
AzureKeyVaultCryptoToken

Overview

The Azure Key Vault Crypto Token implements storing keys in an Azure Key Vault, leveraging the advantages of cloud-stored keys.

For more information on the Microsoft Azure cloud Key Vault for HSM storage of cryptographic keys, refer to the Microsoft Azure Key Vault documentation.

CRYPTOTOKEN_IMPLEMENTATION=org.signserver.server.cryptotokens.AzureKeyVaultCryptoToken

Available Properties

Required properties:

KEY_VAULT_CLIENTID
  Specifies the Client ID. This is the “AD user” that is authorized to connect to and use the key vault.

KEY_VAULT_NAME
  Specifies the name of the key vault. If the name contains at least one dot, it is assumed to be the full host name of the vault (allowing for alternative endpoints); otherwise it is assumed to be the first part of a host name in the default namespace (<KEY_VAULT_NAME>.vault.azure.net).

KEY_VAULT_TYPE
  Specifies the type of key vault.
  Valid values: standard or premium

PIN
  Specifies the authentication code for activation.
  Only required for auto-activation; it is not required when the token is manually activated.

Other properties:

DEFAULTKEY
  Specifies the key alias of the private key to be used for testing that this crypto token is working.
  Since SignServer 7.4.0, the DEFAULTKEY property is no longer a required property for this worker.
  If no default key is set, a connection between this worker and the Azure Key Vault instance is established to determine whether the Worker is ACTIVE or OFFLINE.
  If a default key is set, a test signing is performed to determine whether the Worker is ACTIVE or OFFLINE.
  A property with this name is typically accepted by the worker using this crypto token and will then be the key to use for actual signing.

NEXTCERTSIGNKEY
  A property with this name is typically configured in the worker using this crypto token to hold the name of the next key to use. Certificate signing requests (CSR) can be made for this key while the current key (DEFAULTKEY) is still in production. After uploading the new certificate, the value of NEXTCERTSIGNKEY can be moved to DEFAULTKEY.
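As an added example (not code from SignServer or this documentation), the following Python checker applies the property rules above to a constructed worker properties snippet: it flags missing required properties and an invalid KEY_VAULT_TYPE, resolves the vault host name from KEY_VAULT_NAME, and reports whether the status check will be a connection test or a test signing. The WORKERGENID1 prefix and the sample values are assumptions made for the example.

```python
"""Hypothetical checker for AzureKeyVaultCryptoToken properties (not SignServer code)."""
from typing import Dict, List, Tuple

REQUIRED = ("KEY_VAULT_CLIENTID", "KEY_VAULT_NAME", "KEY_VAULT_TYPE")
VALID_TYPES = {"standard", "premium"}  # values listed in the documentation
DEFAULT_SUFFIX = ".vault.azure.net"    # default namespace for dot-less names

# Constructed sample in SignServer properties-file style; all values are placeholders.
SAMPLE = """
WORKERGENID1.NAME=AzureSigner
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION=org.signserver.server.cryptotokens.AzureKeyVaultCryptoToken
WORKERGENID1.KEY_VAULT_CLIENTID=00000000-0000-0000-0000-000000000000
WORKERGENID1.KEY_VAULT_NAME=example-vault
WORKERGENID1.KEY_VAULT_TYPE=premium
WORKERGENID1.DEFAULTKEY=signKey0001
"""


def parse_worker_properties(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, dropping the 'WORKERGENID<n>.' prefix from each key."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip().split(".", 1)[-1]] = value.strip()
    return props


def vault_host(name: str) -> str:
    """A name with at least one dot is the full host name (alternative endpoint);
    otherwise it is the first label of a host in the default namespace."""
    return name if "." in name else name + DEFAULT_SUFFIX


def check_token(props: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, notes): errors must be fixed, notes describe resulting behaviour."""
    errors: List[str] = []
    notes: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            errors.append(f"missing required property {key}")
    if props.get("KEY_VAULT_TYPE") not in VALID_TYPES:
        errors.append("KEY_VAULT_TYPE must be standard or premium")
    if not props.get("PIN"):
        notes.append("no PIN set: token must be activated manually")
    if props.get("DEFAULTKEY"):
        notes.append(f"status check: test signing with {props['DEFAULTKEY']}")
    else:
        notes.append("status check: connection test only (DEFAULTKEY unset)")
    if props.get("KEY_VAULT_NAME"):
        notes.append(f"endpoint: {vault_host(props['KEY_VAULT_NAME'])}")
    return errors, notes
```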

Known Limitations

The following lists limitations of the current implementation:

  • Import of certificate in token is not supported for this crypto token.

  • The Azure Key Vault Crypto Token does not provide any certificates and cannot be used with signers that require a certificate from the token such as OpenPGP-based signers. For details on PGP signing support, refer to DSS-2127.

  • If the Key Vault has soft-delete enabled, the keys will not be completely deleted by SignServer, and new keys cannot be created with the same name as keys that have been soft-deleted. For more information on the Key Vault's soft-delete feature, allowing recovery of the deleted vaults and vault objects, refer to the Microsoft Azure Key Vault soft-delete overview.
