Conneciton to bakend with self signed cert not working.

Question

Conneciton to bakend with self signed cert not working.

Rodney De Beer 0

Hello.

We are running a Standard v2 tier APIM.

One of our backends uses a private CA to sign its cert. I have followed the Microsoft documentation here: https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal

The private CA thumb print has been captured against the backend and the backend referenced in the inbound policy for the API.

Yet when invoking the API I still get the error below:

{
	"messages": [
		"Error occured while calling backend service.",
		"The remote certificate was rejected by the provided remoteCertificateValidationCallback."
	]
}

Feels like I am missing a config step. Surely the cert itself needs to be imported somewhere?

Please help.

Cheers

Rodney De Beer 0 Reputation points

2026-02-13T04:53:53.1566667+00:00

"Upload the Root CA Certificate" - Please indicate how I can do this for a standard v2 tier APIM?

Thanks.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-13T11:07:57.46+00:00
Hi @Rodney De Beer ,

Thanks for reaching out to Microsoft Q&A.

The remote certificate was rejected by the provided remoteCertificateValidationCallback

The error message you're seeing indicates that the certificate presented by the backend is being rejected.

Here are a few things you can check and try to resolve the issue:

Disable Certificate Chain Validation: If you're using a self-signed certificate, you may need to disable certificate chain validation. This allows API Management to communicate with your backend without requiring a valid certificate chain. You can do this by using the PowerShell cmdlet as follows:

$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService' New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true

This sets the -SkipCertificateChainValidation parameter to True, which might help in your case.

Upload CA Certificates: If you’re operating with a custom CA certificate, it needs to be uploaded to the APIM instance. Here’s the documentation on how to add a custom CA certificate.

Check Certificate Upload: Make sure that the self-signed certificate (or any CA certificates) has been uploaded to the API Management service correctly, and that its thumbprint is noted and referenced in your API’s backend configuration. You can upload the certificate directly through the Azure portal under the Certificates section in your API Management service.

Configuration Validation: Ensure that the API's inbound policies are correctly referencing the certificate and that all policy steps are in place according to this guide.

Hope this helps!
Rodney De Beer 0 Reputation points

2026-02-13T12:29:06.5333333+00:00

Hello Pravallika.

Thank you so much for trying to help. We are running the v2 standard tier. Microsoft changed how CA certs are handled in this tier.

This link describes it: https://learn.microsoft.com/en-us/azure/api-management/v2-service-tiers-overview

So, I cannot use the way you described to upload the cert. I need to do it via the backend mechanism. this link: https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal

in fact, there is not even a link to "CA certificates" on the Security / Certificates section in our v2 tier apim.

I have also tried to disable the cert validation for the backend:

But in that document link i gave, Microsoft mentions this:

Nowhere does Microsoft tell you how to actually add the certificate to the backend. they only mention that you should add the thumb print: https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal#configure-ca-certificate.

Utterly frustrated at the moment.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-17T17:26:33.4766667+00:00

Hi @Rodney De Beer ,

Apologies for the delay in response.

Have you tried adding the certificate under Backend=>Authorization Credentials?
Rodney De Beer 0 Reputation points

2026-02-17T17:42:58.39+00:00

Hello again Pravallika!

I have yes. But you can only create the thumbprint in the backend setup.

I do not know where to upload the actual cert in a v2 standard tier APIM environement.. In other tiers it is done in the Security section:

We are suspecting that we need to store the cert in an Azure KeyVault, link our APIM to the vault and then the APIM will hopefully pick up the thumbprint in the Vault to get the correct cert chain.

I will let you know if that is the solution.

Cheers
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-17T17:49:16.4466667+00:00

Hi @Rodney De Beer ,

Could you please search for certificates in Search bar. I can see the option is visible under Security after searching directly. It wasn't visible before.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-18T08:38:02.9866667+00:00

Hi @Rodney De Beer , following up to see if you had a chance to try the above suggestion and if it was helpful. Please let me know if you have any questions.
Rodney De Beer 0 Reputation points

2026-02-18T09:44:48.2633333+00:00

Hi P. I can find the security link, but as you can see from your screen print even. There is no place to add a CA certificate.

Rodney
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-20T18:10:44.7833333+00:00

HI @Rodney De Beer ,

Thanks for reaching out to Microsoft Q&A.

Please search for certificates in Search bar. I can see the option is visible under Security after searching directly. It wasn't visible before.

I would recommend uploading CA certificate using Azure Key Vault under Security=>Certificates as below.

Hope this helps!
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-23T09:57:31.5433333+00:00

Hi @Rodney De Beer , following up to see if you had a chance to check the above suggestion and if it was helpful. Please let me know if you have any questions.
Rodney De Beer 0 Reputation points

2026-02-24T10:43:19.92+00:00

Hello. I am currently working with Microsoft on this. We have had our first call and the issues is now finding its way through the Microsoft support level stack. Will let you know on the outcome when its sorted.

Cheers
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-27T08:51:28.92+00:00

Hi @Rodney De Beer , do we have any update on this issue?

1 answer

Your answer

Rodney De Beer 0 Reputation points

2026-02-13T04:53:53.1566667+00:00

"Upload the Root CA Certificate" - Please indicate how I can do this for a standard v2 tier APIM?

Thanks.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-13T11:07:57.46+00:00

Hi @Rodney De Beer ,

Thanks for reaching out to Microsoft Q&A.

The remote certificate was rejected by the provided remoteCertificateValidationCallback

The error message you're seeing indicates that the certificate presented by the backend is being rejected.

Here are a few things you can check and try to resolve the issue:

Disable Certificate Chain Validation: If you're using a self-signed certificate, you may need to disable certificate chain validation. This allows API Management to communicate with your backend without requiring a valid certificate chain. You can do this by using the PowerShell cmdlet as follows:

$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService' New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true

This sets the -SkipCertificateChainValidation parameter to True, which might help in your case.

Upload CA Certificates: If you’re operating with a custom CA certificate, it needs to be uploaded to the APIM instance. Here’s the documentation on how to add a custom CA certificate.

Check Certificate Upload: Make sure that the self-signed certificate (or any CA certificates) has been uploaded to the API Management service correctly, and that its thumbprint is noted and referenced in your API’s backend configuration. You can upload the certificate directly through the Azure portal under the Certificates section in your API Management service.

Configuration Validation: Ensure that the API's inbound policies are correctly referencing the certificate and that all policy steps are in place according to this guide.

Hope this helps!
Rodney De Beer 0 Reputation points

2026-02-13T12:29:06.5333333+00:00

Hello Pravallika.

Thank you so much for trying to help. We are running the v2 standard tier. Microsoft changed how CA certs are handled in this tier.

This link describes it: https://learn.microsoft.com/en-us/azure/api-management/v2-service-tiers-overview

So, I cannot use the way you described to upload the cert. I need to do it via the backend mechanism. this link: https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal

in fact, there is not even a link to "CA certificates" on the Security / Certificates section in our v2 tier apim.

I have also tried to disable the cert validation for the backend:

But in that document link i gave, Microsoft mentions this:

Nowhere does Microsoft tell you how to actually add the certificate to the backend. they only mention that you should add the thumb print: https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal#configure-ca-certificate.

Utterly frustrated at the moment.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-17T17:26:33.4766667+00:00

Hi @Rodney De Beer ,

Apologies for the delay in response.

Have you tried adding the certificate under Backend=>Authorization Credentials?
Rodney De Beer 0 Reputation points

2026-02-17T17:42:58.39+00:00

Hello again Pravallika!

I have yes. But you can only create the thumbprint in the backend setup.

I do not know where to upload the actual cert in a v2 standard tier APIM environement.. In other tiers it is done in the Security section:

We are suspecting that we need to store the cert in an Azure KeyVault, link our APIM to the vault and then the APIM will hopefully pick up the thumbprint in the Vault to get the correct cert chain.

I will let you know if that is the solution.

Cheers
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-17T17:49:16.4466667+00:00

Hi @Rodney De Beer ,

Could you please search for certificates in Search bar. I can see the option is visible under Security after searching directly. It wasn't visible before.
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-18T08:38:02.9866667+00:00

Hi @Rodney De Beer , following up to see if you had a chance to try the above suggestion and if it was helpful. Please let me know if you have any questions.
Rodney De Beer 0 Reputation points

2026-02-18T09:44:48.2633333+00:00

Hi P. I can find the security link, but as you can see from your screen print even. There is no place to add a CA certificate.

Rodney
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-20T18:10:44.7833333+00:00

HI @Rodney De Beer ,

Thanks for reaching out to Microsoft Q&A.

Please search for certificates in Search bar. I can see the option is visible under Security after searching directly. It wasn't visible before.

I would recommend uploading CA certificate using Azure Key Vault under Security=>Certificates as below.

Hope this helps!
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-23T09:57:31.5433333+00:00

Hi @Rodney De Beer , following up to see if you had a chance to check the above suggestion and if it was helpful. Please let me know if you have any questions.
Rodney De Beer 0 Reputation points

2026-02-24T10:43:19.92+00:00

Hello. I am currently working with Microsoft on this. We have had our first call and the issues is now finding its way through the Microsoft support level stack. Will let you know on the outcome when its sorted.

Cheers
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-27T08:51:28.92+00:00

Hi @Rodney De Beer , do we have any update on this issue?

Answer 1

It seems like you are encountering issues with the connection to your backend service that uses a self-signed certificate signed by a private CA. Here are some steps you can take to troubleshoot and resolve the issue:

Upload the Root CA Certificate: Ensure that the root CA certificate of your private CA is uploaded to your Azure API Management instance. This is necessary for the API Management service to validate the backend service certificate. If you haven't done this yet, follow the guidance on how to add a custom CA certificate in Azure API Management.
Check Certificate Chain: Verify that the entire certificate chain is correctly configured. If your backend service certificate is issued by a private CA, you must upload the corresponding root CA certificate to the API Management instance.
Certificate Validation Settings: Make sure that the certificate validation settings are correctly configured in your API Management backend settings. If you are using a self-signed certificate, ensure that the certificate chain validation is enabled unless you have a specific reason to disable it.
Policy Configuration: Double-check the inbound policy for your API to ensure that it references the correct backend and that the client certificate is being sent properly.
Logs and Diagnostics: Utilize Azure's diagnostic tools to gather more information about the error. This can help identify if there are issues with the certificate validation process.

If you have followed these steps and are still encountering issues, consider reviewing the detailed error messages and logs for more context on the failure.

References:

Share via

Conneciton to bakend with self signed cert not working.

1 answer

Your answer