The following shows how to create the Azure Key Vault.
- Search for Key Vault in the Azure portal and then select Key vaults in the results.
![](/signserver-cloud/files/105343/105346/1/1700063774230/Search.png)
- Click Add.
- In the Create key vault section, enter the name for the Key Vault. In this example, create a Crypto Token vault for SignServer and use the name SignServerKeyVault. Note down the name, since it is required in SignServer when creating a Crypto Token.
- Specify the same Resource Group that the SignServer Instance uses.
![](/signserver-cloud/files/105343/105345/1/1700063774124/image2020-4-27_12-15-35.png)
- Under Pricing tier, there are two options, Standard and Premium. It is recommended to choose Premium and then click Select.
![](/signserver-cloud/files/105343/105354/1/1700063775215/image2020-4-27_11-56-37.png)
- Click Next to create an Access Policy from the Create Key Vault dialog, and then click Add Access Policy.
![](/signserver-cloud/files/105343/105353/1/1700063775088/image2020-4-27_11-58-1.png)
- Select Key Management from the Configure from template list.
- Select Key Permissions.
- Select all of the permissions under Cryptographic Operations.
![](/signserver-cloud/files/105343/105344/1/1700063773999/image2020-4-27_12-16-34.png)
- Click Select Principal.
![](/signserver-cloud/files/105343/105351/1/1700063774857/image2020-4-27_12-2-24.png)
- Search for the App Registration added in the previous section Creating an App Registration in Active Directory. In this example, select the name "signserver-vault" and click Select.
![](/signserver-cloud/files/105343/105352/1/1700063774989/image2020-4-27_11-59-35.png)
- Click Add on the Add access policy screen.
- Click OK on the Access policies screen.
- Click Next to configure Networking in the Virtual Network Access section.
- Select Public endpoint.
![](/signserver-cloud/files/105343/105350/1/1700063774736/image2020-4-27_12-7-49.png)
- Click Add existing virtual networks.
- From the Add networks list, select the virtual network in the resource group that SignServer Cloud was deployed into. In this example, SignServer_With_KeyVault.
![](/signserver-cloud/files/105343/105349/1/1700063774600/image2020-4-27_12-10-10.png)
- Click Select All under Subnets. Click Enable and wait for Azure to enable the service endpoint.
![](/signserver-cloud/files/105343/105348/1/1700063774493/image2020-4-27_12-10-38.png)
- Once completed, click Add.
- Click Next to assign any Tags if desired.
- Click Next to Review the configuration.
![](/signserver-cloud/files/105343/105347/1/1700063774367/image2020-4-27_12-13-40.png)
- Click Create and wait for the deployment to complete.
- Once the deployment completes, proceed to the next section to view Keys in Key Vault.
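
To confirm that the deployed vault matches the steps above, the following added example (not part of the SignServer documentation) audits the JSON printed by `az keyvault show --name SignServerKeyVault`. The function name, the sample documents, the placeholder IDs and the `example-vnet` network name are constructed for illustration, and the check assumes that restricting the public endpoint to selected virtual networks appears as a `Deny` default action.

```python
import json

# Key permissions the portal lists under "Cryptographic Operations".
CRYPTO_OPS = ("decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey")

def audit_vault(vault, principal_id, vnet_name):
    """Compare `az keyvault show` JSON with the steps above; return findings."""
    findings = []
    props = vault.get("properties", {})
    if props.get("sku", {}).get("name", "").lower() != "premium":
        findings.append("pricing tier is not Premium")
    # Collect key permissions granted to the SignServer principal only.
    keys = {k.lower() for p in props.get("accessPolicies", [])
            if p.get("objectId") == principal_id
            for k in p.get("permissions", {}).get("keys") or []}
    missing = [op for op in CRYPTO_OPS if op.lower() not in keys]
    if missing:
        findings.append("principal lacks key permissions: " + ", ".join(missing))
    # Assumption: selected-networks access shows up as defaultAction "Deny".
    acls = props.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() != "deny":
        findings.append("network default action is Allow (all networks)")
    wanted = "/virtualnetworks/%s/subnets/" % vnet_name.lower()
    if not any(wanted in r.get("id", "").lower()
               for r in acls.get("virtualNetworkRules") or []):
        findings.append("no subnet of %s is allowed" % vnet_name)
    return findings

# Constructed sample data with placeholder IDs, shaped like `az keyvault show` output.
PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # placeholder object ID
VNET = "example-vnet"                               # placeholder network name
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "example-rg/providers/Microsoft.Network/virtualNetworks/"
          + VNET + "/subnets/default")
AS_DOCUMENTED = {"name": "SignServerKeyVault", "properties": {
    "sku": {"family": "A", "name": "premium"},
    "accessPolicies": [{"objectId": PRINCIPAL, "permissions": {"keys": [
        "get", "list", "create", "decrypt", "encrypt",
        "unwrapKey", "wrapKey", "verify", "sign"]}}],
    "networkAcls": {"defaultAction": "Deny",
                    "virtualNetworkRules": [{"id": SUBNET}]}}}
DRIFTED = {"name": "SignServerKeyVault", "properties": {
    "sku": {"family": "A", "name": "standard"},
    "accessPolicies": [{"objectId": PRINCIPAL,
                        "permissions": {"keys": ["get", "list"]}}],
    "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []}}}

if __name__ == "__main__":
    for label, vault in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(label, json.dumps(audit_vault(vault, PRINCIPAL, VNET)))
```

An empty list means the vault matches the configuration from this section; each finding names the step that has drifted.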