|
| 1 | +--- |
| 2 | +title: App Service Managed Certificate (ASMC) Changes – July 28, 2025 |
| 3 | +description: Learn about the upcoming changes to App Service Managed Certificates due to DigiCert's validation platform update and how to mitigate impact. |
| 4 | +author: yutanglin16 |
| 5 | +ms.author: yutlin |
| 6 | +ms.service: azure-app-service |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 07/28/2025 |
| 9 | +--- |
| 10 | + |
| 11 | +# App Service Managed Certificate (ASMC) changes – July 28, 2025 |
| 12 | + |
| 13 | +Starting July 28, 2025, Azure App Service Managed Certificates (ASMC) are subject to new issuance and renewal requirements due to DigiCert’s migration to a new validation platform. This change is driven by industry-wide compliance with Multi-Perspective Issuance Corroboration (MPIC). |
| 14 | + |
| 15 | +For a detailed explanation of the underlying changes at DigiCert, refer to [changes to the managed Transport Layer Security (TLS) feature](../security/fundamentals/managed-tls-changes.md). |
| 16 | + |
| 17 | +## What’s changing |
| 18 | + |
| 19 | +- **Validation method update**: ASMC now uses HTTP Token validation for both apex and subdomains. Previously, subdomains were validated using CNAME records, which did not require public access. With HTTP Token, DigiCert must reach a specific endpoint on your app to verify domain ownership. |
| 20 | + |
| 21 | + App Service automatically places the required token at the correct path for validation. This process applies to both initial certificate issuance and renewals, meaning: |
| 22 | + |
| 23 | + - The customer experience for requesting an ASMC or proving domain ownership remains unchanged. |
| 24 | + - All API and CLI request payloads for ASMC creation or renewal are unaffected. |
| 25 | + - No customer action is needed to place or manage the token. |
| 26 | + |
| 27 | + > [!IMPORTANT] |
| 28 | + > While App Service continues to handle token placement automatically during renewals, DigiCert must still reach the validation endpoint on your app. Public access is still required at the time of renewal. If your app is not publicly accessible, renewal fails even if the token is correctly placed. |
| 29 | +
|
| 30 | +## Impacted scenarios |
| 31 | + |
| 32 | +You can't create or renew ASMCs if: |
| 33 | +- Your app is not publicly accessible. |
| 34 | +- You use Azure Traffic Manager with nested or external endpoints. |
| 35 | +- You rely on `*.trafficmanager.net` domains. |
| 36 | + |
| 37 | +Existing certificates remain valid until expiration (up to 6 months), but will not renew automatically if your configuration is unsupported. |
| 38 | + |
| 39 | +## Mitigation guidance |
| 40 | + |
| 41 | +### Scenario 1: Site is not publicly accessible |
| 42 | + |
| 43 | +Apps that are not accessible from the public internet will not be able to create or renew ASMCs. This includes restrictions via private endpoints, firewalls, IP restrictions, client certificates, authentication gateways, or custom access policies. |
| 44 | + |
| 45 | +We recognize that making applications publicly accessible may conflict with customer security policies or introduce risk. The recommended mitigation is to replace ASMC with a custom certificate and update the TLS/SSL binding for your custom domain. |
| 46 | + |
| 47 | +**Recommended steps:** |
| 48 | + |
| 49 | +1. **Acquire a certificate for your custom domain** |
| 50 | + You may use any certificate provider that meets your security and operational requirements. The certificate should be compatible with Azure App Service and ideally stored in Azure Key Vault for easier management. |
| 51 | + |
| 52 | +2. **Add the certificate to the site** |
| 53 | + After acquiring a certificate for your custom domain, you need to upload it to your App Service app and configure it for use. After acquiring a certificate for your custom domain, you need to upload it to your App Service app and configure it for use. |
| 54 | + > [!TIP] |
| 55 | + > Make sure to [authorized App Service to read the certificates from Key vault](configure-ssl-certificate.md#authorize-app-service-to-read-from-the-vault). Use the specific identity listed in the documentation and not the Managed Identity of the site. |
| 56 | + - [REST API: Import KV certificate to site](/rest/api/appservice/certificates/create-or-update) |
| 57 | + - [CLI: Import KV certificate to site](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-import) |
| 58 | + |
| 59 | +4. **Update the custom domain binding** |
| 60 | + > [!IMPORTANT] |
| 61 | + > **To avoid any service downtime, do not delete the TLS/SSL binding**. You can update the binding with the new certificate thumbprint or name that was added to the web app without deleting the current binding. |
| 62 | +
|
| 63 | + - [REST API: Update hostname binding](/rest/api/appservice/web-apps/create-or-update-host-name-binding) |
| 64 | + - [CLI: Update hostname binding](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-bind) |
| 65 | + |
| 66 | +5. **Remove other dependencies on ASMC** |
| 67 | + |
| 68 | + - **Custom domain TLS/SSL bindings** |
| 69 | + Determine whether ASMCs are actively used for TLS/SSL bindings in your web app's custom domain configuration. If so, follow the steps above to replace the certificate and update the binding. |
| 70 | + |
| 71 | + - **Certificate used in application code** |
| 72 | + Certificates may be used in application code for tasks such as authentication. If your app uses the `WEBSITE_LOAD_CERTIFICATES` setting to load ASMCs, update your code to use the new certificate instead. |
| 73 | + |
| 74 | +6. **Delete ASMC resources** |
| 75 | + After confirming that your environment or services no longer depend on ASMC, delete the ASMCs associated with your site. |
| 76 | + Deleting ASMCs helps prevent accidental reuse, which could result in service downtime when the certificate fails to renew. |
| 77 | + |
| 78 | + - [REST API: Delete Certificate](/rest/api/appservice/certificates/delete) |
| 79 | + - [CLI: Delete certificate](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-delete) |
| 80 | + |
| 81 | +**Temporary mitigation: DigiCert IP allowlisting** |
| 82 | +Some customers may choose to allowlist [DigiCert’s domain validation IPs](https://knowledge.digicert.com/alerts/ip-address-domain-validation) as a short-term workaround. This can help buy time to move away from using ASMC for websites that aren’t publicly accessible, especially given the short notice of the change. |
| 83 | +> [!NOTE] |
| 84 | +> Allowlisting DigiCert's IP isn’t an official or supported long-term solution. Microsoft’s stance remains that **public access is required** to avoid potential service disruptions. Consider the following: |
| 85 | +> |
| 86 | +> - DigiCert manages its own IPs and may change them without notice. |
| 87 | +> - Microsoft doesn’t control DigiCert’s infrastructure and can’t guarantee the documentation stay up to date. |
| 88 | +> - Microsoft doesn’t provide alerts if DigiCert updates its IPs. |
| 89 | +> - Use this approach at your own risk. |
| 90 | +
|
| 91 | +For guidance on configuring access restrictions, refer to [set up Azure App Service access restrictions](app-service-ip-restrictions.md). |
| 92 | + |
| 93 | + |
| 94 | +### Scenario 2: Azure Traffic Manager with nested or external endpoints |
| 95 | + |
| 96 | +Only “Azure Endpoints” are supported. “Nested” and “External” endpoints are not supported for ASMC validation. |
| 97 | + |
| 98 | +**Recommended mitigation:** |
| 99 | + |
| 100 | +- Switch to Azure Endpoints or use a custom domain secured with a custom certificate. |
| 101 | +- For guidance on using App Service as an Azure Traffic Manager endpoint, refer to [App Service and Traffic Manager Profiles](web-sites-traffic-manager.md#app-service-and-traffic-manager-profiles). |
| 102 | + |
| 103 | + |
| 104 | +### Scenario 3: Use of trafficmanager.net domains |
| 105 | + |
| 106 | +Certificates for `*.trafficmanager.net` domains are not supported. If your app relies on this domain and uses ASMC, you need to remove that dependency and secure your app using a custom domain and certificate. |
| 107 | + |
| 108 | +**Recommended steps:** |
| 109 | + |
| 110 | +1. **Add a custom domain to the site** |
| 111 | + You can configure a custom domain that points to your `trafficmanager.net` endpoint and secure it with your own certificate. |
| 112 | + |
| 113 | + - If the custom domain is not yet live or does not currently serve traffic, refer to [set up custom domain name for your app](app-service-web-tutorial-custom-domain.md). |
| 114 | + - If the domain is already active and serving traffic, refer to [migrate an active domain](manage-custom-dns-migrate-domain.md). |
| 115 | + |
| 116 | + > [!IMPORTANT] |
| 117 | + > If the site restricts public access, do not use ASMC to secure the custom domain. This scenario is impacted by the validation change and will result in certificate issuance or renewal failure. |
| 118 | +
|
| 119 | +3. **Acquire a certificate for the custom domain** |
| 120 | + You may use any certificate provider that meets your security and operational requirements. The certificate should be compatible with Azure App Service and ideally stored in Azure Key Vault for easier management. |
| 121 | + |
| 122 | +4. **Add the certificate to the site** |
| 123 | + > [!TIP] |
| 124 | + > Make sure to [authorized App Service to read the certificates from Key vault](configure-ssl-certificate.md#authorize-app-service-to-read-from-the-vault). Use the specific identity listed in the documentation—not the Managed Identity of the site. |
| 125 | + - [REST API: Import KV certificate to site](/rest/api/appservice/certificates/create-or-update) |
| 126 | + - [CLI: Import KV certificate to site](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-import) |
| 127 | + |
| 128 | +5. **Create a custom domain binding** |
| 129 | + |
| 130 | + - [REST API: Create hostname binding](/rest/api/appservice/web-apps/create-or-update-host-name-binding) |
| 131 | + - [CLI: Update Create hostname binding](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-bind) |
| 132 | + |
| 133 | +6. **Remove other dependencies on ASMC** |
| 134 | + |
| 135 | + - **Custom domain TLS/SSL bindings** |
| 136 | + Determine whether ASMCs are actively used for TLS/SSL bindings in your web app's custom domain configuration. If so, follow the steps above to replace the certificate and update the binding. |
| 137 | + |
| 138 | + - **Certificate used in application code** |
| 139 | + Certificates may be used in application code for tasks such as authentication. If your app uses the `WEBSITE_LOAD_CERTIFICATES` setting to load ASMCs, update your code to use the new certificate instead. |
| 140 | + |
| 141 | +7. **Delete ASMC resources** |
| 142 | + After confirming that your environment or services no longer depend on ASMC, delete the ASMCs associated with your site. |
| 143 | + Deleting ASMCs helps prevent accidental reuse, which could result in service downtime when the certificate fails to renew. |
| 144 | + |
| 145 | + - [REST API: Delete Certificate](/rest/api/appservice/certificates/delete) |
| 146 | + - [CLI: Delete certificate](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-delete) |
| 147 | + |
| 148 | + |
| 149 | +## Frequently asked questions (FAQ) |
| 150 | + |
| 151 | +**Why is public access now required?** |
| 152 | +Due to MPIC compliance, App Service is migrating to Http Token validation for all ASMC creation and renewal requests. DigiCert must verify domain ownership by reaching a specific endpoint on your app. A successful validation with Http token is only possible if the app is publicly accessible. |
| 153 | + |
| 154 | +**Can I still use CNAME records?** |
| 155 | +Yes, you can still use CNAME records for domain name system (DNS) routing and for verifying domain ownership. |
| 156 | + |
| 157 | +**What if I allowlist DigiCert IP addresses?** |
| 158 | +Allowlisting DigiCert’s domain validation IPs may work as a temporary workaround. However, Microsoft cannot guarantee that these IPs won’t change. DigiCert may update them without notice, and Microsoft does not maintain documentation for these IPs. Customers are responsible for monitoring and maintaining this configuration. |
| 159 | + |
| 160 | +**Are certificates for \*.azurewebsites.net impacted?** |
| 161 | +No, these changes do not apply to the *.azurewebsites.net certificates. ASMC is only issued to customer’s custom domain and not the default hostname. |
| 162 | + |
| 163 | + |
| 164 | +## Other resources |
| 165 | + |
| 166 | +- [Important Changes to App Service Managed Certificates – Tech Community Blog](https://techcommunity.microsoft.com/blog/appsonazureblog/important-changes-to-app-service-managed-certificates-is-your-certificate-affect/4435193) |
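Review bot: the FAQ answer under "Can I still use CNAME records?" ("Yes, you can still use CNAME records for domain name system (DNS) routing and for verifying domain ownership") reads as contradicting the "Validation method update" bullet, which says subdomains are no longer validated with CNAME records and that DigiCert now has to reach the HTTP Token endpoint on the app; state explicitly that a CNAME still satisfies App Service's own custom-domain ownership verification but no longer satisfies DigiCert's certificate validation, so a reader does not conclude that keeping a CNAME lets a non-public app keep renewing. Smaller fixes in the same file: Scenario 1 step 2 repeats the sentence "After acquiring a certificate for your custom domain, you need to upload it to your App Service app and configure it for use." twice; the Scenario 1 steps are numbered 1, 2, 4, 5, 6 and the Scenario 3 steps 1, 3, 4, 5, 6, 7, so renumber them consecutively (or use "1." throughout and let the renderer count); both TIP blocks should read "authorize App Service to read the certificates from Key Vault" rather than "authorized"; the NOTE bullet "can't guarantee the documentation stay up to date" needs "stays"; the Scenario 3 step 5 link text "CLI: Update Create hostname binding" has a stray word; and the first FAQ answer uses "Http Token" and "Http token" where the rest of the page writes "HTTP Token".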