Custom Digital Signatures with Azure Based Certificates – Setting up the Azure Environment

Summary: In this article, we’ll explore how to digitally sign a PDF using a cloud-based key stored in Azure Key Vault, leveraging a digital signature SDK.

PDFs are everywhere, used for documentation, invoices, contracts and many, many other things. When working with contracts though, how can you tell whether a “signed” document was actually signed by the correct person, and that no changes have been made to the file since?

That is where Digital Signatures come in - providing a secure, verifiable, and tamper-proof way to ensure the authenticity and integrity of documents.

This is the fourth article in a series about using Digital Signatures with the Apryse SDK. Previously, we have seen how to create a digital certificate for testing, use that locally to digitally sign a file, then see the resulting signed PDF within Xodo PDF Studio and show when something has changed in the file.

In this and the next article we will look at how to digitally sign a PDF using a cloud-based key – in particular one that is stored in an Azure Key Vault.

Setting up the Azure Key Vault is a little complex, so we will go through that step by step. The important things to note though are:

In this article, we will look at how to set up the Azure Environment to contain the elements that are needed to generate the digital signature. The actual process of using code to implement that functionality and apply the digital signature to the code will be covered in the next article.

Get yourself an Azure account and log into the Azure Portal.

The Azure UI may change over time. This article was written in January 2025, and the screen shots were taken at that time.

Azure supports dozens of tools and other resources – which makes it hugely powerful, but also hard to find things when you get started. Thankfully it has a handy Search bar, which will quickly let you find the things that are used in this article.

Before we can store a certificate within Azure, we need to create a Resource Group where it will be hosted, so let’s do that.

Enter “Resource Groups” into the Search box which will show you the list of those, if any, that already exist. Click Create to start the process of defining a new Resource Group.

Next give the Resource Group a name – for this article I am using “PDF-signing-test”.

There is also the option to add tags to the Resource Group to help you to organize your resources, but for now we can skip doing that. Azure will then validate the data you entered, then click Create.

After a few moments, the Resource Group will appear in your account.

When we get to writing code (which we will do in the next article), we will need to have something running within Azure that is able to use a Digital Certificate to actually sign data that is passed to it. This “something’ is a Cryptography Client, which we need to create and register in order for it to be accessible from our code.

Select App Registrations (you can search for it in the Search bar of Azure if you need to), then click New registration.

Next choose a name for the Cryptography Client – for now we will use “DigitallySignPDF”, but you can call it whatever you want. That name won’t be used from our code and is used only for display purposes within the Azure Portal.

When you are ready, click Register. After a few moments, you will see some details for the application, including the “Client ID” and the “Tenant ID”. We will need those in the next article, so record them somewhere.

Since we want to have control over who can use the app that we have just registered (after all, we are using it to Digitally sign documents on our behalf), we need a way to identify that the application that we will create is allowed to use it – that is done with a secret. You can create one by clicking Add a certificate of secret.

When you are creating the secret, you can also specify a description and validity period. The length of the validity period is up to you – but 6 months is recommended.

Once the secret has been created, you should copy it and keep it secret (the clue is in the name), since it is, in effect, a password. Anyone with that secret can pretend to be you, so protect it accordingly.

Having a service that can be used to digitally sign data is not much use if there is no digital certificate available. Before we can import the certificate, we need somewhere that it can be stored – and within Azure, that is a “Key Vault”.

Azure Key Vault is a cloud service that securely stores and manages secrets, such as passwords, certificates, and API keys – exactly what we need.

In order to create a Key Vault, search for “Key Vault” in the Azure search box. This will start the wizard needed to create one. Enter the Resource Group where you want the Key Vault located (we will use “PDF-Signing-test” that we created earlier) and choose a name for the new vault (we’ll call it “PDF-signing-key-vault”).

For now, we will just use the Standard Pricing tier. If you want to use an HSM backed key, then you will need to select the Premium tier. We won’t cover that in this article though.

Click Next and this will take you to a pane where you can specify Access Configuration.

Microsoft recommends role-based access control, but for this article we will use the Vault access Policy, which is a little simpler to get started with.

As we have already created the Cryptography Client app that will be using the Key Vault, we will specify the Access Policy now by clicking Create.

If you skipped that part, then you can update the access policy at a later time once you have created the Cryptography Client.

You need to specify what the service is allowed to access, and that should be based on the minimum number of things that are needed in order for the service to perform its work. While you could enable access to all Cryptographic Operations and Certificates, that is providing more access than is needed for this article; in fact, we will only need the service to be able to Sign data and Get certificates.

Now click Next and it will ask you to specify the Principal. This will be the Cryptography Client app that we just registered which we called “DigitallySignPDF”.

Enter “Digi” into the search box and that service will appear in the results.

Select “DigitallySignPDF” and click Next.

After a couple of clicks, you will ultimately be ready to “Review + create” the Access Policy.

If everything is as you expect, then click Create and in a few moments, you should be able to see the Access Policy in the Key Vault wizard.

We haven’t actually finished creating the Key Vault yet, so you will also need to click Review + create, check that everything is correct, then click Create. After a short time, the deployment will complete.

Once deployment is complete, click Go to resource, and you can see the properties of the Key Vault. Record the value for Vault URI – as that is how we will access this vault's contents in the next part of the process.

We’re almost there, but we still need to import the Digital Certificate that we will use to sign our PDF.

We can either generate one within the Key Vault or import an existing one.

Click Certificates then Generate/Import.

For this article I’m going to use the certificate that we created in Part One of this series. You will need to give it a name and record the name that you use. For this article I will call it “BlogCert”.

Once you click Create, the certificate will be added to the Key Vault.

If you click on the data for the certificate, then you will be shown the available versions of the certificate, and various details for the certificate. You will need to record the Key Identifier.

That’s everything done in Azure.

In the next article we will use these Azure-based resources. In order to do that, we will need to collect together some data that uniquely identifies them.

There are six pieces of information that you need to record.

Great, that’s everything that we need to do in Azure. In the next article we will use these resources to create a Digitally Signed PDF using the Apryse SDK.

There are a few steps to getting Azure set up to allow creation of Digital Signatures using a Digital Certificate hosted on Azure. Don’t be put off though - many organizations will have IT staff that will find this a cinch, and if not, then the steps covered in this article will help you get to the point where everything is in place, ready to sign your PDF.