SSL.com

Generate a Certificate Signing Request in Azure Key Vault

Prerequisites

An Azure Key Vault (Premium tier). Use the Premium tier for this process because it is FIPS 140-2 Level 3 validated; the HSM-backed key types used below are only available on Premium.

For instructions on how to create an Azure Key Vault, please refer to the next section: Create an Azure Key Vault.

If you already have an existing Azure Key Vault, proceed directly to the section: Generate a Certificate Signing Request in Azure Key Vault.

Create an Azure Key Vault

  1. Sign in to the Azure portal.
  2. Click Create a resource.

  3. Scroll to Key Vault and click the Create link.
  4. Under the Basics section, perform the following.
    1. Select the subscription and resource group. If needed, you can create a new resource group by clicking Create new.
    2. Assign a name and region. Provide a name for your Key Vault and choose a region.
    3. Opt for the Premium pricing tier. To comply with the FIPS 140-2 standard, select the “Premium” pricing tier.
    4. Configure recovery options. Set the recovery options for your Key Vault, including purge protection and the retention period for deleted vaults.
    5. Click the Next button to proceed to the Access Configuration Settings section.
  5. Click Access configuration. Set the access policies for your Key Vault.

  6. Click Networking. Choose a connectivity method for your Key Vault.

  7. Click Tags. If desired, create tags for your Key Vault.

  8. Continue to Review + create. Review your settings, then click the Create button to create your new Key Vault.

  9. Azure will then create your new Key Vault. Once it is ready, you can access it by clicking the Go to resource button.

Generate a Certificate Signing Request in Azure Key Vault

  1. Select your key vault and click Certificates.
  2. Click the Generate/Import button to open the Create a certificate window.

  3. Complete the following fields:
    1. Method of Certificate Creation: Select “Generate.”
    2. Certificate Name: Enter a unique name for your certificate.
    3. Type of Certificate Authority (CA): Choose “Certificate issued by a non-integrated CA.”
    4. Subject: Provide the X.509 Distinguished Name for your certificate.
    5. Validity Period: You can leave this set to the default of 12 months. For code signing certificates with longer validity periods, the issued certificate will match your order, not the CSR.
    6. Content Type: Select “PEM.”
    7. Lifetime Action Type: Configure Azure to send email alerts based on a certain percentage of the certificate’s lifetime or a specific number of days before expiration.
  4. Advanced Policy Configuration. Click Advanced Policy Configuration to set the key size, type, and policies for key reuse and exportability.
    1. For certificates issued by SSL.com, you can leave Extended Key Usages (EKUs), X.509 Key Usage Flags, and Enable Certificate Transparency at their default values.
    2. Reuse Key on Renewal? Select No.
    3. Exportable Private Key? Select No.
    4. Key Type. Select RSA+HSM.
    5. Key Size. For a code signing certificate, choose either 3072 or 4096 bits.
  5. When you are finished setting the Advanced Policy Configuration, click the OK button, followed by Create.
  6. In the Certificates section, locate your certificate in the list of in-progress, failed, or cancelled certificates and click it.

  7. Click Certificate Operation.

  8. Click Download CSR and save the file in a secure location.
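The same CSR request scripted with the Azure CLI, as an added example that is not part of the SSL.com article: the policy JSON mirrors the portal settings above (non-integrated CA, PEM, RSA-HSM, non-exportable, no key reuse, 12-month validity, e-mail alert), and the vault name, certificate name and subject DN are assumed values.

```shell
#!/usr/bin/env bash
# Added example, not SSL.com or Microsoft code. Requires `az login` first.
set -euo pipefail

# Emit the certificate policy that matches the portal settings:
# issuer "Unknown" = non-integrated CA, PEM content type, RSA-HSM key of
# 3072/4096 bits, not exportable, not reused on renewal, 12-month validity,
# e-mail alert 30 days before expiry.
write_policy() {
  local subject="$1" key_size="${2:-4096}"
  case "$key_size" in
    3072|4096) ;;
    *) echo "key size must be 3072 or 4096" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": { "exportable": false, "keyType": "RSA-HSM",
                     "keySize": $key_size, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pem-file" },
  "x509CertificateProperties": { "subject": "$subject", "validityInMonths": 12 },
  "lifetimeActions": [ { "trigger": { "daysBeforeExpiry": 30 },
                         "action": { "actionType": "EmailContacts" } } ]
}
EOF
}

# The CLI returns the pending CSR as bare base64 DER; wrap it as PEM so it
# can be submitted like the portal's "Download CSR" file.
csr_to_pem() {
  printf -- '-----BEGIN CERTIFICATE REQUEST-----\n'
  printf '%s' "$1" | fold -w 64
  printf '\n-----END CERTIFICATE REQUEST-----\n'
}

# Full flow: refuse non-Premium vaults (no HSM keys there), create the
# certificate request, then read the CSR from the pending operation.
request_csr() {
  local vault="$1" name="$2" subject="$3" key_size="${4:-4096}" sku
  sku=$(az keyvault show --name "$vault" --query "properties.sku.name" -o tsv)
  [ "$(printf '%s' "$sku" | tr '[:upper:]' '[:lower:]')" = "premium" ] \
    || { echo "vault $vault is not Premium tier" >&2; return 1; }
  write_policy "$subject" "$key_size" > policy.json
  az keyvault certificate create --vault-name "$vault" --name "$name" \
    --policy @policy.json >/dev/null
  csr_to_pem "$(az keyvault certificate pending show --vault-name "$vault" \
    --name "$name" --query csr -o tsv)"
}
# Usage (assumed names): request_csr kv-codesign-example codesign-cert "CN=Example Corp,O=Example Corp,C=US" 4096 > request.csr
```

Keep the resulting `request.csr` in a secure location, as in step 8; the private key never leaves the HSM because `exportable` is false.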

Submit the Certificate Signing Request (CSR) to SSL.com

Submit the downloaded CSR file to the SSL.com agent assigned to your account. The agent will then verify the CSR and provide updates until the signing certificate is ready for issuance.
