Share via

NPE CA Not Exist on Azure App Service

Albert Cao 0 Reputation points Microsoft Employee
2025-01-07T08:05:19.5266667+00:00

We are from M365 of Microsoft and we are under the security force to change our certificates' Issuer to Issuer from non-production environment (NPE) instead of AMEROOT. However, we found that ameroot CA are automatically installed on the azure app service machine and NPE root ca does not exist. As a result, all our certificates are invalid due to lack of root CA and intermediate CA.

Existing root ca on the machine:

PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root

Thumbprint Subject

FC3FB3BACE607B5C019C3A3E439AD16088AD78BE CN=ameroot, DC=AME, DC=GBL

DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 CN=DigiCert Global Root G2, OU=www...

D4DE20D05E66FC53FE1A50882C78DB2852CAE474 CN=Baltimore CyberTrust Root, OU=C...

D17697CC206ED26E1A51F5BB96E9356D6D610B74 CN=Microsoft Internal Corporate Root

CDD4EEAE6000AC7F40C3802C171E30148030C072 CN=Microsoft Root Certificate Auth...

CABD2A79A1076A31F21D253635CB039D4329A5E8 CN=ISRG Root X1, O=Internet Securi...

CAB20A7F63F00F2BAE762025DFE36DB3A03A9CB9 CN=SAS-CP1SASCA01-CA, DC=SAS, DC=M...

BE36A4562FB2EE05DBB3D32323ADF445084ED656 CN=Thawte Timestamping CA, OU=Thaw...

AD34FF084A8E0ACB42D83365A3F2EB686BC191C4 CN=Microsoft Assurance Designation...

A8377BE68887C23CAFBFAE87544546BB17C612E4 CN=Microsoft RSA Services Root CA ...

A43489159A520F0D93D032CCAF37E7FE20A8B419 CN=Microsoft Root Authority, OU=Mi...

9DFA93169618BF166E6483A219E6ADB31BFF8511 CN=SAW HRE CA, OU=SAW, O=SAS

999A64C37FF47D9FAB95F14769891460EEC4C3C5 CN=Microsoft ECC Root Certificate ...

92B46C76E13054E104F230517E6E504D43AB10B5 CN=Symantec Enterprise Mobile Root...

8F43288AD272F3103B6FB1428485EA3014C0BCFE CN=Microsoft Root Certificate Auth...

8CF427FD790C3AD166068DE81E57EFBB932272D4 CN=Entrust Root Certification Auth...

7F88CD7223F3C813818C994614A89C99FA3B5247 CN=Microsoft Authenticode(tm) Root...

7E04DE896A3E666D00E687D33FFAD93BE83D349E CN=DigiCert Global Root G3, OU=www...

73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 CN=Microsoft RSA Root Certificate ...

6F6ED21B8F9C3B27DD6D34221F53E177C81DDAC1 CN=Microsoft Services Partner Root...

413E8AAC6049924B178BA636CBAF3963CCB963CD CN=ameroot, DC=AME, DC=GBL

3B1EFD3A66EA28B16697394703A72CA340A05BD5 CN=Microsoft Root Certificate Auth...

31F9FC8BA3805986B721EA7295C65B3A44534274 CN=Microsoft ECC TS Root Certifica...

2BD63D28D7BCD0E251195AEB519243C13142EBC3 CN=Microsoft Test Root Authority, ...

245C97DF7514E7CF2DF8BE72AE957B9E04741E85 OU=Copyright (c) 1997 Microsoft Co...

18F7C1FCC3090203FD5BAA2F861A754976C8DD25 OU="NO LIABILITY ACCEPTED, (c)97 V...

06F1AA330B927B753A40E68CDF22E34BCBEF3352 CN=Microsoft ECC Product Root Cert...

0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 CN=Microsoft Time Stamp Root Certi...

E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 CN=UTN-USERFirst-Object, OU=http:/...

B1BC968BD4F49D622AA89A81F2150152A41D829C CN=GlobalSign Root CA, OU=Root CA,...

A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 CN=DigiCert Global Root CA, OU=www...

743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A CN=SSL.com EV Root Certification A...

742C3192E607E424EB4549542BE1BBC53E6174E2 OU=Class 3 Public Primary Certific...

3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F CN=StartCom Certification Authorit...

0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 CN=DigiCert Assured ID Root CA, OU...

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,965 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Zafer KAYA 90 Reputation points MVP
    2025-01-07T11:23:41.5633333+00:00

    From your description, the core problem is:

    1. You need to switch certificates from AMEROOT to NPE (non-production environment) issuer
    2. NPE root CA and intermediate CA are missing on Azure App Service machines
    3. This is causing certificate validation failures

    Here's a few potential approaches to resolve this:

    1. Install Custom Certificates on Azure App Service:From your description, the core problem is:
      1. You need to switch certificates from AMEROOT to NPE (non-production environment) issuer
      2. NPE root CA and intermediate CA are missing on Azure App Service machines
      3. This is causing certificate validation failures
      Here's a few potential approaches to resolve this:
      1. Install Custom Certificates on Azure App Service:

    You can install custom certificates using the Azure Portal or Azure CLI

    az webapp config ssl create --resource-group <group-name> --name <app-name> --certificate-file <cert-file> --certificate-password <password>

    Use Application Settings to Trust Custom Certificates:

    <!-- In web.config -->

    <configuration>

    <system.net>

    <settings>

  <servicePointManager checkCertificateRevocationList="true" />

</settings>

    </system.net>

    </configuration>

    Custom Script Extension: You could create a startup script that installs the required certificates:

    Install certificates during app startup

    $certPath = "path_to_your_cert.cer"

    Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.