
Clarification on Potential Revocation Risk for App Service Managed Certificate

ALICORN Developer 0 Reputation points
2025-09-02T06:13:15.1033333+00:00

Hello Azure Support,

We have received a notification from Azure stating that one of our App Services requires action due to a “Potential revocation risk for your App Service Managed Certificate.”

However, after checking our environment, we ran the following command to list all certificates in our subscription:

Get-AzWebAppCertificate | Format-Table Thumbprint, FriendlyName, ExpirationDate, SubjectName, Issuer

Our findings show that all our certificates are issued by GeoTrust Global TLS RSA4096 SHA256 2022 CA1 and none are listed as App Service Managed Certificates. For example:

Thumbprint                                ExpirationDate         SubjectName      Issuer
422C269FDBB6D3CF803261A218951823CB56D4F1  2/23/2026 11:59:59 PM  abcd.alicorn.co  GeoTrust Global TLS RSA4096 SHA256 2022 CA1

...

Based on this, we believe we are not using any App Service Managed Certificates.

Could you please clarify:

  1. Why we received this notification?
  2. Is there any hidden or automatically provisioned certificate associated with our App Services that we might be missing?
  3. Do we need to take any action to avoid service disruption?

We want to ensure there is no risk to our applications due to certificate revocation.

Thank You,

Azeem Ahmad

Azure App Service


2 answers

  1. Anonymous
    2025-09-04T01:23:48.45+00:00

    Hello @ALICORN Developer ,

    Thank you for submitting your question on Microsoft Q&A.

    The notification from Azure was sent to all App Services customers concerning the upcoming changes regarding the App Service Managed Certificates (ASMCs), expected to take place on the 28th of July, 2025. Such changes arise from the new validation rules (Multi-Perspective Issuance Corroboration) on ASMCs, which are free and Azure-managed certificates provided by DigiCert for issuance. The notice does not mean that your applications will be directly affected by the change.

    Your Current Setup:

    After using the Get-AzWebAppCertificate command in your investigation, it was found that all of the certificates are custom certificates issued by GeoTrust Global TLS RSA4096 SHA256 2022 CA1, with the values below:

    • Thumbprint: 42XXXXXXXXXXXXXXXXXXx

    • Expiration Date: 02/23/2026

    • Subject Name: abcd.alicorn.co

    • Issuer: GeoTrust Global XXXXXXXXXXX

    Thus, App Services that use an ASMC are not to be affected by the revocation risk highlighted in the threat.

    Are There Hidden or Automatically Provisioned Certificates?

    These are the only certificates that exist in your App Services; none of them are ASMCs. The certificates listed under the TLS/SSL bindings (GeoTrust certificates) are the only ones being used. Verification can still be performed, because:

    • Azure might sometimes provision ASMCs under a custom domain added, but these would show in Azure portal under App Service > Custom domains or TLS/SSL settings as "Secured" without a custom certificate.

    • Default *.azurewebsites.net domains use Azure's wildcard certificates which are not ASMCs and, therefore, unaffected by this change.

    • In case you are using Azure Traffic Manager via *.trafficmanager.net domain, then it probably uses an ASMC, but your audit says that there is no such configuration.

    To be extra sure, you can:

    • Verify if there are any ASMC bindings in the Azure portal under Custom domains and TLS/SSL settings.

    • Use this PowerShell command to check the SSL bindings (the binding state and bound thumbprint live in each site's HostNameSslStates):

    Get-AzWebApp | Select-Object Name, HostNames, @{ Name = 'SslBindings'; Expression = { $_.HostNameSslStates | Where-Object { $_.SslState -ne 'Disabled' } | Select-Object Name, SslState, Thumbprint } }

    • Search for hidden "cert" resources in your resource group by enabling show hidden items in the Azure portal.

    No action is needed 

    Nothing needs to be done at the moment. Your App Services are on valid GeoTrust certificates that are correctly bound, and these changes should not affect them. To ensure that your apps keep functioning smoothly:

    • Monitor certificate expirations: Your GeoTrust certificates will expire on 2/23/2026. Replacing or renewing them sometime before then will avoid downtime. Expiration alerts can be set up through Azure Advisor.

    • Review DNS settings: Make sure you're using a CNAME record for your custom domain (e.g., abcd.alicorn.co) that points to <app-name>.azurewebsites.net. When using a third-party DNS provider (for example, Cloudflare), be sure that the CNAME isn't proxied.

    • Test HTTPS: Visit abcd.alicorn.co in a browser and confirm that the GeoTrust certificate is served and HTTPS behaves as expected.

    • Traffic Manager: Verify whether you are using Azure Traffic Manager, and if so, ensure it uses only "Azure Endpoints" and not *.trafficmanager.net domains, as these might rely on ASMCs.

    Conclusion

    Your applications are currently free of ASMC revocation risk, as you are using GeoTrust custom certificates. Thus, no action is immediately required. However, it is prudent to keep an eye on your certificates and keep the monitoring discussed above in place. If you need additional clarification or assistance, please let us know!

     Reference link

    App Service Managed Certificate (ASMC) Changes – July 28, 2025 - Azure App Service | Microsoft Learn

     

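The two checks discussed in this thread (the subscription-wide certificate inventory from the question, and the per-app binding check suggested in the answer above) can be done in one pass. The script below is an added example and is not code from the original thread or from Microsoft. It assumes the Az.Accounts, Az.Resources and Az.Websites modules are installed and that Connect-AzAccount / Set-AzContext has already selected the subscription; it assumes a free managed certificate can be recognised by the canonicalName property that a Microsoft.Web/certificates resource carries when it was requested as an ASMC; and $IssuerPattern is a placeholder regex to replace with the issuer named in the notification you received.

```powershell
# Added example, not code from the original thread. Inventories every
# Microsoft.Web/certificates resource in the current subscription, flags the
# ones that look like App Service Managed Certificates (ASMCs), and joins them
# to the TLS bindings each web app (and deployment slot) actually uses.
# Assumptions, none of which the thread states:
#   - Az.Accounts, Az.Resources and Az.Websites are installed and
#     Connect-AzAccount / Set-AzContext already selected the subscription.
#   - A free managed certificate is recognised by the ARM 'canonicalName'
#     property that Microsoft.Web/certificates carries for ASMC requests.
#   - $IssuerPattern is a placeholder regex; replace it with the issuer named
#     in the Azure notification.
param(
    [string]$IssuerPattern  = 'DigiCert',   # placeholder, see assumptions above
    [int]   $ExpiryWarnDays = 60
)

# 1. Certificate inventory, keyed by upper-case thumbprint.
$certIndex = @{}
foreach ($c in Get-AzResource -ResourceType 'Microsoft.Web/certificates' -ExpandProperties) {
    $p = $c.Properties
    if (-not $p.thumbprint) { continue }
    $certIndex[$p.thumbprint.ToUpperInvariant()] = [pscustomobject]@{
        CertName      = $c.Name
        ResourceGroup = $c.ResourceGroupName
        Subject       = $p.subjectName
        Issuer        = $p.issuer
        Expires       = [datetime]$p.expirationDate
        IsManaged     = -not [string]::IsNullOrEmpty($p.canonicalName)
        IssuerMatch   = [bool]($p.issuer -match $IssuerPattern)
    }
}

# 2. Every enabled TLS binding on every app and every deployment slot.
#    The default *.azurewebsites.net hostname normally shows SslState 'Disabled'
#    because it is served by the platform wildcard, so it is skipped here.
$bindings = foreach ($app in Get-AzWebApp) {
    $targets = @($app) + @(Get-AzWebAppSlot -ResourceGroupName $app.ResourceGroup -Name $app.Name)
    foreach ($site in $targets) {
        foreach ($state in $site.HostNameSslStates) {
            if ($state.SslState -eq 'Disabled' -or -not $state.Thumbprint) { continue }
            [pscustomobject]@{
                Site       = $site.Name
                Hostname   = $state.Name
                SslState   = $state.SslState
                Thumbprint = $state.Thumbprint
            }
        }
    }
}

# 3. Join each binding to the inventory and score it.
$now = Get-Date
$report = foreach ($b in $bindings) {
    $cert = $certIndex[$b.Thumbprint.ToUpperInvariant()]
    [pscustomobject]@{
        Site          = $b.Site
        Hostname      = $b.Hostname
        SslState      = $b.SslState
        Thumbprint    = $b.Thumbprint
        Issuer        = if ($cert) { $cert.Issuer } else { '<not found in subscription>' }
        Expires       = if ($cert) { $cert.Expires } else { $null }
        IsManagedCert = if ($cert) { $cert.IsManaged } else { $null }
        # At risk = a managed certificate whose issuer matches the notice.
        AtRisk        = [bool]($cert -and $cert.IsManaged -and $cert.IssuerMatch)
        ExpiringSoon  = [bool]($cert -and $cert.Expires -lt $now.AddDays($ExpiryWarnDays))
    }
}

$report | Sort-Object -Property AtRisk, ExpiringSoon, Site -Descending | Format-Table -AutoSize

# 4. Managed certificates that exist but are bound to no hostname (the
#    "hidden or automatically provisioned" case asked about in the question).
$boundThumbs = @($bindings | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
$unbound = $certIndex.GetEnumerator() |
    Where-Object { $_.Value.IsManaged -and ($_.Key -notin $boundThumbs) } |
    ForEach-Object { $_.Value }
if ($unbound) {
    'Managed certificates not bound to any hostname:'
    $unbound | Format-Table CertName, ResourceGroup, Subject, Issuer, Expires -AutoSize
}
```

Run it as `.\Find-AppServiceCerts.ps1 -IssuerPattern '<issuer from the notice>'` with at least Reader on the subscription. A row with IsManagedCert = True is the thing the notification is about; AtRisk narrows that to the issuer you care about, and ExpiringSoon covers the separate expiry monitoring the answer recommends. A binding whose thumbprint is reported as not found usually means the certificate was deleted or lives outside the subscription you are currently connected to, which is worth a look on its own.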

  2. TP 157.3K Reputation points Volunteer Moderator
    2025-09-02T07:08:00.1033333+00:00

    Hi Azeem,

    Of the sites you posted in your screenshot that are functional, most are using App Service Managed Certificates; however, they are not issued by the DigiCert Global CA G2 intermediate certificate that is scheduled to be revoked in 2026.

    You can see for yourself that they are using an App Service Managed Certificate by browsing to the web app: on the left, click Settings -- Certificates, notice whether a managed certificate is shown and make note of its Certificate Name, then click on Custom domains and check whether the "Certificate used" column has a matching name.

    There were two (the apex and www) on the list that are not currently hosted on Azure, at least the first reachable layer isn't.

    From the information provided, it appears you are not at risk of having certificates revoked for those sites using App Service Managed Certificates.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


