Hi @Enyu Wang,
Thank you for reaching out on the Microsoft Q&A forum.
As mentioned by the user, the root cause was identified as a limitation in Azure Front Door Control Plane (AFD CP). For keyless customers whose profiles were migrated from 1P to 3P AFD, only 100 custom domains can reference the same SHA-1 certificate thumbprint.
Once this limit is reached, BYOC updates fail for additional domains, which explains the error encountered.
Resolution / Workaround: As suggested by the user, the fix is to create a duplicate copy of the certificate/secret in Key Vault and use the duplicated secret for the new domains. The user is coordinating with the security team to implement this.
This workaround successfully bypasses the thumbprint reference limitation.