Azure App Service Team Blog


FAQ : SSL certificates for Web Apps and App Service Certificates

Here is a list of commonly asked questions for App Service Certificates.

How do I purchase and configure a new SSL certificate in Azure for my web app?

To learn how to purchase and set up an SSL certificate for your App Service web app, see Add an SSL certificate to your App Service app.

I am unable to purchase an SSL certificate or App Service certificate?

This could be caused by one of the following reasons:

  • The App Service plan is in the Free or Shared pricing tier. SSL is not supported for these pricing tiers.
  • The subscription does not have a valid credit card.
  • The subscription offer does not support purchasing an App Service certificate (for example, the Microsoft Student offer).
  • The subscription has hit the maximum number of purchases allowed on a subscription.
  • The App Service certificate was flagged for fraud. You will see this error: “Your certificate has been flagged for possible fraud. The request is currently under review. If the certificate does not become usable within 24 hours, please contact Azure Support.”

Try any of these solutions, based on the cause:

  • Upgrade the App Service plan to the Standard pricing tier for the web app.
  • Add a valid credit card to your subscription if you don’t have one.
  • If you are using a Microsoft Student subscription or another Azure subscription type where App Service certificates are not supported, upgrade your subscription.
  • App Service Certificates has a limit of 10 certificate purchases for Pay-As-You-Go and EA subscription types; for other subscription types the limit is 3. If you want to increase the purchase limit on your subscription for certificates, share the following details with us:
    • The business reason for increasing the purchase limit on your subscription.
    • The monthly spending cap on this subscription, if any.
    • Whether the subscription has a valid credit card associated with it.

We will review and evaluate your business needs internally and either approve or reject your request, provided there are no other constraints to meeting these needs for you.

  • If the certificate is marked as fraud and this has not been resolved after 24 hours, then follow the steps below:
    • Go to the App Service certificate in the Azure portal.
    • Click Certificate Configuration -> Step 2: Verify -> Domain Verification.
    • Click Email Instructions, which sends an email to GoDaddy to resolve the issue.

When does my certificate get renewed?

App Service certificates are valid for one year. If Auto Renew is on for an ASC, it will be renewed automatically before it expires and, just as with the ReKey operation, the linked App Service apps will be moved to the new certificate. Auto Renew is on by default; you can change this setting by clicking ‘Auto Renew Settings’. You can also manually renew a certificate by clicking Manual Renew, irrespective of the current Auto Renew setting, if the certificate expires within 90 days.

How can I Rekey and/or ReSync my app service certificate?

In order to stay compliant, many web companies need to rotate their certificates periodically. Also, if a customer believes that their certificate has been compromised, they should rotate the certificate as soon as possible to minimize the likelihood of the stolen certificate being used for malicious purposes. Traditionally, this requires obtaining a new certificate from the CA, which is as complicated as buying a new one. Once a new certificate is created, you need to update all App Service apps one by one manually. With ASC, we support one-click ReKey. ASC allows you to ReKey a certificate an unlimited number of times during its lifetime for free.

Using the Rekey and Sync option in the portal: This blade displays the current sync state. You can see the thumbprint of the ASC along with the thumbprints of all linked App Service certificates. When these certificates are in sync, all thumbprints match; when they are out of sync, one or more linked certificate thumbprints differ from the ASC thumbprint. To rotate the certificate, click ReKey at the top. The ASC status moves to Rekey Certificate, which may take 5-10 minutes. You don't have to click Sync, since a background task runs every 8 hours to sync the changes in the certificate. To force a sync, click the Sync button.

App Service Certificate ReKey and Sync

I see certificate errors shown when enforcing HTTPS?

If your web app gives you certificate validation errors, it could be due to:

  • Using a self-signed certificate: avoid self-signed certificates, since we cannot verify domain ownership with them. This is not supported with Azure web apps.
  • Missing intermediate certificates when you export your certificate to the PFX file: recreate the PFX file and follow the guidance here to make sure intermediate certificates are also included when exporting in PFX format.
  • Domain host name is not added to the web app: add the domain hostname to your web app as per the instructions here.
  • If using an App Service certificate, domain verification is not completed: your certificate is not ready to be used. Complete the domain verification step as described here.

Can I get the intermediate certificates for mysite.azurewebsites.net?

We support HTTPS on the *.azurewebsites.net domain name. Since this domain is owned by the App Service team, we do not share the certificate information with users for security reasons. We recommend using a custom domain and bringing your own certificate for a production application.

Domain verification is not working for App Service certificate?

We provide an alternate solution to manually verify your domain. Manual verification lets you verify domain ownership through your DNS configuration by adding a TXT record.

Follow these steps to complete manual verification:

  1. Go to the Domain Name Service (DNS) provider for your domain name.
  2. Add a TXT record for your domain with the value of the domain token shown in the portal.

Wait a few minutes for DNS propagation to take place, then click the Refresh button to trigger the verification.

An alternate method to manually verify is the HTML Web Page method, which allows the certificate authority to confirm ownership of the domain the certificate is issued for.

  1. Create an HTML file named {Domain Verification Token}.html.
  2. The content of this file should be the value of the Domain Verification Token.
  3. Upload this file at the root of the web server hosting your domain.
  4. Click the Refresh button to check the certificate status. It might take a few minutes for verification to complete.

For example, if you are buying a standard certificate for azure.com with Domain Verification Token ‘1234abcd’, then a web request made to http://azure.com/1234abcd.html should return 1234abcd.

Important notice: A certificate order has only 15 days to complete the domain verification operation. After 15 days the certificate is denied by the certificate authority and you are not charged for the certificate. Delete this certificate and try again.
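Before clicking Refresh (and burning part of the 15-day window on a failed attempt), it helps to confirm from outside that the TXT record or the token HTML file already answers the way the certificate authority expects. The checker below is an added example, not Azure portal or App Service code; its function names, the injectable lookups and the example.com sample answers are this example's own assumptions.

```python
import urllib.request

# Added pre-flight check for the two manual verification methods above; not
# Azure portal code. Function names and the sample data are this example's own.


def txt_record_matches(txt_values, token):
    # Resolvers often return TXT strings wrapped in double quotes; strip them.
    return any(v.strip().strip('"') == token for v in txt_values)


def html_body_matches(body, token):
    # The CA compares the file body to the token; tolerate a UTF-8 BOM or a
    # trailing newline that editors commonly add, but nothing else.
    return body.lstrip("\ufeff").strip() == token


def html_verification_url(domain, token):
    # The CA requests http://<domain>/<token>.html over plain HTTP.
    return f"http://{domain}/{token}.html"


def fetch_text(url, timeout=10):
    # Live fetch; returns None when the file is unreachable (404, DNS, timeout).
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except OSError:  # urllib's URLError/HTTPError and socket errors derive from it
        return None


def check_domain_verification(domain, token, txt_lookup, fetch=fetch_text):
    # txt_lookup(domain) -> list of TXT strings; fetch(url) -> body or None.
    # Both are injectable so the check runs on constructed data as well as live.
    txt_ok = txt_record_matches(txt_lookup(domain), token)
    body = fetch(html_verification_url(domain, token))
    html_ok = body is not None and html_body_matches(body, token)
    return {"txt": txt_ok, "html": html_ok, "verified": txt_ok or html_ok}


# Constructed sample answers standing in for live DNS and HTTP responses.
SAMPLE_TXT = {"example.com": ['"1234abcd"', "v=spf1 -all"]}
SAMPLE_PAGES = {"http://example.com/1234abcd.html": "\ufeff1234abcd\n"}


def demo(domain="example.com", token="1234abcd"):
    return check_domain_verification(
        domain, token,
        txt_lookup=lambda d: SAMPLE_TXT.get(d, []),
        fetch=lambda u: SAMPLE_PAGES.get(u),
    )
```

For a live check, pass a real TXT resolver (for example a dnspython-based function) as txt_lookup and leave fetch at its default.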

My SSL certificate is not being auto-renewed?

All App Service certificates issued prior to March 31st 2017 will receive an email to re-verify their domain at the time of renewal, even if auto-renewal is enabled for your certificate. This is a result of a change in GoDaddy policy. Please check your email and complete this one-time domain verification to continue to auto-renew the SSL certificate. Also note that GoDaddy does require you to verify your domain once every three years, and you will receive an email once every three years to verify your domain.

Can I bring my own SSL certificate and how do I upload/configure it for my web app?

Yes, you can bring your own SSL certificate. To learn how to upload and set up an existing custom SSL certificate, see Bind an existing custom SSL certificate to an Azure web app.

My App Service certificate is flagged for fraud. How do I resolve this?

During the domain verification of an App Service certificate purchase, you might see the following message: 

“Your certificate has been flagged for possible fraud. The request is currently under review. If the certificate does not become usable within 24 hours, please contact Azure Support.”

As the message indicates, this fraud verification process might take up to 24 hours to complete. During this time, you’ll continue to see the message. If the certificate is marked as fraud and this has not been resolved after 24 hours, then follow the steps below:

  • Go to the App Service certificate in the Azure portal.
  • Click Certificate Configuration -> Step 2: Verify -> Domain Verification.
  • Click Email Instructions, which sends an email to GoDaddy to resolve the issue.

My App Service Certificate is still showing the old secret value. How can I force a sync with the new secret in my Key Vault?

You can rekey your certificate using a new private key by following the detailed instructions in this article.

How do I buy an EV SSL certificate for use with an Azure web app?

App Service certificate does not support purchasing EV SSL from the Azure portal, but there are other options to use EV SSL with web apps. For details, click here.

Can I export my App Service certificate for use with other Azure services such as Cloud Services and so forth?

We’ve gotten a lot of feedback from customers asking for this ability, so we now allow you to export your certificate as a PFX file so that you can use it across multiple subscriptions and Azure services. See this blog post for more information.

Can I export my App Service certificate to be used outside of Azure, such as for a website hosted elsewhere?

App Service Certificates can be used for any Azure or non-Azure service and are not limited to App Service. To do so, you need to create a local PFX copy of the App Service certificate, which you can then use anywhere you want. For more information, read Creating a local PFX copy of an App Service Certificate.

Can I use my App Service certificate in a different subscription in Azure?

You can migrate your App Service Certificate within the Azure portal. You can also export it as a PFX file for use in another subscription. See this blog post for more information.

I have a Free or a DreamSpark Azure subscription. Can I purchase an App Service certificate with my credits?

Because Free and DreamSpark Azure credits are free credits, they cannot be used to purchase App Service certificates.

Can I get a refund if I purchase an SSL certificate and then decide that I no longer need it?

Unfortunately, we cannot refund you on the purchase of an SSL certificate.

How do I update an SNI or IP based SSL binding on a web app?

Note: When the binding is updated, please wait 24 hours for the change to be reflected in the Azure portal. To avoid downtime with your web app, make sure you update the SSL binding at least a week prior to the expiration of your current SSL certificate.

Log in to the Azure portal and select your web app. To update an SSL binding:

  • Upload a new certificate.
  • Click “Add binding” in the SSL certificates setting for your web app.
  • Select your domain.
  • Select your certificate.
  • Click Add binding. Note that adding an SSL binding with a hostname used in another binding overrides the existing binding.