App Services Certificates issue with apple not compliant with Apple's Certificate Transparency policy

Question

App Services Certificates issue with apple not compliant with Apple's Certificate Transparency policy

Somiya 246

Hi Team,
I am using App services certificates for my websites running on app services, I issued a certificate on "Saturday, April 24, 2021, 1:41:34 AM GMT+9" but now this certificate is not compliant with Apple certificate Transparency policy as macOS 11.4 and iOS 14.6 impose some new requirements on publicly-trusted SSL certificates which were issued on or after April 21 2021 .

Even though my certificate expires in next year but it shows the certificate is invalid. Is there a way I can reissue the certificate or resolve this issue

Here is the link to the article: https://sslmate.com/blog/post/apples_new_ct_policy

1 answer

Your answer

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

@Somiya , As mentioned in this GoDaddy blog -To resolve this, rekey your certificate, download the new rekeyed certificate and install it.

On Azure Portal, 'rekey' App Service Certificate (ASC).
Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Steps:
On Azure Portal, navigate to your ASC, and select ‘Rekey and Sync’ (from the navigation blade) and then select 'Rekey'

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

As a side note, in case you’d performed rekeying your certificate, it will roll the certificate with a new certificate issued from the certificate authority.
While Rekeying your certificate will go through Pending Issuance state and once the certificate is ready you need to then make sure you perform ‘sync’ your resources using this certificate to prevent disruption to service. Kindly check this doc for more details.

rekey-certificate

Kindly let us know how it goes, I'll follow-up with you further.

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2021-10-12T09:52:35.047+00:00

@Somiya , Adding more info:

-On side note- Yes, App Service Certificates purchased from Azure are issued by GoDaddy. For some domains, you must explicitly allow GoDaddy as a certificate issuer by creating a CAA domain record with the value: 0 issue godaddy.com

-You can also manually install the certificate, please see this GoDaddy doc for the steps.

Manually install an SSL certificate on my Microsoft Azure Web App

-During the re-key process, you may have to verify your certificate request. You may get an email from us if this is necessary. (As mentioned on the GoDaddy doc above)
Somiya 246 Reputation points

2021-10-12T23:39:09.903+00:00

Hi @Anonymous I just want to confirm that will it cost money again to rekey ?? and also I have to follow these steps
On Azure Portal, navigate to your ASC, and select ‘Rekey and Sync’ (from the navigation blade) and then select 'Rekey'

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2021-10-13T18:33:31.493+00:00

@Somiya , yes, rekey would be a mitigation for this issue and it will not incur cost.

Yes, those steps are correct and the steps are also highlighted in the Azure doc rekey-certificate

(Apologies! I fixed this doc URL in my previous post, there was an extra dash -)

If you still have questions/or the issue persists,
When you say, "Even though my certificate expires in next year, but it shows the certificate is invalid. Is there a way I can reissue the certificate or resolve this issue"
Do you mean -Invalid being not compliant with macOS? Or you're unable to rekey the certificate? or just that you get "The connection is not private" warning while access the site on macOS?

Thanks for your co-operation!
Somiya 246 Reputation points

2021-10-14T00:02:53.39+00:00

Hi @Anonymous the certificate not being compliant with macOS I meant I am getting an error of "The connection is not private" warning while access the site on macOS"
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2021-10-14T19:16:13.537+00:00

@Somiya , Thanks for the confirmation.

To mitigate the issue, try and rekey, it should not incur any cost. Let us know how it goes. Thanks for the follow-up.

Share via

App Services Certificates issue with apple not compliant with Apple's Certificate Transparency policy

1 answer

Your answer