How to add my Trusted Signature to my Azure Key Vault?

Nick 0

Hi,

I created a trusted signature in my Azure account. I would like to use it to sign excel files. I understand that I need to export it as PFX. I believe I need Azure key vault to do so, correct?

If I get Key vault, how do I transfer / add my trusted signature to it so that I can then export it to sign my excel files?

Thank you

2 answers

Chiugo Okpala 5 Reputation points MVP

2025-01-23T10:00:18.4566667+00:00
Hi Nick,

To add your Trusted Signature to your Azure Key Vault, you can follow these steps:

Create a Certificate Signing Request (CSR): This is a message sent to a Certificate Authority (CA) to request a digital certificate.

Sign the CSR: Have your CA sign the CSR.

Merge the Signed Request: Import the signed certificate back into your Azure Key Vault.

Here's a more detailed guide:

1.Generate a CSR in Azure Key Vault:

Go to your Key Vault in the Azure portal.

Select Certificates and then Generate/Import.

Choose Generate as the method of certificate creation.

Fill in the required details like Certificate Name, Type of Certificate Authority (CA), and Subject.

Click Create to generate the CSR.

2.Sign the CSR with your CA:

Download the CSR file from Azure Key Vault

Submit the CSR to your CA for signing

3.Merge the Signed Certificate:

Once the CA returns the signed certificate, upload it back to Azure Key Vault.

Go to the Certificates section in your Key Vault.

Select the certificate and click on Merge Signed Request to complete the process.

See azure documentation https://learn.microsoft.com/en-us/azure/key-vault/certificates/create-certificate-signing-request?tabs=azure-portal
Please sign in to rate this answer.
Nick 0 Reputation points

2025-01-23T12:14:05.36+00:00

Thank you. But I thought the whole point of getting a trusted signing certificate from Azure directly, was that I didn’t need to pay an external certificate authority to get a signing certificate? I don’t want to pay $400+ for a signing certificate and I thought the $15/month at azure could replace that?

Chiugo Okpala 5 Reputation points MVP

2025-01-23T16:46:22.4+00:00

You're absolutely right. Azure's Trusted Signing service is designed to eliminate the need for external certificate authorities. It offers a fully managed end-to-end signing solution that integrates seamlessly into developer toolsets. Here's a breakdown of the pricing for Azure's Trusted Signing service: ·

Basic Tier: $9.99/month, includes up to 5,000 signatures per month. ·

Premium Tier: $99.99/month, includes up to 100,000 signatures per month.

Both tiers cover the costs of identity validation, certificate lifecycle management and signing, making it a cost-effective solution compared to traditional certificate authorities.

https://azure.microsoft.com/en-us/pricing/details/trusted-signing/

https://azure.microsoft.com/en-us/products/trusted-signing

https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/trusted-signing-is-now-open-for-individual-developers-to-sign-up-in-public-previ/4273554
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Meha-MSFT 495 Reputation points Microsoft Employee

2025-01-23T17:04:13.92+00:00

Trusted Signing supports file types supported by Signtool + NuGet, VSIX, and ClickOnce into these CI/CD pipelines.

How to setup signing with Trusted Signing: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

Filetypes supported by Signtool:https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools

https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/simplifying-signing-integration-for-trusted-signing/4293292
Please sign in to rate this answer.
Nick 0 Reputation points

2025-01-23T19:02:32.1333333+00:00

So how do I use this trusted signature in the key vault?

Meha-MSFT 495 Reputation points Microsoft Employee

2025-01-23T20:44:48.1666667+00:00

You don't need to/cannot. Trusted Signing manages the key storage/rotation.

This link will help you guide how you sign with the certs you created in the service.

https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

Also, can you help explain what do you mean by "created a trusted signature in Azure account".

Nick 0 Reputation points

2025-01-24T01:44:03.58+00:00

I created a Trusted Signing Account (whose identity has been verified) and have created a trusted signature. However, I simply don't understand how I'm supposed to use it to sign my Microsoft excel spreadsheets. Other have suggested that I should try to export it as PFX, however I don't see this option in Azure's Trusted Signing platform. I was hoping to be able to do something like that using Key vault (which seems to have an export option as PFX).

To summarize, I'm simply trying to use Azure's code signing feature to sign my excel spreadsheets (instead of using a third party Certificate authority (which is very costly).

Meha-MSFT 495 Reputation points Microsoft Employee

2025-01-24T17:42:13.3866667+00:00

Got it, so Excel is not a filetype that is supported and there's no mechanism to download the Trusted Signing cert from Portal. These are the details supported file types:

Filetypes supported by Signtool:https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools

https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/simplifying-signing-integration-for-trusted-signing/4293292
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to add my Trusted Signature to my Azure Key Vault?

2 answers

Your answer