Azure API Management

Inside scoop from the API Management team

Certificate pinning in Azure API Management

Each API Management service instance is created with a default domain name that is a customer-specified subdomain of the Microsoft-owned domain azure-api.net, for example, contoso.azure-api.net. Default domain names are secured with a wildcard certificate owned by Microsoft and issued for *.azure-api.net.

Customers who wish to use certificate pinning to improve the security of their applications must use a custom domain name and a certificate which they manage, not the default certificate. Customers who pin the default certificate instead take a hard dependency on the properties of a certificate they don’t control, which is not a recommended practice. As a matter of security policy, we periodically update the certificate, and when we do, “pinned” applications stop working.

In the future, we will provide courtesy notes about upcoming certificate updates on this blog and on Twitter @AzureApiMgmt. Unfortunately, we are not always in control of the timing and might not be able to give sufficient advance notice. Therefore, we urge customers to configure their own custom domain names secured with their own custom certificates when they want to use certificate pinning. Custom domain configuration steps are described here.
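As an added example (not code from the API Management team or product), the script below computes the SPKI SHA-256 pin of a PEM certificate, refuses to treat the shared *.azure-api.net wildcard as a pin target, and checks whether a freshly fetched certificate still matches the pin a client ships with, so a rotation is noticed before it breaks the client. It assumes the openssl CLI is installed; file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Azure API Management team or product:
# compute an SPKI SHA-256 pin for a PEM certificate, refuse the shared Microsoft
# *.azure-api.net wildcard as a pin target, and compare a served certificate
# against an existing pin. Requires the openssl command-line tool.

# Print the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo,
# the value a pinning client embeds (the same form HPKP used).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Succeed (exit 0) if the subject CN or a SAN entry names the default
# *.azure-api.net wildcard, i.e. a certificate the customer does not control.
is_default_wildcard() {
  openssl x509 -in "$1" -noout -subject -text \
    | grep -q '\*\.azure-api\.net'
}

# Gate for a build or deployment pipeline: print the pin for a certificate the
# customer controls, refuse the shared wildcard with a non-zero exit status.
check_pin_target() {
  if is_default_wildcard "$1"; then
    echo "refuse: $1 is the *.azure-api.net wildcard; pin a custom-domain certificate instead" >&2
    return 1
  fi
  echo "pin: $(spki_pin "$1")"
}

# Compare a certificate (e.g. one just fetched from the endpoint) against the
# pin a client ships with; a mismatch means that client will fail on it.
pin_matches() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# Usage: sh pincheck.sh cert.pem [expected-pin]   (placeholder file name)
if [ "$#" -ge 1 ]; then
  check_pin_target "$1" || exit 1
  if [ "$#" -ge 2 ]; then
    if pin_matches "$1" "$2"; then echo "pin still valid"
    else echo "pin MISMATCH: pinned clients will break on this certificate" >&2; exit 2
    fi
  fi
fi
```

Run it periodically against the leaf certificate served on your custom domain to catch an unexpected rotation before clients do.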