Will Bindings update upon certificate expiry?

ozbobwa 21 Reputation points
2021-08-16T03:41:51.747+00:00

When an App Service SSL certificate expires, and another Healthy certificate is already installed, why don't the Bindings automatically update to the new certificate for each Host name?

Query raised to Docs team to include guidance: https://github.com/MicrosoftDocs/azure-docs/issues/79733

on the Documentation https://learn.microsoft.com/en-gb/azure/app-service/configure-ssl-bindings


2 answers

  1. ozbobwa 21 Reputation points
    2021-08-18T07:04:07.58+00:00

    Bindings will not automatically update for any hosts when the certificate has been manually loaded into an App Service's Private PFX Certificates.

    Azure Key Vault and App Service Certificates support wildcard domains now, so that is an option for next certificate renewal.

    1 person found this answer helpful.

  2. SnehaAgrawal-MSFT 18,786 Reputation points
    2021-08-16T11:03:16.847+00:00

    Thanks for asking the question! If I have understood right, you have purchased a certificate from Azure Services and have imported the certificate to your Azure Key Vault via certificate configuration.

    To turn on automatic renewal of your certificate, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation.


    Select On and click Save.
    Certificates can start automatically renewing 60 days before expiration if you have the automatic renewal turned on.
    Renew App Service certificate automatically. Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

    Additional information: As mentioned in this blog

    Q. My SSL certificate is not being auto-renewed?

    Ans: All App Service certificates issued prior to March 31st 2017 will receive an email to re-verify their domain at the time of renewal even if the auto-renewal is enabled for your certificate. This is a result of a change in GoDaddy policy. Please check your email and complete this one-time domain verification to continue to auto-renew the SSL certificate. Also, note that GoDaddy does require you to verify your domain once every three years and you will receive an email once every three years to verify your domain.

    Hope this helps. Let us know if any further query or issue remains.
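Because bindings to a manually uploaded PFX certificate stay on the old thumbprint (first answer above), a periodic check for stale bindings is useful. The following is an added example, not part of either answer and not Microsoft's code: it assumes input shaped like the JSON from `az webapp show --query hostNameSslStates` and `az webapp config ssl list`, and all host names, thumbprints and dates in it are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like the JSON returned by
# `az webapp show --query hostNameSslStates` and `az webapp config ssl list`.
OLD, NEW, ORG = "A1" * 20, "B2" * 20, "C3" * 20  # placeholder thumbprints
BINDINGS = [
    {"name": "www.example.com", "sslState": "SniEnabled", "thumbprint": OLD},
    {"name": "api.example.com", "sslState": "SniEnabled", "thumbprint": OLD},
    {"name": "shop.example.org", "sslState": "SniEnabled", "thumbprint": ORG},
    {"name": "demo.azurewebsites.net", "sslState": "Disabled", "thumbprint": None},
]
CERTS = [
    {"thumbprint": OLD, "hostNames": ["*.example.com"], "expirationDate": "2021-08-15T00:00:00+00:00"},
    {"thumbprint": NEW, "hostNames": ["*.example.com"], "expirationDate": "2022-08-10T00:00:00+00:00"},
    {"thumbprint": ORG, "hostNames": ["shop.example.org"], "expirationDate": "2021-09-01T00:00:00+00:00"},
]

def expiry(cert):
    return datetime.fromisoformat(cert["expirationDate"].replace("Z", "+00:00"))

def covers(pattern, host):
    """True if a certificate host name (exact or single-label wildcard) covers host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        _, dot, parent = host.partition(".")
        return dot == "." and parent == pattern[2:]
    return pattern == host

def stale_bindings(bindings, certs, now, warn_days=30):
    """Report TLS bindings whose certificate is expired, expiring soon or missing."""
    by_thumb = {c["thumbprint"].upper(): c for c in certs}
    cutoff = now + timedelta(days=warn_days)
    findings = []
    for b in bindings:
        if b.get("sslState") == "Disabled" or not b.get("thumbprint"):
            continue  # no TLS binding on this host name
        bound = by_thumb.get(b["thumbprint"].upper())
        if bound and expiry(bound) > cutoff:
            continue  # binding is healthy
        healthy = [c for c in certs if expiry(c) > cutoff
                   and any(covers(h, b["name"]) for h in c["hostNames"])]
        best = max(healthy, key=expiry, default=None)
        findings.append({"host": b["name"], "rebind_to": best["thumbprint"] if best else None,
                         "days_left": (expiry(bound) - now).days if bound else None})
    return findings

if __name__ == "__main__":
    for f in stale_bindings(BINDINGS, CERTS, datetime(2021, 8, 16, tzinfo=timezone.utc)):
        print(f)
```

A finding with `rebind_to` set means a healthy certificate is already installed and only the binding needs updating; `None` means a new certificate has to be obtained first.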