![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 35%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 23%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Hi @ Mahto, Ashok (-a)
Welcome to Microsoft Q&A Platform.
When configuring end-to-end TLS (HTTPS from client to Application Gateway and HTTPS from Application Gateway to backend), Azure Application Gateway requires separate certificates for the frontend and backend.
Application Gateway (Frontend) Certificate:
- Must be provided in PFX format
- Must include the private key
If the PFX is missing the private key or is invalid, frontend HTTPS listeners will fail.
Backend Server Certificate:
- Application Gateway does not automatically trust backend certificates
- The backend certificate private key remains on the backend server
- Application Gateway requires the public certificate of the issuing CA (Root or Intermediate)
Make sure to follow the below steps to configure the certificate.
- Export the Root CA or Intermediate CA that issued the backend server certificate
- Upload it to Application Gateway as a Trusted Root Certificate
- Do not upload a PFX or leaf certificate
This ensures Application Gateway only communicates with explicitly trusted backend servers.
For Application Gateway ENMAXEDMSB001P in resource group RG-ENMAX-EDM-UW1-001-P, please validate the following:
- Verify the backend health status under Application Gateway → Backend Health
- Ensure the backend certificate chain (Root/Intermediate CA) is uploaded as Trusted Root Certificate (public .cer format, not PFX)
- Confirm the backend certificate Common Name or SAN matches the backend pool FQDN Validate certificate expiry
- If using Key Vault, confirm Managed Identity access to the certificate.
Follow the Create certificates to allow the backend with Azure Application Gateway and Configure end to end TLS by using Application Gateway with PowerShell for more details.
If still facing an error, please share the error screenshot and other relevant details via private message for further troubleshooting.
Please
and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.