You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/app-service-managed-certificate-changes-july-2025.md
+8-7Lines changed: 8 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,21 +31,22 @@ For a detailed explanation of the underlying changes at DigiCert, refer to [chan
31
31
32
32
You can't create or renew ASMCs if your:
33
33
1. Site is not publicly accessible.
34
-
- Public accessibility to your app is required. If your app is only accessible privately (for example, requiring a client certificate for access, disabling public network access, using private endpoints or IP restrictions), you will not be able to create or renew a managed certificate.
35
-
- Other site configurations or setup methods not explicitly listed here that restrict public access, such as firewalls, authentication gateways, or any custom access policies, can also impact eligibility for managed certificate issuance or renewal.
34
+
- Public accessibility to your app is required. If your app is only accessible through private configurations, such as requiring a client certificate, disabling public network access, using private endpoints, or applying IP restrictions, you can't create or renew a managed certificate.
35
+
- Other configurations that restrict public access, such as firewalls, authentication gateways, or custom access policies, may also affect eligibility for managed certificate issuance or renewal.
36
+
36
37
1. Site is an Azure Traffic Manager "nested" or "external" endpoint:
37
-
- Only "Azure Endpoints" on Traffic Manager will be supported for certificate creation and renewal.
38
-
- "Nested endpoints" and "External endpoints" will not be supported.
38
+
- Only "Azure Endpoints" on Traffic Manager is supported for certificate creation and renewal.
39
+
- "Nested endpoints" and "External endpoints" is not supported.
39
40
1. Site relies on _*.trafficmanager.net_ domains.
40
-
- Certificates for _*.trafficmanager.net_ domains will not be supported for creation or renewal.
41
+
- Certificates for _*.trafficmanager.net_ domains is not supported for creation or renewal.
41
42
42
43
Existing certificates remain valid until expiration (up to six months), but will not renew automatically if your configuration is unsupported.
43
44
44
45
## Identify impacted resources
45
-
You can use [Azure Resource Graph (ARG)](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade) queries to help identify resources that may be affected under each scenario. Note that these queries are provided as a starting point and may not capture every configuration. Review your environment for any unique setups or custom configurations.
46
+
You can use [Azure Resource Graph (ARG)](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade) queries to help identify resources that may be affected under each scenario. These queries are provided as a starting point and may not capture every configuration. Review your environment for any unique setups or custom configurations.
46
47
47
48
### Scenario 1: Site is not publicly accessible
48
-
This ARG query retrieves a list of sites that either have the public network access property disabled or are configured to use client certificates. It then filters for sites that are using App Service Managed Certificates (ASMC) for their custom hostname SSL bindings. These certificates are the ones that could be affected by the upcoming changes. However, note that this query does not provide complete coverage, as there may be other configurations impacting public access to your app that are not included here. Ultimately, this query serves as a helpful guide for users, but a thorough review of your environment is recommended. You can copy this query, paste it into [ARG Explorer](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade), and then click "Run query" to view the results for your environment.
49
+
This ARG query retrieves a list of sites that either have the public network access property disabled or are configured to use client certificates. It then filters for sites that are using App Service Managed Certificates (ASMC) for their custom hostname SSL bindings. These certificates are the ones that could be affected by the upcoming changes. However, this query does not provide complete coverage, as there may be other configurations impacting public access to your app that are not included here. Ultimately, this query serves as a helpful guide for users, but a thorough review of your environment is recommended. You can copy this query, paste it into [ARG Explorer](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade), and then click "Run query" to view the results for your environment.
49
50
50
51
```kql
51
52
// ARG Query: Identify App Service sites that commonly restrict public access and use ASMC for custom hostname SSL bindings
0 commit comments