Certificate Signing extension support for Azure Trusted Signing

  • updated
  • Pending Review

Please add support for Azure Trusted Signing in the Certificate Signing extension. ATS has everything for signing clients in one subscription that costs about 75% less than doing Azure Key Vault and a third-party cert. As a proof of concept, I created an ATS account and manually signed a downloaded Support client, and it worked.

0
c g

Support for a custom command line tool should be added, with placeholder variables for the executable to be signed. ConnectWise is forcing people to use Azure Key Vault, since certificates issued nowadays have the private key either on a USB hardware token or in an HSM.

0
M Stroeve

We've been a ScreenConnect on-premises customer for many years and strongly support this feature request.

Why this matters:

Since Azure Trusted Signing became available in the EU (West Europe region), it's now a viable and cost-effective option for European businesses. The current Certificate Signing extension only supports Azure Key Vault, which requires purchasing a separate OV/EV certificate from a third-party CA (~€350-500/year) plus Key Vault Premium costs for HSM storage.

Azure Trusted Signing provides everything in one subscription for approximately €108/year - that's roughly 75% less as the original poster mentioned.

Our situation:

We have multiple developers who need to sign installers. Azure Trusted Signing integrates with Azure AD, making team access management straightforward through existing security groups. With the current Azure Key Vault approach, we'd need to manage separate certificate procurement, renewal cycles, and HSM key storage.

Suggested implementation:

As mentioned by c g, support for a custom command line tool with placeholder variables would be a flexible solution. Something like:

{SignToolPath} sign /dlib {AzureDlib} /dmdf {MetadataFile} {InstallerPath}

This would allow partners to use Azure Trusted Signing, or any other signing solution that works via command line tools.

The business case is clear:

  • Lower cost for partners
  • Simpler certificate lifecycle management
  • Better team/CI-CD integration through Azure AD
  • Microsoft-backed trust chain

Please prioritize this feature. The current approach feels like it's pushing on-premises customers toward more expensive solutions unnecessarily.
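The "custom command line tool with placeholder variables" idea from c g's comment and from M Stroeve's suggested implementation, worked through as an added example; this is not ConnectWise code and not part of either comment. It assumes the template format shown above (`{SignToolPath} sign /dlib {AzureDlib} /dmdf {MetadataFile} {InstallerPath}`), and the file paths in it are constructed sample values. The security-relevant detail is that the template is expanded into an argument vector and run without a shell, so an installer path containing spaces, quotes or shell metacharacters stays one argument and cannot change the command the extension executes.

```python
"""Expand a placeholder-based signing command template into an argv list.

Added example (not the extension's own code). The template format follows
the one proposed in the comments above; every path value below is a
constructed sample, not a real installation.
"""
import re
import subprocess
from typing import Dict, List, Set

# A placeholder is {Name}; Name is an identifier-like token.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Template as proposed in the comment thread (assumed format).
TEMPLATE = "{SignToolPath} sign /dlib {AzureDlib} /dmdf {MetadataFile} {InstallerPath}"


def placeholders(template: str) -> Set[str]:
    """Return the set of placeholder names used in the template."""
    return set(PLACEHOLDER.findall(template))


def is_complete(template: str, values: Dict[str, str]) -> bool:
    """True when every placeholder in the template has a value supplied."""
    return placeholders(template) <= set(values)


def expand_template(template: str, values: Dict[str, str]) -> List[str]:
    """Split the template on whitespace, then substitute placeholders per token.

    Values are substituted after tokenisation and are never re-split, so a
    value with spaces or metacharacters remains exactly one argv element.
    Raises KeyError for a placeholder with no supplied value.
    """
    def substitute(match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for placeholder {%s}" % name)
        return values[name]

    return [PLACEHOLDER.sub(substitute, token) for token in template.split()]


def run_signing(argv: List[str], dry_run: bool = False):
    """Run the expanded command without a shell; return argv in dry-run mode.

    shell=False means the OS receives the argument list as-is; nothing in a
    path is interpreted as a command separator or redirection.
    """
    if dry_run:
        return argv
    completed = subprocess.run(argv, shell=False, check=False,
                               capture_output=True, text=True)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample values; the paths do not exist on this machine.
    sample_values = {
        "SignToolPath": r"C:\Tools\signtool.exe",
        "AzureDlib": r"C:\Tools\Azure.CodeSigning.Dlib.dll",
        "MetadataFile": r"C:\Tools\metadata.json",
        "InstallerPath": r"C:\Downloads\Support Client.exe",
    }
    for arg in run_signing(expand_template(TEMPLATE, sample_values), dry_run=True):
        print(repr(arg))
```

In dry-run mode the block prints each argument on its own line, which makes it easy to confirm that "Support Client.exe" (with its space) arrived as a single argument. An extension adopting this scheme would also want to reject templates that reference placeholders it does not know, which `is_complete` covers before anything is executed.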