Does Azure Front Door produce a new validation token prior to apex domain certificate expiry?

Question

Does Azure Front Door produce a new validation token prior to apex domain certificate expiry?

Elliot Stansfield 21

Does Azure generate a new validation token in advance of the certificate expiry for an apex domain and this new token (not the old one) can be retrieved from the ValidationPropertyValidationToken property of the Get-AzFrontDoorCdnCustomDomain powershell command?

I understand that for Apex domains its necessary to manually update the _dnsauth validation token within the domain registrar before a new certificate can be issued, as such we are looking at creating an automated script which fetches the new token from the aforementioned command and updates the DNS record in Azure DNS.

For this script to work, it assumes Azure generates a new token in advance of the expiry. Is this true? If so how far in advance?

Elliot Stansfield 21 Reputation points

2025-03-28T15:51:59.4133333+00:00

Hi @Praveen Bandaru thank you for your reply.

I'm trying to understand whether Azure automatically generates a new validation token before expiry or if it is necessary to manually regenerate it, from your reply I didn't get a clear understanding as to which it is.

If it does generate it automatically, how far in advance of the cert expiry does it do so?

If you could clarify this point it would be appreciated.

Thanks, Elliot
Praveen Bandaru 2,415 Reputation points Microsoft External Staff

2025-03-28T16:15:31.9066667+00:00
Hello Elliot Stansfield

For the Apex domain, you need to manually click the Regenerate button to regenerate the TXT token. After that, add the TXT token to the DNS provider settings at that time only domain validation will complete.

For Apex domains, it is not possible to add a CNAME record, which is why the certificate will not renew automatically.

For Apex domains, Azure managed certificates are not automatically rotated.

See: managed TLS certificates

Also see: AFD-managed TLS certificate rotation - How to rotate/renew

This is nothing but regenerating the TXT value and adding it to the DNS Zone

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Elliot Stansfield 21 Reputation points

2025-03-31T15:10:45.12+00:00

Hi @Praveen Bandaru , thanks, how far in advance of the certificate expiry will the option to regenerate the TXT token appear within Azure Front Door? We are 45 days out from expiry on one of our apex domains and the option is not yet present.
Praveen Bandaru 2,415 Reputation points Microsoft External Staff

2025-03-31T19:07:24.39+00:00

Hello Elliot Stansfield

If possible, could you share a screenshot of you renew apex domains and the validation part.

To understand better about your issue lets connect offline, please see private message for more details.
David Fournier 0 Reputation points

2025-04-17T19:00:36.7633333+00:00

I also have an apex domain for which the certificate is now within 45 days of expiry and I am not seeing any option to revalidate. Were you able to renew the certificate?

Accepted answer

0 additional answers

Your answer

Elliot Stansfield 21 Reputation points

2025-03-28T15:51:59.4133333+00:00

Hi @Praveen Bandaru thank you for your reply.

I'm trying to understand whether Azure automatically generates a new validation token before expiry or if it is necessary to manually regenerate it, from your reply I didn't get a clear understanding as to which it is.

If it does generate it automatically, how far in advance of the cert expiry does it do so?

If you could clarify this point it would be appreciated.

Thanks, Elliot
Praveen Bandaru 2,415 Reputation points Microsoft External Staff

2025-03-28T16:15:31.9066667+00:00

Hello Elliot Stansfield

For the Apex domain, you need to manually click the Regenerate button to regenerate the TXT token. After that, add the TXT token to the DNS provider settings at that time only domain validation will complete.

For Apex domains, it is not possible to add a CNAME record, which is why the certificate will not renew automatically.

For Apex domains, Azure managed certificates are not automatically rotated.

See: managed TLS certificates

Also see: AFD-managed TLS certificate rotation - How to rotate/renew

This is nothing but regenerating the TXT value and adding it to the DNS Zone

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Elliot Stansfield 21 Reputation points

2025-03-31T15:10:45.12+00:00

Hi @Praveen Bandaru , thanks, how far in advance of the certificate expiry will the option to regenerate the TXT token appear within Azure Front Door? We are 45 days out from expiry on one of our apex domains and the option is not yet present.
Praveen Bandaru 2,415 Reputation points Microsoft External Staff

2025-03-31T19:07:24.39+00:00

Hello Elliot Stansfield

If possible, could you share a screenshot of you renew apex domains and the validation part.

To understand better about your issue lets connect offline, please see private message for more details.
David Fournier 0 Reputation points

2025-04-17T19:00:36.7633333+00:00

I also have an apex domain for which the certificate is now within 45 days of expiry and I am not seeing any option to revalidate. Were you able to renew the certificate?

Answer 1

Hello Elliot Stansfield

Azure Front Door generates a new validation token for custom domains, including apex domains, when the current certificate is about to expire.

To validate a domain, you need to create a DNS TXT record. The name of the TXT record should be in the format _dnsauth.{subdomain}. Azure Front Door will provide a unique value for your TXT record when you begin adding the domain to Azure Front Door.
When using an Azure Front Door-managed certificate, Azure Front Door automatically attempts to renew the certificate. Before renewing, Azure Front Door verifies if the DNS CNAME record still points to the Azure Front Door endpoint.
However, for Apex domains, if there is no CNAME record pointing to an Azure Front Door endpoint, the autorotation for managed certificates will fail until domain ownership is revalidated.
Select the Pending revalidation link and then select the Regenerate button to regenerate the TXT token. After that, add the TXT token to the DNS provider settings.

Check the below documents for more understanding:

Apex domains in Azure Front Door

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-onboard-apex-domain?pivots=front-door-standard-premium

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Does Azure Front Door produce a new validation token prior to apex domain certificate expiry?

0 additional answers

Your answer