Merge pull request #294241 from yutanglin16/patch-10

Add warning about domain ownership verification for ASC rekey

Author: prmerger-automator[bot]

articles/app-service/configure-ssl-app-service-certificate.md

@@ -139,6 +139,13 @@ By default, App Service certificates have a one-year validity period. Before the
 
 If you think your certificate's private key is compromised, you can rekey your certificate. This action rotates the certificate with a new certificate issued from the certificate authority.
 
+> [!NOTE]
+> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew, auto-renew, or rekey process. The new certificate order remains in "pending issuance" mode during the renew, auto-renew, or rekey process until you complete the domain verification.
+> 
+> Unlike the free App Service managed certificate, purchased App Service certificates don't have automated domain re-verification. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).
+>
+> The rekey process requires that the service principal for App Service has the required permissions on your key vault. These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.
+
 1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. From the left menu, select **Rekey and Sync**.
 
 1. To start the process, select **Rekey**. This process can take 1-10 minutes to complete.