On June 1st, 2023, the CA/Browser Forum’s Baseline Requirements for Code Signing changed. Certificate Authorities could no longer issue software-based OV code signing certificates in exportable formats such as .pfx. Instead, all new certificates must have their private keys stored in secure hardware (e.g., USB token, HSM, or cloud HSM), meaning you can no longer just protect a .pfx with a password and use it for signing.
This caused quite some turmoil for partners, and I remember getting questions from a lot of partners who were struggling to get certificates. I normally just referenced a number of articles and blog posts, thinking… how hard can it be?
Now, after I started my own company and need to prepare for creating AppSource apps and other apps where I need code signing, I had to try this myself. First I started googling, but found it hard to find what I needed, so I turned to ChatGPT:
I need to purchase a code signing certificate for my new company, which can be delivered in an HSM Azure KeyVault
Within seconds I got:
Got it 👍 You’re looking for a code signing certificate that can be stored in an Azure Key Vault HSM (Hardware Security Module) so you can use it for signing without ever exporting the private key.
… including details about which CAs support Azure Key Vault etc. – very nice. Reading through the answer, I decided to go for DigiCert and wanted to see if ChatGPT could take me all the way:
I need a standard code signing cert via digicert - how do I get started?
Shortly thereafter:
Great — here’s a practical roadmap for getting a standard (organization-validated) DigiCert code signing certificate and using it with Azure Key Vault’s HSM. I’ll also flag tricky parts so you can avoid common pitfalls.
… including a step-by-step guide on how to create a CSR in Azure etc., and whenever I had a problem, I would take a snip of part of the screen and ask ChatGPT:

What should these fields be?
ChatGPT says:
Perfect — you’re on the Azure Key Vault → Create a certificate screen. This is exactly where you’ll create the pending certificate request (CSR) to later submit to DigiCert. Let me walk you through each field and what to put when ordering a standard DigiCert code signing certificate
Instead of being frustrated and not able to figure out what to do – it encourages me and holds my hand – NICE. But now this:

Surely I need to call some expert for this? But no – just pasted the image into ChatGPT and it gave me a detailed explanation and a correct configuration summary:
EKU: 1.3.6.1.5.5.7.3.3 (Code Signing)
Key Usage: Digital Signature (+ optionally Non-Repudiation)
Exportable Private Key: No
Key Type: RSA
Key Size: 3072
Certificate Transparency: No
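The summary above, turned into an actual Key Vault certificate policy and the CLI round-trip (create the pending request, export the CSR for the CA's order form, merge the issued certificate back). This is an added example, not from the post; vault name, certificate name and subject are placeholders, and the key type is RSA-HSM, the HSM-backed variant in the Key Vault policy schema, which assumes a Premium-tier vault.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Replace the placeholder vault/cert/subject
# values before use. Requires the Azure CLI (`az`) and a logged-in session.
set -eu

# Write the certificate policy JSON in the shape accepted by
# `az keyvault certificate create --policy @file`.
# keyType RSA-HSM keeps the private key inside the vault's HSM and
# exportable=false means it can never leave as a .pfx; issuer "Unknown"
# marks an external CA (DigiCert), so Key Vault only produces a CSR.
write_policy() {
  subject="$1"; out="$2"
  cat >"$out" <<EOF
{
  "issuerParameters": { "name": "Unknown", "certificateTransparency": false },
  "keyProperties": { "exportable": false, "keyType": "RSA-HSM", "keySize": 3072, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "subject": "$subject",
    "validityInMonths": 12
  }
}
EOF
}

# Create the pending certificate (this generates the HSM key and the CSR)
# and save the CSR as PEM so it can be pasted into the CA's order form.
create_csr() {
  vault="$1"; name="$2"; policy="$3"; csr_out="$4"
  az keyvault certificate create --vault-name "$vault" --name "$name" --policy "@$policy" >/dev/null
  {
    echo "-----BEGIN CERTIFICATE REQUEST-----"
    az keyvault certificate pending show --vault-name "$vault" --name "$name" --query csr -o tsv | fold -w 64
    echo "-----END CERTIFICATE REQUEST-----"
  } >"$csr_out"
}

# Merge the certificate (or chain) the CA issued onto the pending request.
# The private key never moves; only the public certificate is imported.
merge_issued() {
  vault="$1"; name="$2"; cert_file="$3"
  az keyvault certificate pending merge --vault-name "$vault" --name "$name" --file "$cert_file"
}

# Typical sequence (placeholders):
#   write_policy "CN=Example Co,O=Example Co,C=DK" policy.json
#   create_csr my-vault codesign-2025 policy.json request.csr
#   merge_issued my-vault codesign-2025 issued-chain.p7b
```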
ChatGPT even asks me if I want help ordering my certificate with DigiCert, and now I decide to go all the way: every time I am in doubt, I just paste in the image and I get help:

and I get:
Perfect — you’re at the product selection screen for DigiCert code signing certificates. Let me break these four options down in the context of using Azure Key Vault HSM:
🔑 What each option means
- Code Signing – HSM (€44/mo, €528/yr)
  - ✅ This is the one you want.
  - It assumes you will generate the key in your own HSM (in your case, Azure Key Vault HSM).
  - You’ll provide DigiCert with the CSR generated inside Azure.
  - After validation, DigiCert issues a cert you merge back into Key Vault.
- Code Signing – Own Token (€44/mo)
  - For when you already have a USB token (like SafeNet) and want the certificate loaded there.
  - ❌ Not for Azure Key Vault.
- Code Signing – USB Token (€55/mo)
  - DigiCert will ship you a hardware token with the cert pre-installed.
  - ❌ Not needed if you’re using Azure HSM.
- Code Signing + KeyLocker (€64/mo)
  - DigiCert’s own cloud-based HSM service.
  - You’d sign through their API instead of Azure.
  - ❌ Skip this since you want Azure Key Vault.
Amazed, and within 1 hour, I have ordered a code signing certificate, which I will receive once my company and I have been validated.
Verdict
This process could easily have taken me many hours and much frustration, and with some very, very simple prompts, ChatGPT could guide me through the entire process.
What’s not to like!!!
I did not try the other AIs, but I kind of assume that if they can understand and read images, they should be able to do the same. I obviously don’t need more than one code signing certificate, but I will try a few other things with images and AIs another day – stay tuned…
This post was written on October 1st, 2025 – AIs might/will change…
Until next time
A Daily Prompt | Freddy Kristiansen
You can also buy Azure KeyVault Code Signing from SignMyCode for just $31/Month.