The Azure Key Vault Crypto Token implements storing keys in an Azure Key Vault, leveraging the advantages of cloud-stored keys.

For more information on the Microsoft Azure cloud Key Vault for HSM storage of cryptographic keys, refer to the Microsoft Azure Key Vault documentation.


Available Properties


The key alias of the private key to be used for testing that this crypto token is working.

(warning) If this key does not exist, the crypto token/worker will show as OFFLINE even if it has been activated. This is typically the case when the crypto token has been set up for the first time and the key has not yet been generated. To resolve, generate a key with the key alias name.

A property with this name is typically also accepted by the worker using this crypto token and will then be the key to use for actual signing.


A property with this name is typically configured in the worker using this crypto token to hold the name of the next key to use.  Certificate signing requests (CSR) can be made for this key while the current key (DEFAULTKEY) is still in production. After uploading the new certificate the value of NEXTCERTSIGNKEY can be moved to DEFAULTKEY.

PINAuthentication code for activation. Only required for auto-activation and is not required when the token is manually activated.

The name of the key vault. If the name contains at least one dot, it's assumed to be the full host name of the vault (allowing for alternative endpoints), otherwise it's assumed to be the first part of a host name in the default namespace (<KEY_VAULT_NAME>.vault.azure.net).

KEY_VAULT_CLIENTIDClient ID, this is the “AD user” that is authorized to connect to and use the key vault.(tick)
KEY_VAULT_TYPEThe type of key vault. Valid values: “standard” or ”premium”.(tick)

Know Limitations

The following lists limitations of the current implementation.

  • Import of certificate in token is not supported for this crypto token.
  • The Azure Key Vault Crypto Token does not provide any certificates and cannot be used with signers that require a certificate from the token such as OpenPGP-based signers. For details on PGP signing support, refer to DSS-2127.
  • If the Key Vault has soft-delete enabled, the keys will not be completely deleted by SignServer and new keys cannot be created with the same name as keys that have been soft-deleted. For more information on the Key Vault's soft-delete feature, allowing recovery of the deleted vaults and vault objects, refer to the Microsoft Azure Key Vault soft-delete overview.