Quickstart: Set up Trusted Signing

Trusted Signing is a fully managed, end-to-end certificate signing service from Microsoft. In this quickstart, you create the following three Trusted Signing resources to begin using Trusted Signing:

  • A Trusted Signing account
  • An identity validation
  • A certificate profile

You can use either the Azure portal or an Azure CLI extension to create and manage most of your Trusted Signing resources. (You can complete identity validation only in the Azure portal. You can't complete identity validation by using the Azure CLI.) This quickstart shows you how.

Prerequisites

To complete this quickstart, you need:

Register the Trusted Signing resource provider

Before you use Trusted Signing, you must register the Trusted Signing resource provider.

A resource provider is a service that supplies Azure resources. Use the Azure portal or the Azure CLI to register the Microsoft.CodeSigning Trusted Signing resource provider.

To register a Trusted Signing resource provider by using the Azure portal:

  1. Sign in to the Azure portal.

  2. In either the search box or under All services, select Subscriptions.

  3. Select the subscription where you want to create Trusted Signing resources.

  4. On the resource menu under Settings, select Resource providers.

  5. In the list of resource providers, select Microsoft.CodeSigning.

    By default, the resource provider status is NotRegistered.

    Screenshot that shows finding the Microsoft.CodeSigning resource provider for a subscription.

  6. Select the ellipsis, and then select Register.

    Screenshot that shows the Microsoft.CodeSigning resource provider as registered.

    The status of the resource provider changes to Registered.
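The same registration can be scripted with the Azure CLI so that a pipeline verifies the provider state before it tries to create any Trusted Signing resource. The script below is an added example, not code from the Microsoft page; it assumes the `az` CLI is installed and already logged in to the target subscription, and uses only the standard `az provider register` and `az provider show` commands (not the Trusted Signing extension).

```shell
#!/bin/sh
# Added example: register the Microsoft.CodeSigning resource provider with the
# Azure CLI and wait until the subscription reports it as Registered.
# Assumes `az` is installed and `az login` / `az account set` have been run.

# Returns 0 when the given registrationState string means the provider is usable.
# `az provider show` reports NotRegistered, Registering, Registered or Unregistering.
is_registered() {
    state="$1"
    [ "$state" = "Registered" ]
}

# Query the current registration state of Microsoft.CodeSigning (needs network + login).
provider_state() {
    az provider show --namespace Microsoft.CodeSigning \
        --query registrationState -o tsv
}

# Register the provider if needed, then poll until registration completes.
# Registration is asynchronous, so a single `az provider register` call is not
# enough for a script that immediately creates resources afterwards.
register_codesigning_provider() {
    if is_registered "$(provider_state)"; then
        echo "Microsoft.CodeSigning is already registered"
        return 0
    fi

    az provider register --namespace Microsoft.CodeSigning

    # Poll up to 30 times, 10 seconds apart (about 5 minutes).
    i=0
    while [ "$i" -lt 30 ]; do
        if is_registered "$(provider_state)"; then
            echo "Microsoft.CodeSigning is now registered"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done

    echo "timed out waiting for Microsoft.CodeSigning to register" >&2
    return 1
}

# Usage (only when run directly, not when the file is sourced for its functions):
# register_codesigning_provider
```

Because the portal and the CLI both act on the subscription's provider list, running this script is equivalent to steps 1 through 6 above; the status shown in the portal changes to Registered once the loop exits successfully.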

Create a Trusted Signing account

A Trusted Signing account is a logical container that holds identity validation and certificate profile resources.

Azure regions that support Trusted Signing

You can create Trusted Signing resources only in Azure regions where the service is currently available. The following table lists the Azure regions that currently support Trusted Signing resources:

Region             Region class field   Endpoint URI value
East US            EastUS               https://eus.codesigning.azure.net
West US            WestUS               https://wus.codesigning.azure.net
West Central US    WestCentralUS        https://wcus.codesigning.azure.net
West US 2          WestUS2              https://wus2.codesigning.azure.net
North Europe       NorthEurope          https://neu.codesigning.azure.net
West Europe        WestEurope           https://weu.codesigning.azure.net

Naming constraints for Trusted Signing accounts

Trusted Signing account names have some constraints.

A Trusted Signing account name must:

  • Contain from 3 to 24 alphanumeric characters.
  • Be globally unique.
  • Begin with a letter.
  • End with a letter or number.
  • Not contain consecutive hyphens.

A Trusted Signing account name is:

  • Not case-sensitive (ABC is the same as abc).
  • Rejected by Azure Resource Manager if it begins with "one".

To create a Trusted Signing account by using the Azure portal:

  1. Sign in to the Azure portal.

  2. Search for and then select Trusted Signing Accounts.

    Screenshot that shows searching for Trusted Signing Accounts in the Azure portal.

  3. On the Trusted Signing Accounts pane, select Create.

  4. For Subscription, select your Azure subscription.

  5. For Resource group, select Create new, and then enter a resource group name.

  6. For Account name, enter a unique account name.

    For more information, see Naming constraints for Trusted Signing accounts.

  7. For Region, select an Azure region that supports Trusted Signing.

  8. For Pricing, select a pricing tier.

  9. Select the Review + Create button.

    Screenshot that shows creating a Trusted Signing account.

  10. After you successfully create your Trusted Signing account, select Go to resource.

Create an identity validation request

You can complete your own identity validation by filling in the request form with the information that must be included in the certificate. Identity validation can be completed only in the Azure portal. You can't complete identity validation by using the Azure CLI.

Note

You can't create an identity validation request if you aren't assigned the appropriate role. If the New identity button on the menu bar appears dimmed in the Azure portal, ensure that you are assigned the Trusted Signing Identity Verifier role before you proceed with identity validation.

To create an identity validation request:

  1. In the Azure portal, go to your new Trusted Signing account.

  2. Confirm that you're assigned the Trusted Signing Identity Verifier role.

    To learn how to manage access by using role-based access control (RBAC), see Tutorial: Assign roles in Trusted Signing.

  3. On the Trusted Signing account Overview pane or on the resource menu under Objects, select Identity validations.

  4. Select New identity, and then select either Public or Private.

    • Public identity validation applies only to these certificate profile types: Public Trust, Public Trust Test, VBS Enclave.
    • Private identity validation applies only to these certificate profile types: Private Trust, Private Trust CI Policy.

  5. On New identity validation, provide the following information:

    Organization Name: For public identity validation, provide the legal business entity to which the certificate will be issued. For private identity validation, the value defaults to your Microsoft Entra tenant name.

    Organizational Unit (Private identity type only): Enter the relevant information.

    Website url: Enter the primary website that belongs to the legal business entity.

    Primary Email: Enter the organization's primary email address. A verification link is sent to this email address to verify it. Ensure that the email address can receive emails from external email addresses that contain links. The verification link expires in seven days.

    Secondary Email: This email address must be different from the primary email address. For organizations, the domain must match the domain of the primary email address. Ensure that the email address can receive emails from external email addresses that contain links.

    Business Identifier: Enter a business identifier for the legal business entity.

    Seller ID: Applies only to Microsoft Store customers. Find your Seller ID in the Partner Center portal.

    Street, City, Country, State, Postal code: Enter the business address of the legal business entity.

  6. Select Certificate subject preview to see the preview of the information that appears in the certificate.

  7. Select I accept Microsoft terms of use for trusted signing services. You can download the Terms of Use to review or save them.

  8. Select the Create button.

  9. When the request is successfully created, the identity validation request status changes to In Progress.

  10. If more documents are required, an email is sent and the request status changes to Action Required.

  11. When the identity validation process is finished, the request status changes, and an email is sent with the updated status of the request:

    • Completed if the process is completed successfully.
    • Failed if the process isn't completed successfully.

Screenshot that shows the Public option in the New identity validation pane.

Screenshot that shows the Private option in the New identity validation pane.

Important information for public identity validation

Onboarding: Trusted Signing at this time can onboard only legal business entities that have a verifiable tax history of three or more years. For a quicker onboarding process, ensure that public records for the legal business entity that you're validating are up to date.

Accuracy: Ensure that you provide the correct information for public identity validation. If you need to make any changes after the request is created, you must complete a new identity validation request. This change affects the associated certificates that are being used for signing.

More documentation: If we need more documentation to process the identity validation request, you're notified through email. You can upload the documents in the Azure portal. The documentation request email contains information about file size requirements. Ensure that any documents you provide are the most current.

Failed email verification: If email verification fails, you must initiate a new identity validation request.

Identity validation status: You're notified through email when there's an update to the identity validation status. You can also check the status in the Azure portal at any time.

Processing time: Processing your identity validation request takes from 1 to 7 business days (possibly longer if we need to request more documentation from you).

Create a certificate profile

A certificate profile resource is the logical container of the certificates that are issued to you for signing.

Naming constraints for certificate profiles

Certificate profile names have some constraints.

A certificate profile name must:

  • Contain from 5 to 100 alphanumeric characters.
  • Begin with a letter, end with a letter or number, and not contain consecutive hyphens.
  • Be unique within the account.

A certificate profile name is:

  • Created in the same Azure region as the account (the region is inherited by default).
  • Not case-sensitive (ABC is the same as abc).
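The naming rules for Trusted Signing accounts (above, under Naming constraints for Trusted Signing accounts) and for certificate profiles share the same shape rules and differ only in length and in the account-specific "one" prefix rule, so they can be checked before a deployment rather than discovered as a failed request. The following validator is an added example, not code from the Microsoft page. It assumes that hyphens are the only non-alphanumeric character permitted (inferred from the "no consecutive hyphens" rule; the page itself says "alphanumeric"), treats the "one" prefix rule as case-insensitive because names are not case-sensitive, and cannot check the two rules that depend on Azure state (global uniqueness of account names and uniqueness of profile names within an account).

```shell
#!/bin/sh
# Added example: offline validation of Trusted Signing account and
# certificate profile names against the documented naming constraints.
# Assumption: letters, digits and single hyphens are the permitted characters.

# check_name_shape NAME MIN MAX
# Returns 0 when NAME has MIN..MAX characters, starts with a letter,
# ends with a letter or digit, contains only letters/digits/hyphens and
# has no consecutive hyphens; returns 1 otherwise.
check_name_shape() {
    name="$1"; min="$2"; max="$3"
    len=${#name}
    [ "$len" -ge "$min" ] && [ "$len" -le "$max" ] || return 1

    # Leading letter, trailing letter or digit, allowed alphabet in between.
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$' || return 1

    # Consecutive hyphens are rejected.
    case "$name" in
        *--*) return 1 ;;
    esac
    return 0
}

# Account names: 3-24 characters plus the shape rules, and Azure Resource
# Manager rejects names beginning with "one" (compared case-insensitively
# because account names are not case-sensitive).
validate_account_name() {
    check_name_shape "$1" 3 24 || return 1
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        one*) return 1 ;;
    esac
    return 0
}

# Certificate profile names: 5-100 characters plus the shape rules.
validate_profile_name() {
    check_name_shape "$1" 5 100
}

# Usage: exit non-zero with a message if either constructed sample name is invalid.
# (Sample names below are made up for illustration.)
if [ "${RUN_NAME_CHECK:-0}" = "1" ]; then
    validate_account_name "contoso-signing" || { echo "bad account name" >&2; exit 1; }
    validate_profile_name "contoso-public-trust" || { echo "bad profile name" >&2; exit 1; }
    echo "names look valid"
fi
```

Run it with `RUN_NAME_CHECK=1 sh validate-names.sh` or source the file and call the two functions from your own deployment script; a non-zero return means the name would be rejected by the service, and the global and per-account uniqueness rules still have to be checked against Azure itself.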

To create a certificate profile in the Azure portal:

  1. In the Azure portal, go to your new Trusted Signing account.

  2. On the Trusted Signing account Overview pane or on the resource menu under Objects, select Certificate profiles.

  3. On the command bar, select Create and select a certificate profile type.

    Screenshot that shows the Trusted Signing certificate profile types to choose from.

  4. On Create certificate profile, provide the following information:

    1. For Certificate Profile Name, enter a unique name.

      For more information, see Naming constraints for certificate profiles.

      The value for Certificate Type is autopopulated based on the certificate profile type you selected.

    2. For Verified CN and O, select an identity validation that must be displayed on the certificate.

      • If the street address must be displayed on the certificate, select the Include street address checkbox.
      • If the postal code must be displayed on the certificate, select the Include postal code checkbox.

      The values for the remaining fields are autopopulated based on your selection for Verified CN and O.

      A generated Certificate Subject Preview shows the preview of the certificate that will be issued.

    3. Select Create.

    Screenshot that shows the Create certificate profile pane.

Clean up resources

To delete Trusted Signing resources by using the Azure portal:

Delete a certificate profile

  1. In the Azure portal, go to your Trusted Signing account.
  2. On the Trusted Signing account Overview pane or on the resource menu under Objects, select Certificate profiles.
  3. On Certificate profiles, select the certificate profile that you want to delete.
  4. On the command bar, select Delete.

Note

This action stops any signing that's associated with the certificate profile.

Delete a Trusted Signing account

  1. Sign in to the Azure portal.
  2. In the search box, enter and then select Trusted Signing Accounts.
  3. On Trusted Signing Accounts, select the Trusted Signing account that you want to delete.
  4. On the command bar, select Delete.

Note

This action removes all certificate profiles that are linked to this account. Any signing processes that are associated with those certificate profiles stop.

In this quickstart, you created a Trusted Signing account, an identity validation request, and a certificate profile. To learn more about Trusted Signing and to start your signing journey, see these articles: