Code Signing certificate for Azure Key Vault
Sign EXE, DLL, MSIX, PowerShell scripts and NuGet packages directly from Azure Key Vault. No USB token needed. AzureSignTool replaces signtool.exe and authenticates to your Key Vault, where your private key is stored on a FIPS 140-2 Level 3 HSM. The key never leaves the HSM.
Azure Key Vault Premium costs approximately $5/month with near-unlimited signings. That is dramatically cheaper than CA-hosted cloud signing services like DigiCert KeyLocker (~$300/year + signing limits on top of the certificate).
What is Azure Key Vault Code Signing?
Azure Key Vault is Microsoft's cloud-based key management service. In the Premium tier, keys are stored on FIPS 140-2 Level 3 certified HSM hardware. The private key is generated inside the HSM and never leaves it. All signing operations happen on the HSM itself.
AzureSignTool is a free, open-source drop-in replacement for signtool.exe that authenticates to Azure Key Vault using a service principal or managed identity. It supports Authenticode signing for all standard Windows file types.
Since June 2023, all Code Signing certificates (OV and EV) require HSM-backed key storage. Azure Key Vault meets this requirement. Software-only .pfx files are no longer permitted by any Certificate Authority.
OV vs EV Code Signing with Azure Key Vault
| | OV Code Signing | EV Code Signing |
|---|---|---|
| Validation | Organisation | Extended (stricter) |
| SmartScreen reputation | Builds over time with downloads | Starts with higher reputation |
| Kernel-mode driver signing | No | Yes (required by Microsoft) |
| Azure Key Vault | Premium tier (RSA-HSM keys) | Premium tier (RSA-HSM keys) |
| Issuance time | 1–3 business days | 1–5 business days |
| Maximum validity | 459 days | 459 days |
Azure Trusted Signing vs your own certificate
Microsoft offers Azure Trusted Signing at ~$10/month as an alternative. It handles the certificate for you. Here is why using your own certificate in Azure Key Vault is usually the better choice:
Your own certificate (Azure Key Vault)
- ✓ Portable: not locked to Azure
- ✓ Works with any signing tool (AzureSignTool, Jsign, signtool)
- ✓ You own the certificate and the identity
- ✓ Required for some enterprise and government workflows
- ✓ Choose your CA (DigiCert or GlobalSign)
- ✓ No monthly subscription for the certificate itself
Azure Trusted Signing
- ✓ Managed by Microsoft, simpler setup
- ✓ ~$10/month subscription
- — Locked to Azure ecosystem
- — Microsoft controls the certificate identity
- — Not accepted in all enterprise environments
Compatible Certificate Authorities
Only DigiCert and GlobalSign Code Signing certificates work with Azure Key Vault. Sectigo/Comodo certificates are not compatible because Azure Key Vault does not support their key attestation format.
FairSSL sells both DigiCert and GlobalSign Code Signing certificates and provides installation guides for both CAs with Azure Key Vault. We recommend the CA that best fits your requirements and budget.
File types you can sign with Azure Key Vault
For Office macro signing (.xlsm, .docm, .pptm), see our Office macro signing guide (requires 32-bit signing tools).
Quick setup overview
Buy a Code Signing certificate from FairSSL
Choose DigiCert or GlobalSign, OV or EV. Select "Azure Key Vault" as delivery method.
Create Azure Key Vault (Premium tier)
Create an RSA-HSM 4096-bit key, non-exportable. Premium SKU is required for HSM-backed keys.
Generate CSR from Key Vault
Create a certificate request with Subject CN=Your Company Name, EKU 1.3.6.1.5.5.7.3.3 (Code Signing), Content Type: PEM.
Submit CSR and complete validation
FairSSL handles the organisation validation (often completed same day for Danish and Swedish companies).
Import signed certificate into Key Vault
Merge the CA's response into the pending certificate request in Azure Key Vault.
Install AzureSignTool and sign
```shell
dotnet tool install --global AzureSignTool
```
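The Azure CLI commands behind the "Create Azure Key Vault", "Generate CSR" and "Import signed certificate" steps above, as an added example that is not FairSSL's installation guide. It assumes `az login` has already been done; the resource group, vault name, certificate name and subject are placeholders you replace with your own.

```shell
# Added example, not FairSSL's installation guide: the Azure CLI commands behind the
# "Create Azure Key Vault", "Generate CSR" and "Import signed certificate" steps.
# Assumes `az login` is done; vault, group and subject values are placeholders.
set -eu
RG="${RG:-rg-codesign}"
VAULT="${VAULT:-kv-codesign-example}"   # placeholder, vault names are globally unique
CERT="${CERT:-codesign-2025}"
SUBJECT="${SUBJECT:-CN=Your Company Name, O=Your Company Name, C=DK}"
# Policy: non-exportable RSA-HSM 4096-bit key, Code Signing EKU, PEM content type, 15 months
# (the 459-day maximum). Issuer "Unknown" makes Key Vault hold a pending request and give you a CSR.
make_policy() {
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": { "exportable": false, "keyType": "RSA-HSM", "keySize": 4096, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pem-file" },
  "x509CertificateProperties": {
    "subject": "$1",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "validityInMonths": 15
  }
}
EOF
}

create_vault() {
  # Premium SKU is what enables HSM-backed (RSA-HSM) keys; RBAC mode is used for access control.
  az keyvault create -g "$RG" -n "$VAULT" --sku premium --enable-rbac-authorization true
}

request_csr() {
  make_policy "$SUBJECT" > policy.json
  az keyvault certificate create --vault-name "$VAULT" -n "$CERT" --policy @policy.json
  # The pending operation exposes the CSR as base64 DER; wrap it as PEM for the CA order form.
  { echo '-----BEGIN CERTIFICATE REQUEST-----'
    az keyvault certificate pending show --vault-name "$VAULT" -n "$CERT" --query csr -o tsv | fold -w 64
    echo '-----END CERTIFICATE REQUEST-----'; } > "$CERT.csr"
}

merge_signed() {
  # $1 = the CA's signed certificate (PEM or DER). The private key never leaves the HSM.
  az keyvault certificate pending merge --vault-name "$VAULT" -n "$CERT" --file "$1"
}
case "${1:-}" in
  vault) create_vault ;;
  csr)   request_csr ;;
  merge) merge_signed "$2" ;;
esac
```

Run it as `sh setup.sh vault`, then `sh setup.sh csr` and submit the resulting `.csr` file with your order; after issuance, `sh setup.sh merge signed.cer` completes the certificate in the vault.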
FairSSL provides complete step-by-step installation guides with screenshots for both DigiCert and GlobalSign after purchase.
Azure DevOps pipeline example
AzureSignTool integrates into Azure DevOps, GitHub Actions and GitLab CI. Here is a minimal Azure Pipelines YAML example:
```yaml
- task: DotNetCoreCLI@2
  displayName: 'Install AzureSignTool'
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global AzureSignTool'
- bash: |
    # AzureSignTool does not expand wildcards itself, so let bash expand **/*.exe recursively.
    shopt -s globstar
    AzureSignTool sign \
      -kvu "$(KeyVaultUrl)" \
      -kvc "$(CertificateName)" \
      -kvt "$(TenantId)" \
      -kvi "$(ClientId)" \
      -kvs "$(ClientSecret)" \
      -fd sha256 \
      -tr http://timestamp.digicert.com \
      -td sha256 \
      "$(Build.ArtifactStagingDirectory)"/**/*.exe
  displayName: 'Sign executables'
```

Store Key Vault credentials as pipeline variables or use Azure RBAC with a managed identity for keyless authentication. Required Key Vault roles: Key Vault Crypto User, Key Vault Certificate User, Key Vault Secrets User.
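The keyless variant described above, as an added example that is not FairSSL's or the AzureSignTool project's code: the three Key Vault roles are granted to the pipeline identity scoped to the vault only, and signing uses AzureSignTool's `-kvm` (managed identity) option instead of a client secret. It assumes an agent that runs with a managed identity the vault trusts; the subscription, resource group, vault, certificate name and identity object ID are placeholders.

```shell
# Added example, not FairSSL's or the AzureSignTool project's code: least-privilege role
# assignment for the pipeline identity, then signing with -kvm (managed identity) instead of
# a client secret. Assumes an agent with a managed identity the vault trusts; subscription,
# group, vault, certificate name and object ID are placeholders.
set -eu
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"   # placeholder
RG="${RG:-rg-codesign}"
VAULT="${VAULT:-kv-codesign-example}"
IDENTITY_OBJECT_ID="${IDENTITY_OBJECT_ID:-00000000-0000-0000-0000-000000000001}"  # placeholder
KEYVAULT_URL="${KEYVAULT_URL:-https://$VAULT.vault.azure.net}"
CERT_NAME="${CERT_NAME:-codesign-2025}"

# Resource ID of the vault. Scoping the roles here rather than at subscription level keeps
# the pipeline identity away from every other vault and key.
vault_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}
# The three roles the page lists: sign with the key, read the certificate, read the PEM secret.
grant_signing_roles() {
  scope="$(vault_scope "$SUBSCRIPTION" "$RG" "$VAULT")"
  for role in "Key Vault Crypto User" "Key Vault Certificate User" "Key Vault Secrets User"; do
    az role assignment create --assignee-object-id "$IDENTITY_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  done
}

# AzureSignTool arguments: -kvm replaces -kvi/-kvs, so no secret is stored as a pipeline
# variable. The RFC 3161 timestamp is mandatory so signatures stay valid after the
# certificate's 459-day lifetime ends. Returns 1 if any required value is missing.
sign_args() {
  kvu="$1"; kvc="$2"; tsa="$3"
  if [ -z "$kvu" ] || [ -z "$kvc" ] || [ -z "$tsa" ]; then
    echo "vault URL, certificate name and timestamp URL are all required" >&2
    return 1
  fi
  printf 'sign -kvu %s -kvc %s -kvm -fd sha256 -tr %s -td sha256' "$kvu" "$kvc" "$tsa"
}
# Sign the files given as arguments, e.g. sign_files dist/*.exe dist/*.dll
sign_files() {
  args="$(sign_args "$KEYVAULT_URL" "$CERT_NAME" "http://timestamp.digicert.com")"
  # shellcheck disable=SC2086  # splitting $args into separate words is intended
  AzureSignTool $args "$@"
}

case "${1:-}" in
  roles) grant_signing_roles ;;
  sign)  shift; sign_files "$@" ;;
esac
```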
Code Signing certificates for Azure Key Vault
OV Code Signing
DigiCert CodeSign OV
DigiCert OV Code Signing. Works with Azure Key Vault.
GlobalSign CodeSign
GlobalSign OV Code Signing. Works with Azure Key Vault.