An Azure service that provides a hybrid, multi-cloud management platform for APIs.
Thank you for reaching out to Microsoft Q&A.
During the period from August 15, 2025 to March 15, 2026, Microsoft has temporarily suspended the creation of new Azure‑managed certificates for custom domains in Azure API Management due to an industry‑wide transition by the Certificate Authority (DigiCert) away from legacy CNAME‑based domain validation. However, this suspension does not block automatic renewal of existing managed certificates that were created before August 15, 2025. In many cases, customers observe that the certificate appears expired or very close to expiry in the Azure portal. This behavior is expected because Azure does not renew managed certificates on a fixed schedule (for example, 30 days before expiry). The renewal often occurs very close to the actual expiration date. If renewal does not happen, the most common cause is missing inbound network access required by DigiCert for domain validation during the renewal process.
Refer to the points below to resolve this issue or apply a workaround:
Ensure inbound access on port 80 is allowed
For Azure API Management to renew an existing managed certificate, inbound HTTP traffic on port 80 must be allowed so DigiCert can perform domain validation. If port 80 is blocked (for example, only HTTPS 443 is allowed), certificate renewal will fail. Check NSG, firewall, or gateway rules to confirm this access is permitted.
Do not delete or recreate the custom domain configuration
If the custom domain or its managed certificate is deleted and re‑added during the suspension window, Azure will treat it as a new certificate request, which will be blocked until March 15, 2026. Ensure the existing configuration remains unchanged so auto‑renewal stays supported.
Use a customer‑managed certificate as a temporary workaround if required
If renewal fails and service continuity is critical, you can configure the custom domain with a customer‑managed certificate (for example, from Azure Key Vault or a PFX file) during the suspension period. After March 15, 2026, you can switch back to an Azure‑managed certificate if desired.
and click on "Yes" for "Was this answer helpful". And if you have any further queries, do let us know.
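One way to run the port 80 check from the answer above against an NSG, as an added example that is not part of the original answer or Microsoft's own tooling. It assumes the rules are in the flattened shape that `az network nsg show --query securityRules` returns, that validation traffic arrives from public internet addresses, and it only considers rules whose source is `*`, `Internet` or `0.0.0.0/0`; the function names and sample rules are constructed for illustration.

```python
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}

def _values(rule, single, plural):
    """Merge the singular and plural forms NSG rules use for ports and prefixes."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(rule, port):
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if rng == "*":
            return True
        lo, _, hi = rng.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _from_internet(rule):
    srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in ANY_SOURCE for s in srcs)

def inbound_http_verdict(rules, port=80):
    """Return (access, rule name) of the rule that decides inbound TCP/<port> from the internet."""
    matches = [r for r in rules
               if r["direction"].lower() == "inbound"
               and r["protocol"].lower() in ("tcp", "*")
               and _covers_port(r, port) and _from_internet(r)]
    # NSG rules are evaluated in priority order; the lowest number that matches wins.
    for rule in sorted(matches, key=lambda r: r["priority"]):
        return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound (default)"  # platform default rule at priority 65500

# Constructed sample rules (not from a real deployment).
HTTPS_ONLY = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "deny-rest", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
WITH_HTTP = HTTPS_ONLY + [
    {"name": "allow-http-validation", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80"]},
]

if __name__ == "__main__":
    for label, rules in (("https-only", HTTPS_ONLY), ("with-http", WITH_HTTP)):
        print(label, inbound_http_verdict(rules))
```

A `Deny` verdict here only covers the NSG; firewalls or gateways in front of the service need the same check separately.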