
Azure API Management Service dropped managed cert for custom domain

Nick Miller 20 Reputation points
2026-03-30T02:33:24.9733333+00:00

Last week this service suddenly stopped serving the managed cert for my custom domain and started serving a cert for .azurewebsites.net. Caused a production outage.
An error message in the Portal pointed here: https://learn.microsoft.com/en-us/azure/api-management/breaking-changes/managed-certificates-suspension-august-2025
However, I don't have any IP filter or NSG settings that would cause the issue according to that article.

I have generated my own certs and uploaded. However, they will not automatically refresh.
What is a long term fix to get managed certs working with custom domain?

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


Answer accepted by question author
  1. Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator
    2026-03-30T02:43:42.2466667+00:00

    Hi @Nick Miller, thank you for reaching out to Microsoft Q&A.

    This is a known issue. The backend team is currently working on some changes and has yet to announce the revised dates. The revised dates for managed certificates will be updated in the document once the changes are completed.


1 additional answer

  1. Q&A Assist
    2026-03-30T02:33:46.55+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The long-term fix is to ensure the environment meets the new requirements so that Azure-managed certificates can be renewed and, outside the suspension window, created again for custom domains.

    Key points and actions:

    1. Understand the suspension window
      • Creation of new managed certificates for custom domains in API Management is suspended from August 15, 2025 to March 15, 2026.
      • During this period, new managed certs cannot be created, but existing managed certs are renewed if the new connectivity and DNS requirements are met.
      • Outside this window, managed cert creation works as before, subject to the new DigiCert validation requirements.
    2. Ensure existing managed certificates can renew
      For existing managed certificates to continue working and auto‑renewing, the following must be in place:
      • Allow inbound traffic from DigiCert IPs on port 80 starting January 2026:
        • If there are any inbound restrictions (NSG, firewall, IP filter policies, etc.), they must allow inbound traffic on port 80 from the specific DigiCert IP addresses.
        • This is required for certificate renewal and CRL checks.
      • Remove or adjust IP filter policies in API Management if used:
        • In the API Management instance, under APIs → [API] or All APIs → Design → Inbound processing, open the policy code editor and either:
          • Remove restrictive ip-filter policies, or
          • Add the DigiCert IP ranges to the allow list.
      • Modify NSG rules (external VNet) if the instance is in a VNet in external mode:
        • In Network security groups → [APIM subnet NSG] → Inbound security rules, either:
          • Delete restrictive rules, or
          • Edit them so Source = IP Addresses and add DigiCert IP addresses on port 80.
      • Modify NSG and Azure Firewall rules (internal VNet) if the instance is in internal mode behind Application Gateway / Front Door / Traffic Manager:
        • Ensure the architecture is: Front Door / Traffic Manager → Application Gateway → API Management (internal VNet).
        • In the NSG for the APIM subnet, allow DigiCert IP addresses on port 80 as above.
        • If Azure Firewall is used, update its Network rules to allow DigiCert IPs on port 80 to APIM.
    3. Ensure DNS is correctly configured for the custom domain
      • For Developer/Basic/Standard/Premium tiers:
        • Configure a CNAME or A record pointing the custom domain to the APIM gateway.
        • Add DigiCert as an authorized CA via a CAA record in the DNS zone.
      • For Consumption tier:
        • Configure a CNAME or TXT record (TXT takes precedence if both exist).
        • Also add a CAA record authorizing DigiCert.
    4. Respect limitations and interactions with other managed certs
      • Managed certificates in APIM:
        • Are preview, gateway‑only, not supported in v2 tiers, and only for public FQDNs (no bare apex).
      • If a free managed certificate is configured on Azure Front Door for the same domain (for example, api.contoso.com), the free managed certificate feature in APIM cannot be used for that domain. In that case, the long‑term solution is to bring your own certificate and upload it to APIM for that custom domain.
    5. During the suspension period (Aug 15, 2025 – Mar 15, 2026)
      • New managed certificates cannot be created.
      • Long‑term continuity during this window requires:
        • Using self‑managed certificates (as already done) for any new or reconfigured custom domains.
        • Ensuring existing managed certificates can still auto‑renew by meeting the port 80 + DigiCert IP + DNS requirements above.
    6. After March 15, 2026
      • Once the migration to the new DigiCert validation platform is complete, the capability to create managed certificates resumes.
      • At that point, for a long‑term managed‑cert solution:
        • Keep the DigiCert IP and port 80 access in place.
        • Keep DNS (CNAME/A/TXT + CAA) correctly configured.
        • Avoid conflicting managed certs on the same hostname in other services (for example, Front Door).

    In summary, the long‑term fix is not a one‑time change but ensuring the environment permanently satisfies:

    • Inbound port 80 access from DigiCert IPs to APIM,
    • Correct DNS (including CAA for DigiCert), and
    • No conflicting managed‑cert usage on the same hostname in other Azure services.

    With these in place, existing managed certificates will continue to auto‑renew, and new managed certificates can be created again outside the August 2025–March 2026 suspension window.


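The answer above lists three prerequisites for a managed certificate to renew (inbound port 80 from the CA's addresses through any NSG, no blocking `ip-filter` policy in API Management, and a CAA record that authorizes DigiCert). The script below is an added example, not code from this thread or from Microsoft, that checks exported configuration against those three requirements offline before changing anything. It assumes NSG rules in the JSON shape that `az network nsg rule list -o json` returns, a policy document copied from the policy code editor, and CAA RDATA strings as returned by a DNS lookup. The `CA_IPS` values are RFC 5737 placeholders, not DigiCert addresses; the real addresses come from the Microsoft article linked in the question. All function names and the sample rules and policies are constructed for this example.

```python
"""Offline pre-checks for the renewal requirements listed in the answer above.

Added example; not code from the Q&A thread or from Microsoft. It evaluates
exported configuration rather than live Azure state:
  - NSG rules in the JSON shape of `az network nsg rule list -o json`
  - an APIM policy document containing <ip-filter> elements
  - a CAA record set as RDATA strings
CA_IPS are RFC 5737 placeholders, NOT DigiCert addresses (assumption).
"""
import ipaddress
import xml.etree.ElementTree as ET

CA_IPS = ["203.0.113.10", "198.51.100.7"]  # placeholders, assumed to be public addresses


def _port_matches(spec, port):
    """NSG port spec: '*', a single port '80', or a range '80-443'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _prefix_matches(prefix, ip):
    """'*' and the Internet tag cover any public source; other service tags
    (VirtualNetwork, ApiManagement, ...) never cover a public CA address."""
    if prefix in ("*", "Internet"):
        return True
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # a service tag, not a CIDR
        return False


def nsg_allows_inbound(rules, src_ip, port=80, protocol="Tcp"):
    """Lowest priority number wins; the first matching inbound rule decides.
    No match means the platform's DenyAllInBound default applies."""
    ip = ipaddress.ip_address(src_ip)
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for r in inbound:
        if r["protocol"] not in ("*", protocol):
            continue
        srcs = r.get("sourceAddressPrefixes") or [r["sourceAddressPrefix"]]
        if not any(_prefix_matches(p, ip) for p in srcs):
            continue
        ports = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        if not any(_port_matches(p, port) for p in ports):
            continue
        return r["access"] == "Allow", r["name"]
    return False, "DenyAllInBound"


def ip_filter_allows(policy_xml, src_ip):
    """Apply every <ip-filter> in the policy document to src_ip: an 'allow'
    filter must list the address, a 'forbid' filter must not."""
    ip = ipaddress.ip_address(src_ip)
    for f in ET.fromstring(policy_xml).iter("ip-filter"):
        listed = any(ipaddress.ip_address(a.text.strip()) == ip
                     for a in f.findall("address"))
        listed = listed or any(
            ipaddress.ip_address(r.get("from")) <= ip <= ipaddress.ip_address(r.get("to"))
            for r in f.findall("address-range"))
        if (f.get("action") == "allow") != listed:
            return False
    return True


def caa_authorizes_digicert(caa_records):
    """caa_records: CAA RDATA strings such as '0 issue "digicert.com"'.
    An empty set permits any CA; a non-empty set must name digicert.com."""
    if not caa_records:
        return True
    return any(r.split()[1] in ("issue", "issuewild") and "digicert.com" in r
               for r in caa_records)


def check_renewal_prerequisites(nsg_rules, policy_xml, caa_records, ca_ips=CA_IPS):
    """One verdict per requirement; all three must be True for renewal to succeed."""
    return {
        "nsg_port80": all(nsg_allows_inbound(nsg_rules, ip)[0] for ip in ca_ips),
        "ip_filter": all(ip_filter_allows(policy_xml, ip) for ip in ca_ips),
        "caa_digicert": caa_authorizes_digicert(caa_records),
    }


# ---- constructed sample configuration (not exported from a real instance) ----
NSG_BEFORE = [  # only 443 is open, so CA traffic on 80 falls through to the default deny
    {"name": "AllowHttpsInbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowMgmtEndpoint", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "ApiManagement", "destinationPortRange": "3443"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
NSG_AFTER = [{"name": "AllowCaValidationHttp", "priority": 105, "direction": "Inbound",
              "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": CA_IPS,
              "destinationPortRange": "80"}] + NSG_BEFORE

POLICY_BEFORE = """<policies><inbound><base />
  <ip-filter action="allow"><address-range from="10.0.0.0" to="10.255.255.255" /></ip-filter>
</inbound></policies>"""
POLICY_AFTER = POLICY_BEFORE.replace(
    "</ip-filter>", "".join(f"<address>{ip}</address>" for ip in CA_IPS) + "</ip-filter>")

if __name__ == "__main__":
    print("before:", check_renewal_prerequisites(NSG_BEFORE, POLICY_BEFORE, ['0 issue "letsencrypt.org"']))
    print("after: ", check_renewal_prerequisites(NSG_AFTER, POLICY_AFTER, ['0 issue "digicert.com"']))
```

The "before" sample reproduces the situation the answer warns about: an external-VNet instance whose NSG only opens 443, a policy that allow-lists an internal range, and a CAA record naming a different CA, so all three verdicts are False. Note that a CAA lookup walks up the DNS tree, so a restrictive CAA record at the zone apex also governs the API hostname even when the hostname itself has none; pass the effective record set, not just the hostname's own.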
