing, you can enter something like CN=Firstname Lastname,OU=Operations,O=Company Name,C=US. For individual validation, you can enter your name as the common name, e.g. CN=Firstname Lastname.
    • DNS Names: Add any additional domain names that should be added to an SSL/TLS certificate (e.g. secure.example.com, etc.).
    • Validity Period: You can leave this at the default setting of 12 months. For code signing certificates with longer validity periods, your issued certificate will be based on your order, not the CSR.
    • Content Type: select PEM
    • Lifetime Action Type: Here you can configure Azure to send email alerts at a certain percentage of certificate lifetime or days before expiry.

  5. Advanced Policy Configuration

    Click Advanced Policy Configuration to set the key size, type, and policies for key reuse and exportability. If you want to generate an HSM-protected key, set Exportable Private Key to No and choose RSA-HSM or EC-HSM. For certificates issued by SSL.com, you can leave Extended Key Usages (EKUs) and X.509 Key Usage Flags and Enable Certificate Transparency at their default values, and Certificate Type blank. When you are finished setting the Advanced Policy Configuration, click the OK button.

  6. Generate CSR.

    Click the Create button to generate your new key pair and CSR.

  7. Select certificate.

    Locate your certificate in the list of in progress, failed or cancelled certificates and click it.

  8. Click Certificate Operation.

    Click the Certificate Operation button.

  9. Download CSR.

    Click the Download CSR button and download your CSR file.

  10. Open CSR.

    Open your CSR in a text editor so you can copy and paste it when ordering.

  11. Order and retrieve certificate.

    Order a certificate from SSL.com (or reprocess an existing order). When ordering or generating your certificate, use the CSR you downloaded from Azure.

  12. Select certificate in Key Vault.

    Return to Key Vault and select your certificate’s name in the Certificates settings.

  13. Click Certificate Operation.

    Click the Certificate Operation button.

  14. Merge Signed Request.

    Click the Merge Signed Request button and navigate to the certificate you downloaded from SSL.com.

  15. Certificate merged.

    You should see notifications that your certificate request has been successfully merged.

  16. Finished!

    Your signed certificate is now installed in Key Vault and ready to use.

Next Steps

For more info on installing your certificate, read here. For help binding your certificate, read here.

Exit mobile version