Azure Artifact Signing: Public Trust certificate profile creation fails with terminal provisioning state "Failed" (UnknownError) despite Completed organization identity validation

kasinc 20 Reputation points
2026-06-10T17:55:16.4+00:00

Service

Azure Artifact Signing (formerly Trusted Signing) — certificate profile creation via the Azure portal. Account in East US, Basic SKU, on a paid (pay-as-you-go) subscription, for a US-based Delaware C-Corporation.

Scenario

I am setting up Authenticode code signing for a publicly distributed Windows application. Setup completed so far:

Created the Artifact Signing account (East US, Basic).

Assigned myself the Artifact Signing Identity Verifier role on the account.

Created an Organization / Public identity validation and completed it fully: the AU10TIX document verification flow finished and the email verification link sent to the primary contact was clicked before expiry. The validation status shows Completed, and the certificate subject preview (CN/O/STREET/L/S/C/PC) is populated correctly.

Assigned an app registration the Artifact Signing Certificate Profile Signer role on the account for CI signing.

I am now trying to create a production Public Trust certificate profile against the completed identity validation, with Program type None and the subject fields auto-populated read-only from the validation.

Result

Every production Public Trust profile creation is Accepted, then terminates roughly 15 seconds later in provisioning state Failed. The Activity Log shows the same error for every attempt (operation Microsoft.CodeSigning/codeSigningAccounts/certificateProfiles/write):

{
  "status": "Failed",
  "error": {
    "code": "ResourceOperationFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "UnknownError",
        "message": "Some error occured. Correlation id - <GUID>. Timestamp - <timestamp>."
      }
    ]
  }
}

There is no subStatus and no further detail. Attempts to delete the failed profiles also terminate Failed with the same error shape, leaving them stranded with status Unknown in the profiles list.

Critically: a Public Trust Test certificate profile in the same account, created by the same operator, succeeds and shows Active.

Environment

Region: East US (supported); account and Test profile both created successfully there

Subscription: paid pay-as-you-go (not free/trial/sponsored)

Single resource group, single Artifact Signing account

Operator: subscription Owner and tenant admin, plus the explicit Artifact Signing roles noted above

Eligibility: US legal business entity (within supported countries for Public Trust)

Troubleshooting efforts

Verified the identity validation status is Completed (not In Progress / Action Required) and that the email verification link was used before its 7-day expiry.

Retried creation with multiple distinct, rule-compliant profile names (~15 minutes apart) — all fail identically, ruling out naming.

Ruled out permissions: every create passes auth/validation and reaches Accepted before failing asynchronously, and the Public Trust Test profile creating successfully demonstrates the account, RBAC, tenant, and region wiring all work end to end.

Reviewed the form inputs: Public Trust type, Program type None, identity validation selected from the Completed validation, subject fields read-only from the validation.

Searched documentation and Q&A: found guidance for identity validation failures and account-creation failures, but nothing covering production Public Trust profile failure while Test succeeds and validation is Completed.

Supporting materials

I have the Activity Log JSON for each failed create/delete, including correlation IDs and exact timestamps for two failed create operations, plus the Identity Validation ID. I can share these privately with Microsoft staff for backend investigation.

Question

What is the backend reason that production Public Trust certificate profile creation fails with UnknownError for this account while a Public Trust Test profile succeeds and the organization identity validation shows Completed — and what is required to enable production Public Trust issuance? (Guidance on cleaning up the profiles stranded in provisioningState: Failed, whose deletes also fail, is welcome as a secondary note.)

Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)


Answer accepted by question author

Meha-MSFT 1,880 Reputation points Microsoft Employee Moderator
2026-06-10T21:34:01.3533333+00:00

Should be working today.


1 additional answer

  1. AI answer

    2026-06-10T17:55:39.49+00:00

    The backend reason for a production Public Trust certificate profile failing with UnknownError while a Public Trust Test profile succeeds is not exposed in any public documentation. The behavior described (asynchronous failure with ResourceOperationFailure / UnknownError and stranded profiles whose delete also fails) is not covered by the documented error codes or mitigations for Artifact Signing and cannot be diagnosed further from portal-visible data alone.

    From the available guidance, the only supported next steps for a scenario where:

    • Identity validation status is Completed, and
    • A Public Trust Test profile works, but
    • A Public Trust production profile repeatedly fails with UnknownError, and
    • Standard mitigations (RBAC, subscription state, identity validation status, profile naming) are already ruled out,

    are to engage Azure support so the service team can inspect the backend correlation IDs and tenant/account state.

    Recommended actions based on the documented support model:

    1. Open an Azure support ticket from the Azure portal under the subscription that owns the Artifact Signing account.
      • Include:
        • Artifact Signing account name and region.
        • Identity Validation ID.
        • Full Activity Log JSON for at least two failed certificateProfiles/write operations and the failed delete attempts, including correlation IDs and timestamps.
        • Confirmation that a Public Trust Test profile in the same account is Active.
    2. If portal support is not available on the subscription, post the details (without PII) on Microsoft Q&A using the Artifact Signing tag or on Stack Overflow using the trusted-signing tag, and provide the correlation IDs privately if requested by Microsoft staff.
    3. For the stranded profiles in provisioningState: Failed whose deletes also fail, deletion or cleanup must be handled by the service backend; there is no documented client-side remediation beyond support engagement.

    These steps align with the documented guidance that Artifact Signing issues beyond the listed common error codes and mitigations, especially those involving backend UnknownError, require direct Azure support involvement.


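The support checklist in the thread asks for the correlation ID and timestamp of every failed create and delete. As an added example (not part of the original thread and not Microsoft tooling), this Python sketch extracts them from status bodies shaped like the JSON in the question and keeps only the opaque `ResourceOperationFailure` / `UnknownError` pattern, one row per correlation ID. The sample bodies, GUIDs, timestamps and the `create`/`delete` labels are constructed for illustration.

```python
import json
import re

# Detail-message layout as shown in the question's Activity Log excerpt.
DETAIL_RE = re.compile(
    r"Correlation id - (?P<cid>[0-9a-fA-F-]{36})\.\s*Timestamp - (?P<ts>.+?)\.?$")

def extract_failure(operation, status_json):
    """Pull ticket-ready facts out of one failed operation's status body."""
    body = json.loads(status_json)
    error = body.get("error") or {}
    details = error.get("details") or []
    row = {"operation": operation, "status": body.get("status"),
           "code": error.get("code"), "correlation_id": None, "timestamp": None,
           "detail_codes": [d.get("code") for d in details]}
    for d in details:
        m = DETAIL_RE.search(d.get("message") or "")
        if m:
            row["correlation_id"], row["timestamp"] = m["cid"].lower(), m["ts"]
            break
    # Opaque = the question's shape: only UnknownError under a terminal Failed.
    row["opaque"] = (row["status"] == "Failed"
                     and row["code"] == "ResourceOperationFailure"
                     and set(row["detail_codes"]) == {"UnknownError"})
    return row

def ticket_rows(records):
    """(operation, status_json) pairs -> opaque failures, one per correlation id."""
    seen, rows = set(), []
    for operation, raw in records:
        row = extract_failure(operation, raw)
        cid = row["correlation_id"]
        if row["opaque"] and cid and cid not in seen:
            seen.add(cid)
            rows.append(row)
    return rows

def sample_body(cid, ts, detail_code="UnknownError"):
    """Constructed status body in the page's shape; ids and times are made up."""
    detail = {"code": detail_code, "message":
              f"Some error occured. Correlation id - {cid}. Timestamp - {ts}."}
    return json.dumps({"status": "Failed", "error": {
        "code": "ResourceOperationFailure", "details": [detail]}})

SAMPLES = [  # constructed: a create, its duplicate log entry, a failed delete
    ("create", sample_body("11111111-2222-3333-4444-555555555555", "2026-06-10T17:20:01.5Z")),
    ("create", sample_body("11111111-2222-3333-4444-555555555555", "2026-06-10T17:20:01.5Z")),
    ("delete", sample_body("AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", "2026-06-10T17:41:09Z")),
]
```

Calling `ticket_rows(SAMPLES)` returns two rows: the duplicate create entry is collapsed, and a body carrying any detail code other than `UnknownError` is left out because it has something actionable of its own.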