How to Use Azure Key Vault with a DigiCert Code Signing Certificate

This guide walks you through:

  1. Generating a code signing CSR in Azure Key Vault (AKV)
  2. Ordering a DigiCert Code Signing Certificate from GeoCerts
  3. Merging the issued certificate back into Azure Key Vault for secure signing
Step 1: Generate a CSR in Azure Key Vault

A. Create or Use an Existing Key Vault

  1. In the Azure Portal, go to Key Vaults > + Create.
  2. Make sure to select the Premium pricing tier (required for HSM-backed keys).
  3. Once created, go to the vault and assign yourself the Key Vault Administrator role via Access Control (IAM). This role only takes effect if the vault uses the Azure RBAC permission model rather than legacy access policies.
B. Generate a Certificate Placeholder and CSR

  1. Inside your Key Vault, go to Certificates > + Generate/Import > Generate.
  2. Configure as follows:
    • Method: Certificate issued by a non-integrated CA
    • Name: (e.g., MyCodeSignCert)
    • Subject: CN=Your Organization Name
    • Content Type: PKCS #12
  3. Expand Advanced Policy Configuration:
    • Key Type: RSA-HSM
    • Key Size: 3072 or 4096
    • Exportable: No
    • Enhanced Key Usage (EKU): Add 1.3.6.1.5.5.7.3.3 (Code Signing)
  4. Click Create.
C. Download the CSR

  1. Once the certificate operation is in a “Pending” state, select the certificate.
  2. Go to Certificate Operation > Download CSR.
  3. Save this .csr file to your local machine — you’ll need it for the GeoCerts order.
Step 2: Order a DigiCert Code Signing Certificate from GeoCerts

  1. Go to your GeoCerts account, and click New Certificate.
  2. Choose either:
    • OV Code Signing Certificate, or
    • EV Code Signing Certificate
  3. Paste in the CSR you downloaded from Azure Key Vault.
  4. Complete the order and submit.
Step 3: Wait for Issuance and Download the Certificate

  1. Once the certificate is issued, GeoCerts will notify you.
  2. Log in to your GeoCerts account and click your certificate’s Order ID.
  3. Click Download Certificate Files.
  4. Select the file format:
    • Recommended: PKCS #7 (.p7b) bundle — includes the leaf certificate and intermediate chain.
Step 4: Merge the Certificate into Azure Key Vault

  1. Return to Azure Key Vault > Certificates > your pending certificate.
  2. Under Certificate Operation, choose Merge Signed Request.
  3. Upload the .p7b file (or a single PEM/CRT file containing the full chain).
  4. Click Merge to complete the process.
⚠️ Do not delete or regenerate the original certificate placeholder. The merge must happen on the exact certificate object that generated the CSR, or the private key will not match.
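The portal clicks in Steps 1 and 4 can also be driven from the Azure CLI, which is handy for repeatable setups and for checking the result of the merge. The script below is an added example and is not part of this guide or of Azure's own tooling; it assumes you have already run az login with an identity holding the Key Vault Administrator role, and the vault name, certificate name, subject and chain file are placeholders. Step 2 (pasting the CSR into the GeoCerts order) and Step 3 (downloading the issued files) stay manual. The policy mirrors Step 1B exactly: non-integrated CA, RSA-HSM, non-exportable, PKCS #12, Code Signing EKU.

```shell
#!/bin/sh
# Added example, not from the original guide: Azure CLI equivalent of Steps 1 and 4.
# Assumes `az login` is done and the placeholder names below are replaced.
set -eu

VAULT_NAME="${VAULT_NAME:-my-premium-vault}"           # placeholder Premium-tier vault
CERT_NAME="${CERT_NAME:-MyCodeSignCert}"               # same object for CSR and merge
SUBJECT="${SUBJECT:-CN=Your Organization Name}"
CHAIN_FILE="${CHAIN_FILE:-MyCodeSignCert-chain.pem}"   # full chain from the CA, PEM

# Step 1B as a certificate policy: non-integrated CA ("Unknown" issuer), RSA-HSM key,
# non-exportable, PKCS #12 content type, Code Signing EKU 1.3.6.1.5.5.7.3.3.
write_policy() {
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": { "exportable": false, "keyType": "RSA-HSM", "keySize": 4096, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "$SUBJECT",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "validityInMonths": 12
  }
}
EOF
}

# Step 1B: create the placeholder; the key pair and CSR are generated inside the HSM.
create_placeholder() {
  write_policy > "$CERT_NAME.policy.json"
  az keyvault certificate create --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --policy "@$CERT_NAME.policy.json"
}

# `pending show` returns the CSR as raw base64 DER; wrap it in PEM armour so it can be
# pasted into the CA's order form. Pure shell, so it is the part that runs offline.
csr_to_pem() {
  printf -- '-----BEGIN CERTIFICATE REQUEST-----\n'
  printf '%s' "$1" | fold -w 64
  printf '\n-----END CERTIFICATE REQUEST-----\n'
}

# Step 1C: fetch the pending operation's CSR and save it for the GeoCerts order.
download_csr() {
  csr_b64=$(az keyvault certificate pending show --vault-name "$VAULT_NAME" \
    --name "$CERT_NAME" --query csr -o tsv)
  csr_to_pem "$csr_b64" > "$CERT_NAME.csr"
  echo "CSR written to $CERT_NAME.csr; paste it into the GeoCerts order."
}

# Step 4 helper: if the CA delivered a .p7b, flatten it to a PEM chain first
# (tries DER encoding, then PEM).
p7b_to_pem_chain() {
  openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" 2>/dev/null \
    || openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Step 4: merge the full chain into the SAME certificate object that produced the CSR.
merge_chain() {
  az keyvault certificate pending merge --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --file "$CHAIN_FILE"
}

# Post-merge check: the object should now carry the CA-issued thumbprint while still
# reporting a non-exportable RSA-HSM key and the Code Signing EKU.
verify_merged() {
  az keyvault certificate show --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --query '{thumbprint:x509ThumbprintHex, keyType:policy.keyProperties.keyType, exportable:policy.keyProperties.exportable, ekus:policy.x509CertificateProperties.ekus}' \
    -o json
}

# Usage: AKV_STEP=request ./akv-codesign.sh   (Step 1), then after issuance
#        AKV_STEP=merge   ./akv-codesign.sh   (Step 4)
case "${AKV_STEP:-}" in
  request) create_placeholder && download_csr ;;
  merge)   merge_chain && verify_merged ;;
  *)       : ;;   # no AKV_STEP: only define the functions
esac
```

If verify_merged still shows the self-signed placeholder thumbprint, or if exportable is true, the merge landed on a different object or the policy was edited after the CSR was issued; in either case the key will not match the CA-issued certificate.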
Optional: Sign Code Using AzureSignTool

Once merged, the certificate is ready for secure code signing with an HSM-backed private key. Here’s a sample command using AzureSignTool (-v turns on verbose output; the file to sign is the last argument):

AzureSignTool sign \
  -kvu https://<your-vault-name>.vault.azure.net/ \
  -kvc MyCodeSignCert \
  -kvi <client-id> \
  -kvs <client-secret> \
  -kvt <tenant-id> \
  -tr http://timestamp.digicert.com \
  -v yourApp.exe
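A client secret passed with -kvs ends up in shell history and in the process list of the build agent. The wrapper below is an added example, not part of this guide or of the AzureSignTool project: it authenticates with a short-lived Key Vault access token from the signed-in Azure CLI identity via AzureSignTool's -kva option instead, and validates the vault name before building the vault URL. It assumes az login has been done with an identity allowed to read the certificate and perform sign operations with its key, that AzureSignTool is installed, and that the placeholder names are replaced.

```shell
#!/bin/sh
# Added example, not from the original guide: sign with AzureSignTool using a
# short-lived access token (-kva) instead of a client secret (-kvs).
# Assumes `az login` is done and AzureSignTool is on PATH.
set -eu

VAULT_NAME="${VAULT_NAME:-my-premium-vault}"     # placeholder vault name
CERT_NAME="${CERT_NAME:-MyCodeSignCert}"         # the merged certificate object
TSA_URL="${TSA_URL:-http://timestamp.digicert.com}"

# Build https://<name>.vault.azure.net/ from a vault name. Refuses anything outside
# letters, digits and hyphens so a typo or an injected path cannot redirect the
# signing request to an unexpected host.
vault_url() {
  case "$1" in
    ""|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  printf 'https://%s.vault.azure.net/\n' "$1"
}

# Access token for the Key Vault data plane; https://vault.azure.net is the audience
# for the Azure public cloud.
vault_token() {
  az account get-access-token --resource https://vault.azure.net \
    --query accessToken -o tsv
}

# Sign one file: SHA-256 file digest, RFC 3161 timestamp (so the signature stays
# valid after the certificate expires), verbose output.
sign_file() {
  url=$(vault_url "$VAULT_NAME") || { echo "bad vault name: $VAULT_NAME" >&2; return 1; }
  AzureSignTool sign \
    -kvu "$url" \
    -kvc "$CERT_NAME" \
    -kva "$(vault_token)" \
    -tr "$TSA_URL" \
    -td sha256 \
    -fd sha256 \
    -v \
    "$1"
}

# Usage: ./sign.sh yourApp.exe
if [ "$#" -gt 0 ]; then
  sign_file "$1"
fi
```

The token is scoped to Key Vault and expires on its own, so nothing long-lived is written to disk or logged by the pipeline; on an Azure-hosted build agent the same idea applies with a managed identity.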

Pro Tips

  • Premium Key Vault + RSA-HSM + non-exportable is required for EV compliance.
  • The merge must happen on the same Key Vault cert object that generated the CSR.
  • Always use a full chain (P7B or concatenated PEM) for merging into AKV.
  • Do not rekey or create a new CSR unless you intend to start a new order.