APIM Custom Domain certificate not refreshing automatically

Michal Pipal 25 Reputation points
2023-12-20T13:01:45.2+00:00

We are using API Management with a Custom Domain assigned to the Gateway endpoint. This Custom Domain uses a certificate. The certificate is stored in Key Vault and we are referencing it from the APIM Custom Domains section.

We have been using the infrastructure for a year already and now the time to refresh the certificate occurred. We've updated the certificate in the Key Vault and waited for some time, but for around 30 minutes, we have not seen any change. We are using the same certificate in the Certificates section of another APIM, and this was reloaded manually (Fetch key vault secret button) and started to work immediately.

In the case of Custom Domains, we had to make a random change there, and save it, which triggered the updating process, and after around 50 minutes, it propagated correctly. However, this is a very inconvenient way. Even though the API had no real downtime as stated in the docs, the clients (who refreshed the certificates immediately) were not able to call our APIM (getting certificate mismatch).

Is there some instant way to refresh the certificate immediately? Or at least in some reasonable and predictable time slot?

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

2 answers

  1. MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator
    2023-12-20T15:04:43.45+00:00

    Michal Pipal, thanks for posting your question in Microsoft Q&A. I assume you followed the doc "Configure a custom domain name for your Azure API Management instance" when setting the custom domain for the APIM gateway with a reference to Azure Key Vault. Make sure you have set them to autorenew and inserted as a certificate (not secret) as described in the doc.

    If you have already set them, APIM will pick up the changes from Azure Key Vault in a few hours (except Developer tier) and apply them automatically. In case the client calling APIM has certificate pinning by thumbprint, it should be updated beforehand.

    Note: The current poll time to refresh changes from Key Vault is 4 hours (may change in future) and applying the certificate might take up to 20 mins. Refer to Certificate options for this info.

    To refresh the certificate immediately, you can update it manually via the portal or a PUT command using the REST API.

    I hope this helps with your questions and let me know if you have any other.


    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.

    1 person found this answer helpful.
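An added example, not part of the original question or answers: a Python check that compares the certificate the gateway's custom domain actually serves with the thumbprint of the new Key Vault certificate version, and reports whether a mismatch is still inside the 4 hour poll plus 20 minute apply window quoted above. The function names and the `api.example.com` hostname are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Figures quoted in the answer above (it notes the poll time may change).
POLL_INTERVAL = timedelta(hours=4)
APPLY_WINDOW = timedelta(minutes=20)


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate as uppercase hex."""
    return hashlib.sha1(der).hexdigest().upper()


def served_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate the gateway presents for `host` (SNI set)."""
    ctx = ssl.create_default_context()  # chain and hostname are still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def rotation_status(served_der, new_thumbprint, uploaded_at, now=None):
    """Return 'rotated', 'pending' (inside the quoted window) or 'overdue'."""
    now = now or datetime.now(timezone.utc)
    wanted = new_thumbprint.replace(":", "").replace(" ", "").upper()
    if thumbprint(served_der) == wanted:
        return "rotated"
    deadline = uploaded_at + POLL_INTERVAL + APPLY_WINDOW
    return "pending" if now <= deadline else "overdue"


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes so the demo runs offline; in real use
    # pass served_cert_der("api.example.com") (hypothetical custom domain) and
    # the thumbprint of the new Key Vault certificate version.
    old_der, new_der = b"constructed-old-cert", b"constructed-new-cert"
    uploaded = datetime(2023, 12, 20, 12, 0, tzinfo=timezone.utc)
    for minutes in (30, 260, 300):
        when = uploaded + timedelta(minutes=minutes)
        print(minutes, rotation_status(old_der, thumbprint(new_der), uploaded, when))
    print(rotation_status(new_der, thumbprint(new_der), uploaded, uploaded))
```

An "overdue" result is the signal to trigger the manual update, and running the same check before clients switch their pinned thumbprint avoids the mismatch described in the question.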

  2. Venkatraman Natarajan 0 Reputation points
    2025-05-20T17:06:46.3533333+00:00

    Hi Everyone,

    In Consumption plan APIM, the certificate is not refreshed even after 12 hours. We need to upload the latest cert to Key Vault every year, and then APIM should fetch it automatically. It is happening in Premium tier APIM but not in the Consumption plan.

    Could you please help us with this?

    Thanks,

