articles/app-service/configure-ssl-app-service-certificate.md
11 additions & 12 deletions
@@ -78,18 +78,18 @@ If you purchase an App Service certificate from Azure, Azure manages the followi
78
78
|**Purge protection**| Enabling this option forces all deleted objects to remain in soft-deleted state for the entire duration of the retention period. |
79
79
80
80
1. Select **Next** and then select **Vault access policy**. Currently, App Service certificates support only Key Vault access policies, not the RBAC model.
81
-
1. Select **Review + create**, then select **Create**.
82
-
1. After the key vault is created, don't select **Go to resource** but wait for the **Select key vault from Azure Key Vault page** to reload.
81
+
1. Select **Review + create**, and then select **Create**.
82
+
1. After the key vault is created, don't select **Go to resource**. Wait for the **Select key vault from Azure Key Vault** page to reload.
83
83
1. Select **Select**.
84
84
1. After you select the vault, close the **Key Vault Repository** page. The **Step 1: Store** option should show a green check mark to indicate success. Keep the page open for the next step.
85
85
86
86
#### Confirm domain ownership
87
87
88
-
1. From the same **Certificate Configuration** page in the previous section, select **Step 2: Verify**.
88
+
1. From the same **Certificate Configuration** page as in the previous section, select **Step 2: Verify**.
89
89
90
-
:::image type="content" source="media/configure-ssl-certificate/verify-domain.png" alt-text="Screenshot of 'Certificate Configuration' pane with 'Step 2: Verify' selected.":::
90
+
:::image type="content" source="media/configure-ssl-certificate/verify-domain.png" alt-text="Screenshot of the Certificate Configuration pane with 'Step 2: Verify' selected.":::
91
91
92
-
1. Select **App Service Verification**. However, because you previously mapped the domain to your web app per the [Prerequisites](#prerequisites), the domain is already verified. To finish this step, just select **Verify**, and then select **Refresh** until the message **Certificate is Domain Verified** appears.
92
+
1. Select **App Service Verification**. Because you previously mapped the domain to your web app per the [Prerequisites](#prerequisites), the domain is already verified. To finish this step, just select **Verify**, and then select **Refresh** until the message **Certificate is Domain Verified** appears.
93
93
94
94
The following domain verification methods are supported:
95
95
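Review bot: The rewritten verification step (new line 92) says the domain "is already verified" and then tells the reader to select **Verify** and **Refresh** until **Certificate is Domain Verified** appears, which reads as contradictory now that "However" has been dropped. Suggest wording it so that ownership is already established by the existing domain mapping and selecting **Verify** only confirms it for the certificate order, and drop "just". Separately, the new alt text on line 90 leaves Certificate Configuration unquoted while keeping 'Step 2: Verify' in quotes; quote both or neither.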
@@ -98,34 +98,33 @@ The following domain verification methods are supported:
98
98
|**App Service Verification**| The most convenient option when the domain is already mapped to an App Service app in the same subscription because the App Service app has already verified the domain ownership. Review the last step in [Confirm domain ownership](#confirm-domain-ownership). |
99
99
|**Domain Verification**| Confirm an [App Service domain that you purchased from Azure](manage-custom-dns-buy-domain.md). Azure automatically adds the verification TXT record for you and completes the process. |
100
100
|**Mail Verification**| Confirm the domain by sending an email to the domain administrator. Instructions are provided when you select the option. |
101
-
|**Manual Verification**| Confirm the domain by using either a DNS TXT record or an HTML page, which applies only to **Standard** certificates per the following note.The steps are provided after you select the option. The HTML page option doesn't work for web apps with "HTTPS Only' enabled. For domain verification via DNS TXT record for either root domain (ie. "contoso.com") or subdomain (ie. "www.contoso.com", "test.api.contoso.com") and regardless of certificate SKU, you need to add a TXT record at the root domain level using '@' for the name and the domain verification token for the value in your DNS record. |
101
+
|**Manual Verification**| Confirm the domain by using either a DNS TXT record or an HTML page, which applies only to Standard certificates. (See the following note.) The steps are provided after you select the option. The HTML page option doesn't work for web apps with **HTTPS Only** enabled. For domain verification via DNS TXT record for either the root domain (for example, `contoso.com`) or the subdomain (for example, `www.contoso.com` or `test.api.contoso.com`) and regardless of the certificate SKU, you need to add a TXT record at the root domain level, using `@` for the name and the domain verification token for the value in your DNS record. |
102
102
103
103
> [!IMPORTANT]
104
-
> With the **Standard** certificate, you get a certificate for the requested top-level domain *and* the `www` subdomain, for example, `contoso.com` and `www.contoso.com`. However, **App Service Verification** and **Manual Verification** both use HTML page verification, which doesn't support the `www` subdomain when issuing, rekeying, or renewing a certificate. For the **Standard** certificate, use **Domain Verification** and **Mail Verification** to include the `www` subdomain with the requested top-level domain in the certificate.
104
+
> With the Standard certificate, you get a certificate for the requested top-level domain *and* the `www` subdomain, for example, `contoso.com` and `www.contoso.com`. However, App Service Verification and Manual Verification both use HTML page verification, which doesn't support the `www` subdomain when you issue, rekey, or renew a certificate. For the Standard certificate, use Domain Verification and Mail Verification to include the `www` subdomain with the requested top-level domain in the certificate.
105
105
106
106
Once your certificate is domain-verified, [you're ready to import it into an App Service app](configure-ssl-certificate.md#import-an-app-service-certificate).
107
107
108
108
## Renew an App Service certificate
109
109
110
-
By default, App Service certificates have a one-year validity period. Before and nearer to the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.
110
+
By default, App Service certificates have a one-year validity period. Before the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.
111
111
112
112
> [!NOTE]
113
113
> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew or rekey process. The new certificate order remains in "pending issuance" mode during the renew or rekey process until you complete the domain verification.
114
114
>
115
-
> Unlike the free App Service managed certificate, domain re-verification for App Service certificates *isn't*automated. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).
115
+
> Unlike the free App Service managed certificate, App Service certificates don't have automated domain re-verification. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).
116
116
>
117
117
> The renewal process requires that the well-known [service principal for App Service has the required permissions on your key vault](deploy-resource-manager-template.md#deploy-web-app-certificate-from-key-vault). These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.
118
118
119
119
1. To change the automatic renewal setting for your App Service certificate at any time, on the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.
120
120
121
121
1. On the left menu, select **Auto Renew Settings**.
122
122
123
-
1. Select **On** or **Off**, and select **Save**.
123
+
1. Select **On** or **Off**, and then select **Save**.
124
124
125
125
If you turn on automatic renewal, certificates can start automatically renewing 32 days before expiration.
126
126
127
-
> [!div class="mx-imgBorder"]
128
-
> 
127
+
:::image type="content" source="./media/configure-ssl-certificate/auto-renew-app-service-cert.png" alt-text="Screenshot of specified certificate's auto renewal settings." lightbox="./media/configure-ssl-certificate/auto-renew-app-service-cert.png" :::
129
128
130
129
1. To manually renew the certificate instead, select **Manual Renew**. You can request to manually renew your certificate 60 days before expiration, but [the maximum expiration date will be 397 days](https://www.godaddy.com/help/important-notification-about-ssl-offerings-9322).
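Review bot: The reworded Manual Verification row (new line 101) and the IMPORTANT note (new line 104) still disagree: the row offers a DNS TXT record or an HTML page, while the note says Manual Verification uses HTML page verification and therefore can't cover the `www` subdomain. Say in the note whether the `www` limitation applies only to the HTML page option, and in the row make it unambiguous that "which applies only to Standard certificates" refers to the HTML page and not to both methods. The note's last sentence should also read "Domain Verification or Mail Verification" since the reader picks one, and the new image line 127 has a stray space before the closing `:::` that the image on line 90 does not have.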