I've replaced the certificate on some app proxy apps, but the site is still loading the msappproxy cert

Question

I've replaced the certificate on some app proxy apps, but the site is still loading the msappproxy cert

Matt Chapman 0

Hi

I've created some enterprise apps and configured them for app proxy.

I also have a wildcard cert for my domain, and have uploaded this cert to the apps

User's image

But, when I go to the site, I get a certificate error and looking at the cert, it's the default *.msappproxy.net one

User's image

I've done this before with no problems, but have replaced the cert as it had expired.

Can anyone help me figure out why the uploaded cert hasn't taken?

Thanks

Matt

Navya 19,875 Reputation points Microsoft External Staff Moderator

2025-01-23T12:30:02.0966667+00:00
Hi @Matt Chapman

Thank you for posting this in Microsoft Q&A.

I understand that you have replaced the certificate on some App Proxy apps, but the site is still loading the msappproxy certificate. Based on the information you provided, I gather that you are using a wildcard certificate. To resolve the issue, could you please check the following:

Can you confirm that the wildcard matches the external URL?

Are you using the wildcard certificate for subdomains? If you're using the same certificate to secure a subdomain not covered by the wildcard, you'll need to add that subdomain as a Subject Alternative Name (SAN) in the certificate.

Could you please share a screenshot of the certificate error to help us better understand the issue?"

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.
Matt Chapman 0 Reputation points

2025-01-24T11:17:26.25+00:00
Hi Navya

Thanks for the response.

Yes, the wildcard cert is on use on my website and is signed by comodo.

I've used the previous version of the cert (I renewed it in December) and everything was fine and surely the point of a wildcard certificate is that you don't need to add the subdomains, hence the *.domain.com....

I added the issue to my question. You can see that the app proxy has a certificate ending in "k.uk" (sorry, I would prefer not to add my actual domain here) and when going to the site, the certificate (in the second screenshot) being used is the msapproxy.net.

Matt
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-02-06T20:21:22.22+00:00

Hi @Matt Chapman , so sorry for the delay in response. I'm reviewing this case now. Are you still having the issue?
Matt Chapman 0 Reputation points

2025-02-07T15:24:49.8966667+00:00

Hi James,

I am still having the issue yes.
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-02-07T22:39:31.25+00:00

Hi @Matt Chapman , I sent you a private message

1 answer

Your answer

Navya 19,875 Reputation points Microsoft External Staff Moderator

2025-01-23T12:30:02.0966667+00:00

Hi @Matt Chapman

Thank you for posting this in Microsoft Q&A.

I understand that you have replaced the certificate on some App Proxy apps, but the site is still loading the msappproxy certificate. Based on the information you provided, I gather that you are using a wildcard certificate. To resolve the issue, could you please check the following:

Can you confirm that the wildcard matches the external URL?

Are you using the wildcard certificate for subdomains? If you're using the same certificate to secure a subdomain not covered by the wildcard, you'll need to add that subdomain as a Subject Alternative Name (SAN) in the certificate.

Could you please share a screenshot of the certificate error to help us better understand the issue?"

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.
Matt Chapman 0 Reputation points

2025-01-24T11:17:26.25+00:00

Hi Navya

Thanks for the response.

Yes, the wildcard cert is on use on my website and is signed by comodo.

I've used the previous version of the cert (I renewed it in December) and everything was fine and surely the point of a wildcard certificate is that you don't need to add the subdomains, hence the *.domain.com....

I added the issue to my question. You can see that the app proxy has a certificate ending in "k.uk" (sorry, I would prefer not to add my actual domain here) and when going to the site, the certificate (in the second screenshot) being used is the msapproxy.net.

Matt
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-02-06T20:21:22.22+00:00

Hi @Matt Chapman , so sorry for the delay in response. I'm reviewing this case now. Are you still having the issue?
Matt Chapman 0 Reputation points

2025-02-07T15:24:49.8966667+00:00

Hi James,

I am still having the issue yes.
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-02-07T22:39:31.25+00:00

Hi @Matt Chapman , I sent you a private message

Answer 1

@James Hamil Thank you for the case. This is now resolved.

The issue boiled down to a change I made to the name of my Azure domain back in December to update my sharepoint URL. This included adding a new "onmicrosoft" domain.

When adding the app proxy to applications in Entra, the blue banner at the bottom informs to add the CNAME pointing to the new domain (i.e. ilo-newdomain.msappproxy.net), but the CNAME needs to still point to the original domain.

Once we changed this, the certificates were identified correctly and the apps loaded correctly.

Share via

I've replaced the certificate on some app proxy apps, but the site is still loading the msappproxy cert

1 answer

Your answer