0 Votes
JamesTran-MSFT asked MarileeTurscak-MSFT answered

EV Code Signing with Azure KeyVault and Azure Pipelines - How To

What's the EV Code Signing Certification Renewal Process with Azure Key Vault and Azure Pipelines?

azure-key-vault

2 Votes
MarileeTurscak-MSFT answered

Please keep in mind - KV Team update:

Azure Key Vault is a certificate enrollment tool. You can create the CSR and submit it to the CA. It is on the CA to accept or reject it. In that sense, there is nothing stopping you from doing Code Signing cert from AKV. EV needs to meet industry requirements and it is on the CA to assess that those standards are met.

You can follow the EV Code Signing Certification Renewal Process by following this PDF - EV Code Signing with Azure KeyVault and Azure Pipelines.pdf


Gabriel Michaud - EV Code Signing with Azure KeyVault and Azure Pipelines

Step 1 - Create the certificate in Azure Key Vault
Step 2 - Download CSR (Certificate Request File)
Step 3 - Order certificate from DigiCert - Minimum key size allowed by the CA/B forum is 3072 currently
Step 4a - Validation Process
Step 4b - Audit Letter
Step 5 - Importing the Key into the Azure Key Vault (Merging the certificate signing request)
Step 6 - Modifying build script and pipeline to use the new key


Additional Links:
Are EV code signing certificates supported for key vault storage and reference in ci/cd pipelines?
EnhancedKeyUsage (EKU) in the CSR request for a code signing cert
PG Comments


Thank you for your time and patience throughout this issue.
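
For Steps 1 to 3 above, a certificate policy can be checked before the CSR is generated and sent to the CA. The following is an added example, not taken from the answer or the linked PDF: it assumes the policy JSON shape printed by `az keyvault certificate get-default-policy`, uses a placeholder subject, and treats "non-exportable HSM key" as this example's own assumption about what the CA will require for EV.

```python
import json

CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
MIN_RSA_BITS = 3072                      # minimum key size quoted in Step 3


def build_policy(subject, key_size=4096):
    """Policy that makes Key Vault create the key and leave a CSR pending (Steps 1-2)."""
    return {
        # "Unknown" = no integrated issuer; the signed cert is merged later (Step 5)
        "issuerParameters": {"name": "Unknown"},
        "keyProperties": {"keyType": "RSA-HSM", "keySize": key_size,
                          "exportable": False, "reuseKey": False},
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "subject": subject,
            "ekus": [CODE_SIGNING_EKU],
            "keyUsage": ["digitalSignature"],
            "validityInMonths": 12,
        },
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    key = policy.get("keyProperties", {})
    x509 = policy.get("x509CertificateProperties", {})
    if policy.get("issuerParameters", {}).get("name") != "Unknown":
        findings.append("issuer is not 'Unknown': no CSR is left pending for an external CA")
    key_type = key.get("keyType", "")
    if key_type.startswith("RSA") and (key.get("keySize") or 0) < MIN_RSA_BITS:
        findings.append(f"RSA key size {key.get('keySize')} is below {MIN_RSA_BITS}")
    # Assumption of this example: the key must stay in an HSM and be non-exportable.
    if key.get("exportable", True) or not key_type.endswith("-HSM"):
        findings.append("private key is exportable or not HSM-backed")
    if CODE_SIGNING_EKU not in x509.get("ekus", []):
        findings.append("code signing EKU missing from the CSR request")
    return findings


# Constructed sample resembling a TLS-style default policy, for contrast.
WEAK_POLICY = {
    "issuerParameters": {"name": "Self"},
    "keyProperties": {"keyType": "RSA", "keySize": 2048, "exportable": True},
    "x509CertificateProperties": {"subject": "CN=Example Corp (placeholder)",
                                  "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]},
}

if __name__ == "__main__":
    print(json.dumps(build_policy("CN=Example Corp (placeholder)"), indent=2))
    print("\n".join(lint_policy(WEAK_POLICY)))
```

The JSON printed by `build_policy` can be saved to a file and passed to `az keyvault certificate create` with `--policy @file.json`.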

