Certificate Services Support

Code Signing Private Key Protection Requirements for Cloud HSM Providers

Effective 1 June 2023, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL 4+. In practice this means the key pair is generated on a device from which the private key cannot be exported.
If you use a cloud key storage solution such as Azure Key Vault or AWS CloudHSM as your provider, you are affected by the new compliance requirements. After the 1 June 2023 deadline, if you have not completed Code Signing Verification, you will be blocked from issuing or renewing code signing certificates.
This article describes the information about your cloud HSM setup that you must submit to satisfy the verification requirements.

Prerequisites:
•    A subscription to Microsoft Azure
•    Azure Key Vault with Managed HSM activated (instructions to activate Managed HSM)

Supported Vendors:
•    Microsoft Azure Key Vault
•    Amazon AWS CloudHSM (Instructions coming soon)


Configure Policies in Azure Key Vault
The following three Azure Policy definitions must be assigned to demonstrate adequate protection of the private keys in your Azure environment, and all three assignments must report a “Compliant” state. The instructions below walk through assigning each policy.


Assign policy #1 (Keys should be backed by a hardware security module (HSM))

1. Log in to your Azure environment and go to “Policy.” Click “Assign policy.”

2. Click the ellipsis menu for “Policy definition.”

3. Search for “Keys should be backed by a hardware security module (HSM)” and click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true on the resource compliance screen:
  • Resource compliance state should be Compliant.
  • At least one resource must be compliant.
  • No exceptions are permitted.

Note: The policy check might take up to 48 hours to complete.

Assign policy #2 (Resource logs in Key Vault should be enabled)

1. Go to the “Policy” screen and click “Assign policy.”

2. Click the ellipsis menu for “Policy definition.”

3. Search for “Resource logs in Key Vault should be enabled” and click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true on the resource compliance screen:
  • Resource compliance state should be Compliant.
  • At least one resource must be compliant.
  • No exceptions are permitted.

Note: The policy check might take up to 48 hours to complete.

Assign policy #3 (Resource logs in Azure Key Vault Managed HSM should be enabled)

1. Log in to your Azure environment and go to “Policy.” Click “Assign policy.”

2. Click the ellipsis menu for “Policy definition.”

3. Search for “Resource logs in Azure Key Vault Managed HSM should be enabled” and click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true on the resource compliance screen:
  • Resource compliance state should be Compliant.
  • No exceptions are permitted.

Note: The policy check might take up to 48 hours to complete.
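The same three assignments and the compliance check, done with the Az PowerShell module instead of the portal, as an added example that is not the article's or Microsoft's own code. It assumes the Az.Resources and Az.PolicyInsights modules are installed, Connect-AzAccount has already been run with rights to create policy assignments at subscription scope, and the assignment names are placeholders chosen for this example.

```powershell
# Added example: assign the article's three built-in policies at subscription scope
# and read back their compliance state with the Az PowerShell module.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount
# has been run with rights to create policy assignments, and the assignment
# names below are placeholders chosen for this example.

$policies = @(
    @{ Name = 'codesign-keys-hsm-backed';    Display = 'Keys should be backed by a hardware security module (HSM)';      MinCompliant = 1 }
    @{ Name = 'codesign-kv-resource-logs';   Display = 'Resource logs in Key Vault should be enabled';                   MinCompliant = 1 }
    @{ Name = 'codesign-mhsm-resource-logs'; Display = 'Resource logs in Azure Key Vault Managed HSM should be enabled'; MinCompliant = 0 }
)
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Look the built-in definitions up by display name so no definition GUID is hard-coded.
# Older Az.Resources exposes DisplayName under .Properties; newer releases flatten it.
$builtins = Get-AzPolicyDefinition -Builtin
foreach ($p in $policies) {
    $def = $builtins | Where-Object {
        $_.Properties.DisplayName -eq $p.Display -or $_.DisplayName -eq $p.Display
    } | Select-Object -First 1
    if (-not $def) { throw "Built-in policy definition not found: $($p.Display)" }

    New-AzPolicyAssignment -Name $p.Name -DisplayName $p.Display `
        -PolicyDefinition $def -Scope $scope | Out-Null
}

# Evaluation normally runs on a schedule (the article allows up to 48 hours);
# an on-demand scan of the subscription shortens the wait. This call blocks
# until the scan finishes.
Start-AzPolicyComplianceScan | Out-Null

# Mirror the article's acceptance criteria per assignment: the required number of
# Compliant resources and no NonCompliant resources (no exceptions are permitted).
foreach ($p in $policies) {
    $states       = @(Get-AzPolicyState -PolicyAssignmentName $p.Name)
    $compliant    = @($states | Where-Object ComplianceState -eq 'Compliant').Count
    $nonCompliant = @($states | Where-Object ComplianceState -eq 'NonCompliant').Count
    [pscustomobject]@{
        Assignment       = $p.Name
        Compliant        = $compliant
        NonCompliant     = $nonCompliant
        MeetsRequirement = ($compliant -ge $p.MinCompliant) -and ($nonCompliant -eq 0)
    }
}
```

A MeetsRequirement value of False on any row means the corresponding portal screen will not show the state the article requires, so fix the flagged vault or HSM before submitting the verification.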

If you require assistance assigning these policies, please contact Microsoft Azure’s support team.