This article shows you how to create an Azure App Service certificate and perform management tasks like renewing, synchronizing, and deleting certificates. After you have an App Service certificate, you can then import it into an App Service app. An App Service certificate is a private certificate that Azure manages. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
If you purchase an App Service certificate from Azure, Azure manages the following tasks:
- Handles the purchase process from GoDaddy.
- Performs ___domain verification of the certificate.
- Maintains the certificate in Azure Key Vault.
- Manages certificate renewal.
- Synchronizes the certificate automatically with the imported copies in App Service apps.
After you upload a certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination. Internally, it's called a webspace. That way, the certificate is accessible to other apps in the same resource group and region combination. Certificates uploaded or imported to App Service are shared with app services in the same deployment unit.
Prerequisites
- Create an App Service app. The app's App Service plan must be in the Basic, Standard, Premium, or Isolated tier. To update the tier, see Scale up an app.
Currently, App Service certificates aren't supported in Azure national clouds.
Buy and configure an App Service certificate
Buy the certificate
Go to the Create App Service certificate page to start the purchase.
Note
GoDaddy issues App Service certificates that are purchased from Azure. For some domains, you must explicitly allow GoDaddy as a certificate issuer by creating a Certification Authority Authorization (CAA) ___domain record with the value 0 issue godaddy.com.
To configure the certificate, use the following table. When you're finished, select Review + Create, and then select Create.
Setting | Description |
---|---|
Subscription | The Azure subscription to associate with the certificate. |
Resource Group | The resource group that contains the certificate. You can either create a new resource group or select the same resource group as your App Service app. |
SKU | Determines the type of certificate to create, either a standard certificate or a wildcard certificate. |
Naked ___domain hostname | Specify the root ___domain. The issued certificate provides security for both the root ___domain and the www subdomain. In the issued certificate, the Common Name field specifies the root ___domain. The Subject Alternative Name field specifies the www ___domain. To provide security for only a subdomain, specify the fully qualified ___domain name for the subdomain, for example, mysubdomain.contoso.com. |
Certificate name | The friendly name for your App Service certificate. |
Enable auto renewal | Select whether to automatically renew the certificate before expiration. Each renewal extends the certificate expiration by one year. The cost is charged to your subscription. |
After the deployment is finished, select Go to resource.
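Before placing the order, it is worth checking the CAA note above from the defender's side. The following is an added example, not code from the article or from Microsoft: it evaluates CAA records the way RFC 8659 tells a CA to, climbing from the requested hostname to the root and letting the first name that has CAA records decide, so you can confirm that godaddy.com is permitted for the name you will request (including a wildcard SKU). The records_by_name dictionary and SAMPLE_ZONE are constructed stand-ins for a live DNS lookup.

```python
# Added example (not Microsoft's code): evaluate CAA records per RFC 8659 to
# confirm that godaddy.com, the issuer of App Service certificates, is allowed
# to issue for a hostname before you place the order.
from dataclasses import dataclass

CA_DOMAIN = "godaddy.com"  # issuer named in the article


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse presentation format such as '0 issue "godaddy.com"'."""
    flags, tag, value = line.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def caa_allows(records_by_name: dict, hostname: str, ca: str = CA_DOMAIN) -> bool:
    """True if `ca` may issue for `hostname` under the given CAA records.

    records_by_name maps a DNS name to its CAA RRset in presentation format;
    it is a constructed stand-in for a live lookup. The search climbs from
    the hostname to the root and the first name that has CAA records decides.
    """
    wildcard = hostname.startswith("*.")
    labels = (hostname[2:] if wildcard else hostname).rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = records_by_name.get(".".join(labels[i:]))
        if not rrset:
            continue
        recs = [parse_caa(r) for r in rrset]
        # A wildcard request uses issuewild when present, otherwise issue.
        relevant = [r for r in recs if r.tag == "issuewild"] if wildcard else []
        if not relevant:
            relevant = [r for r in recs if r.tag == "issue"]
        if not relevant:
            return True  # CAA exists but restricts nothing about issuance
        # Value is "<ca-___domain>[; param=value ...]"; an empty ___domain (";") denies all CAs.
        return any(r.value.split(";", 1)[0].strip().lower() == ca for r in relevant)
    return True  # no CAA records anywhere in the tree: issuance is unrestricted


# Constructed zone data: the apex permits GoDaddy for ordinary names but
# forbids every CA from issuing wildcard certificates.
SAMPLE_ZONE = {"contoso.com": ['0 issue "godaddy.com"', '0 issuewild ";"']}

if __name__ == "__main__":
    for host in ("contoso.com", "www.contoso.com", "*.contoso.com"):
        print(host, "->", "GoDaddy may issue" if caa_allows(SAMPLE_ZONE, host) else "blocked by CAA")
```

With SAMPLE_ZONE, a standard certificate for contoso.com or www.contoso.com passes but a wildcard SKU would be refused by the CA, which is the kind of surprise the check is meant to catch before purchase.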
Store the certificate in Azure Key Vault
Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. For App Service certificates, we recommend that you use Key Vault. After you finish the certificate purchase process, you must complete a few more steps before you start using the certificate.
On the App Service Certificates page, select the certificate. On the certificate pane, select Certificate Configuration > Step 1: Store.
On the Key Vault Status page, choose Select from Key Vault.
If you create a new vault, set up the vault based on the following table. Make sure to use the same subscription and resource group as your App Service app.
Setting | Description |
---|---|
Resource group | Recommended: The same resource group as your App Service certificate. |
Key vault name | A unique name that uses only alphanumeric characters and dashes. |
Region | The same ___location as your App Service app. |
Pricing tier | For information, see Azure Key Vault pricing details. |
Days to retain deleted vaults | The number of days, after deletion, that objects remain recoverable. (See Azure Key Vault soft-delete overview.) Set a value between 7 and 90. |
Purge protection | Enabling this option forces all deleted objects to remain in soft-deleted state for the entire duration of the retention period. |
Select Next and then select Vault access policy. Currently, App Service certificates support only Key Vault access policies, not the role-based access control model.
Select Review + create, and then select Create.
After the key vault is created, don't select Go to resource. Wait for the Select key vault from Azure Key Vault page to reload.
Choose Select.
After you select the vault, close the Key Vault Repository page. The Step 1: Store option should show a green check mark to indicate success. Keep the page open for the next step.
Confirm ___domain ownership
On the same Certificate Configuration page as in the previous section, select Step 2: Verify.
Select App Service Verification. Because you mapped the ___domain to your web app earlier in this section, the ___domain is already verified. To finish this step, select Verify, and then select Refresh until the message Certificate is Domain Verified appears.
The following ___domain verification methods are supported:
Method | Description |
---|---|
App Service verification | The most convenient option when the ___domain is already mapped to an App Service app in the same subscription because the App Service app verified the ___domain ownership. Review the last step in Confirm ___domain ownership. |
Domain verification | Confirm an App Service ___domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and finishes the process. |
Mail verification | Confirm the ___domain by sending an email to the ___domain administrator. Instructions are provided when you select the option. |
Manual verification | Confirm the ___domain by using either a Domain Name System (DNS) TXT record or an HTML page. (The latter applies only to Standard certificates. See the following note.) The steps are provided after you select the option. The HTML page option doesn't work for web apps with HTTPS Only enabled. For ___domain verification via DNS TXT record for either the root ___domain (for example, contoso.com) or a subdomain (for example, www.contoso.com or test.api.contoso.com), and regardless of the certificate SKU, you need to add a TXT record at the root ___domain level. Use @ for the name and the ___domain verification token for the value in your DNS record. |
Important
With the Standard certificate, you get a certificate for the requested top-level ___domain and the www subdomain, for example, contoso.com and www.contoso.com. App Service verification and manual verification both use HTML page verification, which doesn't support the www subdomain when you issue, rekey, or renew a certificate. For the Standard certificate, use ___domain verification and mail verification to include the www subdomain with the requested top-level ___domain in the certificate.
After your certificate is ___domain verified, you can import it into an App Service app.
Renew an App Service certificate
By default, App Service certificates have a one-year validity period. Before the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.
As of September 23, 2021, if you haven't verified the ___domain in the last 395 days, App Service certificates require ___domain verification during a renewal, autorenewal, or rekey process. The new certificate order remains in Pending issuance mode during the renewal, autorenewal, or rekey process until you finish the ___domain verification.
Unlike the free App Service managed certificate, purchased App Service certificates don't have automated ___domain reverification. Failure to verify ___domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review Confirm ___domain ownership.
The renewal process requires that the service principal for App Service has the required permissions on your key vault. These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.
To change the automatic renewal setting for your App Service certificate at any time, on the App Service Certificates page, select the certificate.
On the left pane, select Auto Renew Settings.
Select On or Off, and then select Save.
If you turn on automatic renewal, certificates can start automatically renewing 32 days before expiration.
To manually renew the certificate instead, select Manual Renew. You can request to manually renew your certificate 60 days before expiration, but certificates can't be issued for longer than 397 days.
After the renewal operation finishes, select Sync.
The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.
If you don't select Sync, App Service automatically syncs your certificate within 24 hours.
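The figures in this section (32-day auto-renewal window, 60-day manual-renewal window, 397-day maximum validity, and the 395-day reverification rule) combine into a useful pre-flight check for a certificate inventory. The following is an added example, not code from the article or from Microsoft: it reports whether a renewal attempted today would be allowed and whether it would stall in Pending issuance waiting for ___domain verification. The names, dates, and the way the 397-day cap is applied to the new expiry are assumptions.

```python
# Added example (not Microsoft's code): a renewal-window check built from the
# figures in this section, for a monitoring script that runs against your own
# inventory of App Service certificates. Dates and names below are constructed.
from datetime import date, timedelta

AUTO_RENEW_DAYS = 32       # auto-renewal can start this many days before expiry
MANUAL_RENEW_DAYS = 60     # manual renewal can be requested this many days before expiry
MAX_VALIDITY_DAYS = 397    # an issued certificate can't be valid for longer than this
REVERIFY_AFTER_DAYS = 395  # renewal or rekey needs ___domain verification past this


def renewal_status(today: date, expires: date, last_verified: date, auto_renew: bool) -> dict:
    """Describe what a renewal attempted on `today` would look like."""
    days_left = (expires - today).days
    needs_verification = (today - last_verified).days > REVERIFY_AFTER_DAYS
    # Assumption: renewal adds one year to the current expiry, but the new
    # certificate is capped at 397 days of validity counted from issuance.
    new_expiry = min(expires + timedelta(days=365), today + timedelta(days=MAX_VALIDITY_DAYS))
    return {
        "days_left": days_left,
        "auto_renew_window_open": auto_renew and 0 <= days_left <= AUTO_RENEW_DAYS,
        "manual_renew_allowed": 0 <= days_left <= MANUAL_RENEW_DAYS,
        # Without verification the order sits in "Pending issuance" and the
        # renewal fails; purchased certificates do not reverify on their own.
        "domain_verification_required": needs_verification,
        "new_expiry": new_expiry,
    }


def needs_attention(certs: list, today: date) -> list:
    """Names an operator should act on today: certificates whose renewal would
    block on ___domain verification, or that are inside the manual-renewal
    window with auto-renewal turned off."""
    flagged = []
    for c in certs:
        s = renewal_status(today, c["expires"], c["last_verified"], c["auto_renew"])
        if s["domain_verification_required"] or (s["manual_renew_allowed"] and not c["auto_renew"]):
            flagged.append(c["name"])
    return flagged


# Constructed inventory and "today" (names and dates are not real).
AS_OF = date(2024, 3, 1)
INVENTORY = [
    {"name": "contoso-com", "expires": date(2024, 4, 10), "last_verified": date(2023, 1, 1), "auto_renew": True},
    {"name": "api-contoso", "expires": date(2024, 3, 20), "last_verified": date(2024, 1, 1), "auto_renew": True},
    {"name": "legacy-shop", "expires": date(2024, 4, 25), "last_verified": date(2024, 2, 1), "auto_renew": False},
]

if __name__ == "__main__":
    print(needs_attention(INVENTORY, AS_OF))
```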
Rekey an App Service certificate
If you think your certificate's private key is compromised, you can rekey your certificate. This action rotates the certificate with a new certificate issued from the certificate authority.
As of September 23, 2021, if you haven't verified the ___domain in the last 395 days, App Service certificates require ___domain verification during a renewal, autorenewal, or rekey process. The new certificate order remains in Pending issuance mode during the renewal, autorenewal, or rekey process until you finish the ___domain verification.
Unlike the free App Service managed certificate, purchased App Service certificates don't have automated ___domain reverification. Failure to verify ___domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review Confirm ___domain ownership.
The rekey process requires that the service principal for App Service has the required permissions on your key vault. These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.
On the App Service Certificates page, select the certificate. On the left pane, select Rekey and Sync.
To start the process, select Rekey. This process can take 1 to 10 minutes to finish.
You might also be required to reconfirm ___domain ownership.
After the rekey operation finishes, select Sync.
The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.
If you don't select Sync, App Service automatically syncs your certificate within 24 hours.
Export an App Service certificate
Because an App Service certificate is a Key Vault secret, you can export a copy as a .pfx file, which you can use for other Azure services or outside of Azure.
The exported certificate is an unmanaged artifact. App Service doesn't sync such artifacts when the App Service certificate is renewed. You must export and install the renewed certificate where necessary.
On the App Service Certificates page, select the certificate.
On the left pane, select Export Certificate.
Select Open Key Vault Secret.
Select the certificate's current version.
Select Download as a certificate.
The downloaded .pfx file is a raw PKCS12 file that contains both the public and private certificates and has an import password that's an empty string. You can locally install the file by leaving the password field empty. You can't upload the file as it is into App Service because the file isn't password protected.
Use Azure Advisor for App Service certificates
An App Service certificate is integrated with Azure Advisor to provide reliability recommendations for when your certificate requires ___domain verification. If you haven't verified the ___domain in the last 395 days, you must verify ___domain ownership for your certificate during the renewal, autorenewal, or rekey process. To make sure that you don't miss any certificate that requires verification or risk any certificate from expiring, use Advisor to view and set up alerts for the App Service certificate.
View Advisor recommendations
To view Advisor recommendations for the App Service certificate:
Go to the Azure Advisor page.
On the left pane, select Recommendations > Reliability.
Select the filter option Type equals and search for App Service Certificates in the dropdown list. If the value doesn't exist in the dropdown list, that means no recommendation was generated for your App Service certificate resources because none of them requires ___domain ownership verification.
Create Advisor alerts
You create Advisor alerts on new recommendations by using different configurations. To set up Advisor alerts specifically for an App Service certificate so that you can get notifications when your certificate requires ___domain ownership validation:
Go to the Azure Advisor page.
On the left pane, select Monitoring > Alerts (Preview).
Select + New Advisor Alert on the bar at the top to open the Create Advisor Alerts pane.
Under Condition, select the following option:
Setting | Value |
---|---|
Configured by | Recommendation type |
Recommendation type | Domain verification required to issue your App Service certificate |
Fill out the rest of the required fields, and then select Create alert.
Delete an App Service certificate
If you delete an App Service certificate, the delete operation is irreversible and final. The result is a revoked certificate. Any binding in App Service that uses the certificate becomes invalid.
On the App Service Certificates page, select the certificate.
On the left pane, select Overview > Delete.
When the confirmation box opens, enter the certificate name, and then select OK.
Frequently asked questions
Why doesn't my App Service certificate have a value in Key Vault?
Your App Service certificate is probably not yet ___domain verified. Until ___domain ownership is confirmed, your App Service certificate isn't ready for use. As a key vault secret, it maintains an Initialize tag, and its value and content type remain empty. When ___domain ownership is confirmed, the key vault secret shows a value and a content type, and the tag changes to Ready.
Why can't I export my App Service certificate with PowerShell?
Your App Service certificate is probably not yet ___domain verified. Until ___domain ownership is confirmed, your App Service certificate isn't ready for use.
What changes does the App Service certificate creation process make to my existing key vault?
The creation process makes the following changes:
- Adds two access policies in the vault:
  - Microsoft Azure App Service (or Microsoft.Azure.WebSites)
  - Microsoft certificate reseller CSM Resource Provider (or Microsoft.Azure.CertificateRegistration)
- Creates a delete lock called AppServiceCertificateLock on the vault to prevent accidental deletion of the key vault.