We use Advanced Installer and at the moment we sign the .exe and installer package with a Standard Code Sign Certificate for token using a Safenet USB token. We want to move to the cloud and use Azure Key Vault there. Azure Key Vault needs a HSM certificate and we need to buy a new one. Is it possible to switch from token to HSM and will the old deployed Windows Services signed with the token certificate accept new update packages signed with the new HSM certificate?
As far as I understand it, the private key is stored on the usb token and we can’t get it, so HSM will use a new private key?
We use GlobalSign certificates.
Source: Windows Questions