Azure Trusted Signing: A Guide to Certificate Management

Azure Trusted Signing is a service that helps you manage digital certificates and identities in Azure. It provides a secure way to authenticate and authorize users, devices, and applications.

To use Azure Trusted Signing, you need to create a certificate in the Azure portal. This certificate is used to sign and verify the identity of users, devices, and applications.

Azure Trusted Signing supports multiple types of certificates, including X.509 certificates and JSON Web Tokens (JWT). These certificates can be used for various purposes, such as authentication, authorization, and encryption.

You can use Azure Trusted Signing to automate certificate management tasks, such as renewal and revocation. This helps ensure that your certificates remain valid and secure.

You might like: How to Use Microsoft Azure

To set up Azure Trusted Signing, you'll need to create a support ticket in the Azure portal. You can also post a question or search for related questions on Microsoft Q&A or Stack Overflow, using the tags Azure Trusted Signing or trusted-signing.

For another approach, see: Azure Code Signing

First, you'll need to create an App Registration user. This is a crucial step, so make sure to follow the instructions carefully. In Step 4, you'll create an App Registration user, which will be used for Trusted Signing.

Next, you'll need to add the signer role to your App Registration user. This is done by searching for the App Registration user you created by name, in my case, "trusted-signing". I typed in "trusted" to bring up the user.

To double-check that you've done it right, go to IAM > Role Assignments and verify that the two roles are there.

Certificate management is a crucial aspect of Azure Trusted Signing. Certificates are created and rotated daily, but you need to create a "profile" to access and sign with them.

To create a certificate profile, you'll need to pick a name, which you'll use later when signing. You'll also need to select your verified identity from the last step under Verified CN and O.

Certificate profiles are the logical containers of the certificates issued to you for signing. If your identity validation expires, certificate renewal stops, and all signing processes associated with those specific certificate profiles stop. To continue signing, create another identity validation and associate it with the relevant certificate profiles.

Discover more: What Is Managed Identity in Azure

Creating a certificate profile is a crucial step in the certificate management process. You'll need to create a Public Trust profile to access and sign with the actual certs on Azure Trusted Signing, which are created and rotated daily.

To create a certificate profile, you'll need to pick a name that meets the naming constraints. These include containing from 5 to 100 alphanumeric characters, beginning with a letter, ending with a letter or number, and not containing consecutive hyphens.

A certificate profile name is not case-sensitive, so ABC is the same as abc. It's also unique within the account and in the same Azure region as the account, by default.

To create a certificate profile in the Azure portal, follow these steps:

1. Go to your new Trusted Signing account.

2. Select Certificate profiles.

3. On the command bar, select Create and select a certificate profile type.

4. Provide the following information:

5. Select Create.

Alternatively, you can create a certificate profile using the Azure CLI with the following command:

az trustedsigning certificate-profile create -g MyResourceGroup --account-name MyAccount -n MyProfile --profile-type PublicTrust --identity-validation-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

You can also include optional fields such as street address or postal code in the subject name of the certificate by using the following command:

az trustedsigning certificate-profile create -g MyResourceGroup --account-name MyAccount -n MyProfile --profile-type PublicTrust --identity-validation-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --include-street true

To find your identity validation ID in the Azure portal, follow these steps:

1. Go to your Trusted Signing account.

2. Select Identity validations.

3. Select the hyperlink for the relevant entity.

4. Copy the value for Identity validation Id.

You can also use the following command to list all certificate profiles associated with a Trusted Signing account:

az trustedsigning certificate-profile list -g MyResourceGroup --account-name MyAccount

To get the details for a certificate profile, use the following command:

az trustedsigning certificate-profile show -g MyResourceGroup --account-name MyAccount -n MyProfile

Broaden your view: Azure Workload Identity

To delete a certificate profile, you need to select the one you want to delete.

You can do this in the Azure portal by going to your Trusted Signing account and selecting Certificate profiles. From there, you can pick the certificate profile you want to delete.

The process is straightforward: select the certificate profile, then click Delete on the command bar. This will stop any signing associated with the certificate profile.

Note that deleting a certificate profile doesn't affect the overall Trusted Signing account. To delete a Trusted Signing account, you need to follow a different process.

Here are the steps to delete a certificate profile in the Azure portal:

Alternatively, you can use the Azure CLI to delete a certificate profile by running a specific command.

Organization validation failure can be frustrating, but it's essential to understand the reasons behind it. If your organization has a year-founded date of less than three years, identity validation will fail, and you won't be able to onboard.

If your organization has a year-founded date of more than three years, double-check that you didn't miss an email verification link that was sent to your primary email address. The link expires after seven days, so act fast if you need to verify your identity.

If identity validation fails due to missing documentation, the Microsoft validation team won't be able to make a determination about your request. Even if you provide more documentation, if they can't validate the information, you won't be onboarded to Trusted Signing.

To avoid unnecessary billing, delete your Trusted Signing account if identity validation fails due to missing documentation.

Here are some key points to remember:

In CI, you can use a trusted signing action for GitHub Actions.

Azure publishes a trusted signing action for GitHub Actions which basically scripts inputs to the Powershell integration.

You'll need 6 pieces of information that we'll add as GitHub secrets, including AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET.

AZURE_ENDPOINT is the URL for the region you selected, and you can find this labelled Account URI on the main Trusted Signing Account page in Azure.

For me, in the EU, it's https://weu.codesigning.azure.net/, but you'll need to check your region's specific URL.

You'll also need to store the name of your trusted signing account as a secret called AZURE_CODE_SIGNING_NAME.

Lastly, you'll need the AZURE_CERT_PROFILE_NAME from step 7.

This signs all exe files in the named directory, and I've opened an issue so we can just specify a single filename.

Success looks like this.

You'll need to create a Trusted Signing account, which is a logical container that holds identity validation and certificate profile resources. This account is a crucial step in the Azure Trusted Signing process.

To set up a Trusted Signing account, you'll need to add the "identity verifier" role to your Azure account. This involves going through a role wizard twice, once for your Azure user and once for the "App Registration" user.

You'll also need to set up the Trusted Signing Identity Verifier, which allows your Azure account to go through identity validation. This might seem redundant, but it's a necessary step for indie devs like us.

To create a Trusted Signing Account, you'll need to specify the region's endpoint when signing, which can be found on the main trusted signing account page after creation.

You'll see a URL on this page that you'll need later.

A Trusted Signing account is a logical container that holds identity validation and certificate profile resources.

You'll use this account to manage your identity and certificates.

To access the Trusted Signing account, you'll need to click on Access Control (IAM) and then Add role assignment.

This is where you'll assign the necessary roles to your Azure account.

You'll search for "trusted" to bring up the role, and then select the Trusted Signing Identity Verifier role.

This role is necessary to give your Azure account permission to go through identity validation.

You'll add this role to your main Azure user, and then select New Identity > Public.

This will complete the setup of the Trusted Signing Identity Verifier.

Suggestion: Azure Temporary Access Pass

To delete a Trusted Signing account, sign in to the Azure portal. This is the first step in the process, and it's essential to have your login credentials ready.

In the search box, enter "Trusted Signing Accounts" and select the option that appears. This will take you to the Trusted Signing Accounts page, where you can manage your accounts.

On the Trusted Signing Accounts page, select the account you want to delete. Make sure you're deleting the correct account to avoid any mistakes.

To delete the account, select the "Delete" option from the command bar. This action will remove all certificate profiles linked to the account, effectively stopping any signing processes associated with those profiles.

If you prefer to use the Azure CLI, you can delete a Trusted Signing account by running the following command: [insert command here]. This is a more technical approach, but it can be useful for those who are familiar with the Azure CLI.

Here are the steps to delete a Trusted Signing account:

Account naming constraints are crucial to ensure your Trusted Signing accounts and certificate profiles are set up correctly. A Trusted Signing account name must contain from 3 to 24 alphanumeric characters.

A Trusted Signing account name is not case-sensitive, so ABC is the same as abc. However, it's rejected by Azure Resource Manager if it begins with "one".

To create a unique account name, you need to follow specific constraints. Here are the key requirements:

It's essential to keep in mind that these constraints apply to both Trusted Signing accounts and certificate profiles. A certificate profile name must also begin with a letter, end with a letter or number, and not contain consecutive hyphens.

Here's a summary of the naming constraints for Trusted Signing accounts and certificate profiles:

Remember, these constraints are in place to ensure the smooth operation of your Trusted Signing accounts and certificate profiles.

To create an App Registration in Azure, you'll need to create API credentials that will be used outside of Azure. Give your App Registration a name, like I did with "trusted-signing", and keep the defaults.

You might enjoy: Azure App Insights vs Azure Monitor

Note the client ID and tenant ID for later signing, as you'll need to set them as environment variables AZURE_CLIENT_ID and AZURE_TENANT_ID. Then, add a secret, setting the expiry date to 24 months, and note the secret value, which you'll set as AZURE_CLIENT_SECRET.

This App Registration is what will allow you to sign your installers, and it's essential to get it set up correctly.

To register a resource provider, you'll need to sign in to the Azure portal or the Azure CLI. You can use either the Azure portal or the Azure CLI to register the Microsoft.CodeSigning Trusted Signing resource provider.

To register a Trusted Signing resource provider by using the Azure portal, you'll need to follow these steps: sign in to the Azure portal, select Subscriptions, and then select the subscription where you want to create Trusted Signing resources. You'll then need to select Resource providers, and in the list of resource providers, select Microsoft.CodeSigning.

See what others are reading: Windows Azure Overview

The status of the resource provider will be NotRegistered by default, but you can change it to Registered by selecting the ellipsis and then selecting Register. This will update the status of the resource provider.

Alternatively, you can use the Azure CLI to register a Trusted Signing resource provider. You'll need to sign in to the Azure CLI, install the Azure CLI extension, and then use the az provider register command to register the Microsoft.CodeSigning resource provider.

The command to register a Trusted Signing resource provider using the Azure CLI is az provider register --namespace "Microsoft.CodeSigning". You can also verify the registration using the az provider show command.

Here are the steps to register a Trusted Signing resource provider using the Azure CLI:

1. Sign in to the Azure CLI

2. Install the Azure CLI extension

3. Use the az provider register command to register the Microsoft.CodeSigning resource provider

4. Verify the registration using the az provider show command

For more insights, see: Azure Cli vs Azure Powershell

In App Registration, creating user credentials is a crucial step. This step creates API credentials for an arbitrary “App Application” to use outside of Azure.

Give your credentials a name, and keep the defaults. I called it "trusted-signing" in my example, but that's arbitrary.

Note the client ID and tenant ID for later signing. You'll set these as environment variables AZURE_CLIENT_ID and AZURE_TENANT_ID locally.

Add a secret, setting the expiry date to 24 months. Note the secret value of the created secret; you'll set this as AZURE_CLIENT_SECRET.

This process helps Azure know it's you when you go to sign your installers.

On a similar theme: Azure Credentials

To add the signer role to your App Registration, you'll need to start the wizard again and search for the App Registration user you created in Step 4. This user was given a name, and in my case, it was "trusted-signing".

Note the name of your App Registration user, as you'll need it to find it in the search results. I typed in "trusted" to bring up the user, so make sure to type in the exact name you gave it.

Double-check that you're assigning the role to the App Registration user, not your main Azure user. You can do this by going to IAM > Role Assignments and verifying that the two roles are there.

The role you need to add is the Trusted Signing Certificate Profile Signer role. This role lets you actually do the signing from the API.

Troubleshooting Azure Trusted Signing issues can be a challenge, but don't worry, I've got you covered. If you get an internal error, check that the CN name you used matches the certificate name.

Verify the package name, and copy the complete value for the subject from the Azure portal to the manifest file during signing. This simple step can save you a lot of headache.

To resolve issues with Private Trust signing, follow these steps:

By following these steps, you should be able to resolve common issues with Azure Trusted Signing.