Azure App Service Team Blog

How the App Service team functions

FAQ : App Service Certificates

Here is a list of commonly asked questions for App Service Certificates.

How do I purchase and configure a new SSL certificate in Azure for my web app?

To learn how to purchase and set up an SSL certificate for your App Service web app, see Add an SSL certificate to your App Service app.

Certificate errors shown when enforcing HTTPS?

If your web app gives you certificate validation errors, it could be due to :

  • Using a self-signed certificate
  • You may have left out intermediate certificates when you export your certificate to the PFX file.
  • You are using a domain validated SSL , the domain host name must be added to your web app

My SSL certificate is not being auto-renewed ?

All App Service certificates issued prior to March 31st 2017 will receive an email to re-verify their domain at the time of renewal even if the auto-renewal is enabled for your certificate.This is a result of change in GoDaddy policy.  Please check your email and complete this one-time domain verification to continue to auto-renew the SSL certificate. Also , note that GoDaddy does require you to verify your domain once every three years and you will receive a email once every three years  to verify your domain.

Can I bring my own SSL certificate and how do I upload/configure it for my web app?

Yes , you can bring your own SSL certificate. To learn how to upload and set up an existing custom SSL certificate, see Bind an existing custom SSL certificate to an Azure web app.

My App Service certificate is flagged for fraud. How do I resolve this?

During the domain verification of an App Service certificate purchase, you might see the following message: 

“Your certificate has been flagged for possible fraud. The request is currently under review. If the certificate does not become usable within 24 hours, please contact Azure Support.”

As the message indicates, this fraud verification process might take up to 24 hours to complete. During this time, you’ll continue to see the message.

If your App Service certificate continues to show this message after 24 hours, please run the following PowerShell script. The script contacts the certificate provider directly to resolve the issue.

Set-AzureRmContext -SubscriptionId <subId>
$actionProperties = @{
    "Name"= "<Customer Email Address>"
Invoke-AzureRmResourceAction -ResourceGroupName "<App Service Certificate Resource Group Name>" -ResourceType Microsoft.CertificateRegistration/certificateOrders -ResourceName "<App Service Certificate Resource Name>" -Action resendRequestEmails -Parameters $actionProperties -ApiVersion 2015-08-01 -Force   

How do I rekey and sync App Service SSL certificate on my web app?

You can rekey your certificate using a new private key by following the details instructions in this article.

Can I export my App Service certificate for use with other Azure services such as Cloud Services and so forth?

We’ve gotten a lot of feedback from customers asking for this ability, so we now allow you to export your certificate as a PFX file so that you can use it across multiple subscriptions and Azure services. See this blog post for more information.

Can I export my App Service certificate to be used outside of Azure, such as for a website hosted elsewhere?

App Service certificates are to be considered Azure resources and are not intended for use outside of your Azure services. You cannot export them for use outside of Azure.

Can I use my App Service certificate in a different subscription in Azure?

You can migrate your App Service Certificate within the Azure portal. You can also export it as a PFX file for use in another subscription. See this blog post for more information.

I have a Free or a DreamSpark Azure subscription. Can I purchase an App Service certificate with my credits?

Because Free and DreamSpark Azure credits are free credits, they cannot be used to purchase App Service certificates.

Can I get a refund if I purchase an SSL certificate and then decide that I no longer need it?

Unfortunately, we cannot refund you on the purchase of an SSL certificate.

How do I update an SNI or IP based SSL binding on web app ?

Note : When the binding is updated , please wait for 24 hours for the change to reflect in the Azure portal . To avoid downtime with your web app  , make sure you updated the binding for SSL at least a week prior to the expiration of your current SSL certificate.  

Login to the Azure portal and select your web app. To update and SSL binding :

  • Upload a new certificate
  • Click “Add binding” in SSL certificates setting for your web app
  • Select your domain
  • Select your certificate
  • Click Add binding. Note that by adding an SSL binding with a hostname used in another binding will override the existing binding.