|
| 1 | +--- |
| 2 | +title: Artifact Signing certificate management |
| 3 | +description: Get an introduction to Artifact Signing certificates. Learn about unique certificate attributes, the service's zero-touch certificate lifecycle management process, and effective ways to manage certificates. |
| 4 | +titleSuffix: "Azure" |
| 5 | +author: TacoTechSharma |
| 6 | +ms.author: mesharm |
| 7 | +ms.service: trusted-signing |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 01/06/2026 |
| 10 | +ms.custom: template-concept |
| 11 | +--- |
| 12 | + |
| 13 | +# Artifact Signing certificate management |
| 14 | + |
| 15 | +This article describes Artifact Signing certificates, including their two unique attributes, the service's zero-touch lifecycle management process, the importance of time stamp countersignatures, and Microsoft active threat monitoring and revocation actions. |
| 16 | + |
| 17 | +The certificates that are used in the Artifact Signing service follow standard practices for X.509 code signing certificates. To support a healthy ecosystem, the service includes a fully managed experience for X.509 certificates and asymmetric keys for signing. The fully managed Artifact Signing experience provides all certificate lifecycle actions for all certificates in an Artifact Signing certificate profile resource. |
| 18 | + |
| 19 | +## Certificate attributes |
| 20 | + |
| 21 | +Artifact Signing uses the certificate profile resource type to create and manage X.509 v3 certificates that Artifact Signing customers use for signing. The certificates conform to the RFC 5280 standard and to relevant Microsoft PKI Services Certificate Policy (CP) and Certification Practice Statements (CPS) resources that are in the [Microsoft PKI Services repository](https://www.microsoft.com/pkiops/docs/repository.htm). |
| 22 | + |
| 23 | +In addition to standard features, certificate profiles in Artifact Signing include the following two unique features to help mitigate risks and impacts that are associated with misuse or abuse of certificate signing: |
| 24 | + |
| 25 | +- Short-lived certificates |
| 26 | +- Subscriber identity validation Extended Key Usage (EKU) for durable identity pinning |
| 27 | + |
| 28 | +### Short-lived certificates |
| 29 | + |
| 30 | +To help reduce the impact of signing misuse and abuse, Artifact Signing certificates are renewed daily and are valid for only 72 hours. In these short-lived certificates, revocation actions can be as acute as a single day or as broad as needed to cover any incidents of misuse and abuse. |
| 31 | + |
| 32 | +For example, if it's determined that a subscriber signed code that was malware or a potentially unwanted application (PUA) as defined in [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/defender/criteria), revocation actions can be isolated to revoking only the certificate that signed the malware or PUA. The revocation affects only the code that was signed by using that certificate on the day that it was issued. The revocation doesn't apply to any code that was signed before that day or after that day. |
| 33 | + |
| 34 | +### Subscriber identity validation EKU |
| 35 | + |
| 36 | +It's common for X.509 end-entity signing certificates to be renewed on a regular timeline to ensure key hygiene. Due to Artifact Signing's *daily certificate renewal*, pinning trust or validation to an end-entity certificate that uses certificate attributes (for example, the public key) or a certificate's *thumbprint* (the hash of the certificate) isn't durable. Also, Subject Distinguished Name (subject DN) values can change over the lifetime of an identity or organization. |
| 37 | + |
| 38 | +To address these issues, Artifact Signing provides a durable identity value in each certificate that's associated with the subscription's identity validation resource. The durable identity value is a custom EKU that has the prefix `1.3.6.1.4.1.311.97.` and is followed by more octet values that are unique to the identity validation resource that's used on the certificate profile. Here are some examples: |
| 39 | + |
| 40 | +- **Public Trust identity validation example** |
| 41 | + |
| 42 | + A value of `1.3.6.1.4.1.311.97.990309390.766961637.194916062.941502583` indicates an Artifact Signing subscriber that uses Public Trust identity validation. The `1.3.6.1.4.1.311.97.` prefix is the Artifact Signing Public Trust code signing type. The `990309390.766961637.194916062.941502583` value is unique to the subscriber's identity validation for Public Trust. |
| 43 | + |
| 44 | +- **Private Trust identity validation example** |
| 45 | + |
| 46 | + A value of `1.3.6.1.4.1.311.97.1.3.1.29433.35007.34545.16815.37291.11644.53265.56135` indicates an Artifact Signing subscriber that uses Private Trust identity validation. The `1.3.6.1.4.1.311.97.1.3.1.` prefix is the Artifact Signing Private Trust code signing type. The `29433.35007.34545.16815.37291.11644.53265.56135` value is unique to the subscriber's identity validation for Private Trust. |
| 47 | + |
| 48 | + Because you can use Private Trust identity validations for Windows Defender Application Control (WDAC) code integrity (CI) policy signing, they have a different EKU prefix: `1.3.6.1.4.1.311.97.1.4.1.`. But the suffix values match the durable identity value for the subscriber's identity validation for Private Trust. |
| 49 | + |
| 50 | +> [!NOTE] |
| 51 | +> You can use durable identity EKUs in WDAC CI policy settings to pin trust to an identity in Artifact Signing. For information about creating WDAC policies, see [Use signed policies to protect Windows Defender Application Control against tampering](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering) and [Windows Defender Application Control Wizard](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard). |
| 52 | +
|
| 53 | +All Artifact Signing Public Trust certificates also contain the `1.3.6.1.4.1.311.97.1.0` EKU to be easily identified as a publicly trusted certificate from Artifact Signing. All EKUs are provided in addition to the code signing EKU (`1.3.6.1.5.5.7.3.3`) to identify the specific usage type for certificate consumers. The only exception is certificates that are the Artifact Signing Private Trust CI Policy certificate profile type, in which no code signing EKU is present. |
| 54 | + |
| 55 | +## Zero-touch certificate lifecycle management |
| 56 | + |
| 57 | +Artifact Signing aims to simplify signing as much as possible for each subscriber. A major part of simplifying signing is to provide a fully automated certificate lifecycle management solution. The Artifact Signing zero-touch certificate lifecycle management feature automatically handles all standard certificate actions for you. |
| 58 | + |
| 59 | +It includes: |
| 60 | + |
| 61 | +- Secure key generation, storage, and usage in FIPS 140-2 Level 3 hardware crypto modules that the service manages. |
| 62 | +- Daily renewals of certificates to ensure that you always have a valid certificate to use to sign your certificate profile resources. |
| 63 | + |
| 64 | +Every certificate that you create and issue is logged in the Azure portal. You can view logging data feeds that include certificate serial number, thumbprint, created date, expiry date, and status (for example, **Active**, **Expired**, or **Revoked**) in the portal. |
| 65 | + |
| 66 | +> [!NOTE] |
| 67 | +> Artifact Signing does *not* support importing or exporting private keys and certificates. All certificates and keys that you use in Artifact Signing are managed inside FIPS 140-2 Level 3 operated hardware crypto modules. |
| 68 | +
|
| 69 | +## Time stamp countersignatures |
| 70 | + |
| 71 | +The standard practice in signing is to countersign all signatures with an RFC 3161-compliant time stamp. Because Artifact Signing uses short-lived certificates, time stamp countersigning is critical for a signature to be valid beyond the life of the signing certificate. A time stamp countersignature provides a cryptographically secure time stamp token from a Time Stamping Authority (TSA) that meets the standards of the Code Signing Baseline Requirements (CSBRs). |
| 72 | + |
| 73 | +A countersignature provides a reliable date and time of when signing occurred. If the time stamp countersignature is inside the signing certificate's validity period and the TSA certificate's validity period, the signature is valid. It's valid long after the signing certificate and the TSA certificate expire (unless either are revoked). |
| 74 | + |
| 75 | +Artifact Signing provides a generally available TSA endpoint at `http://timestamp.acs.microsoft.com`. We recommend that all Artifact Signing subscribers use this TSA endpoint to countersign any signatures they produce. |
| 76 | + |
| 77 | +## Active monitoring |
| 78 | + |
| 79 | +Artifact Signing passionately supports a healthy ecosystem by using active threat intelligence monitoring to constantly look for cases of misuse and abuse of Artifact Signing subscribers' Public Trust certificates. |
| 80 | + |
| 81 | +- For a confirmed case of misuse or abuse, Artifact Signing immediately takes the necessary steps to mitigate and remediate any threats, including targeted or broad certificate revocation and account suspension. |
| 82 | + |
| 83 | +- You can complete revocation actions directly in the Azure portal for any certificates that are logged under a certificate profile that you own. |
| 84 | + |
| 85 | +## Next step |
| 86 | + |
| 87 | +>[!div class="nextstepaction"] |
| 88 | +>[Set up Artifact Signing](./quickstart.md) |
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments