Unable to create managed certificate for app service

Question

Unable to create managed certificate for app service

Grant Jaquest 20

We've had an app service that has been running for a few years with a managed certificate. These always auto renewed. However, this morning there was an issue with the certificate for a deployment slot expiring. For whatever reason, it didn't auto renew.

The Azure portal advised to delete and re-add the certificate and bindings. I successfully managed to delete the certificate. However, when I try to add a new managed certificate, the operation never completes.

I've tried deleting the custom domain and setting it back up again. All validation checks pass. However, I still get the same issue of the certificate and binding operations never completing.

I've checked all the DNS settings, everything seems correct to me. CNAME and TXT records for the subdomain are there.

Without any error message, I'm at a slight loss of what to try next. I need to resolve this asap.

Thanks.

Praneeth Maddali 5,730 Reputation points Microsoft External Staff Moderator

2026-02-18T13:22:24.58+00:00

HI @Grant Jaquest

App Service managed certificate creation and SNI binding are asynchronous backend operations. If a previous certificate or binding is still being finalized (even after deletion), new certificate requests can remain in Accepted / Running / Failed state for some time. Once the background operation fully clears, the binding completes automatically.

You can review certificate state using:

Azure Portal > App Service Certificates > Check Status & Expiration

Microsoft documents this behavior under certificate provisioning, issuance, and renewal flows.

Before we proceed further, could you please confirm whether the domain is behind any proxy/WAF (e.g., Cloudflare) or IP restrictions?

reference :

https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-azure-app-service-certificates

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Grant Jaquest 20 Reputation points

2026-02-18T14:18:06.9333333+00:00

Hi @Praneeth Maddali

Thanks for you reply.

When I run the az webconfig ssl list for my resource group, the certificate for the deployment slot is not showing.

Neither the root domain or subdomain are behind a proxy or WAF.

The operation to add the certificate has been running for over an hour now. No error messages.
Grant Jaquest 20 Reputation points

2026-02-18T14:28:05.41+00:00

If I try to add the certificate again, I get the following error:

"Error adding managed certificate: Cannot modify this certificate because another operation is in progress"

However, I can't see the progress of the in progress operation.

Kuznos Christos 20

Hi @Grant Jaquest ,

Please try the following steps.

Run this to see if the certificate exists and is stuck.

# Check within your resource group
Get-AzResource -ResourceGroupName "<your-rg>" -ResourceType "Microsoft.Web/certificates"

# Check across the whole subscription
Get-AzResource -ResourceType "Microsoft.Web/certificates"

Force delete a stuck certificate

Remove-AzResource -ResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Web/certificates/<cert-name>" -Force -Verbose

Check activity log for stuck operations

Get-AzActivityLog -ResourceGroupName "<your-rg>" -StartTime (Get-Date).AddDays(-1) | 
    Where-Object { $_.Status.Value -eq "Running" -or $_.Status.Value -eq "Accepted" } | 
    Select-Object EventTimestamp, OperationName, Status, ResourceId

Remove and re-add the hostname binding on the slot

# Remove the hostname binding from the slot
Remove-AzWebAppCustomDomain -ResourceGroupName "<rg>" -WebAppName "<app-name>" -Name "<your-hostname>" -Slot "<slot-name>"

# Wait a few minutes, then re-add it
Set-AzWebApp -ResourceGroupName "<rg>" -Name "<app-name>" -Slot "<slot-name>" -HostNames @("<your-hostname>")

Then attempt to create the managed certificate again

New-AzWebAppSSLBinding -ResourceGroupName "<rg>" -WebAppName "<app-name>" -Slot "<slot-name>" -Name "<your-hostname>" -SslState SniEnabled

If they did the trick mark it as accepted so more with the same issue be benefited
King regards,
Christos

Answer accepted by question author

1 additional answer

Your answer

Praneeth Maddali 5,730 Reputation points Microsoft External Staff Moderator

2026-02-18T13:22:24.58+00:00

HI @Grant Jaquest

App Service managed certificate creation and SNI binding are asynchronous backend operations. If a previous certificate or binding is still being finalized (even after deletion), new certificate requests can remain in Accepted / Running / Failed state for some time. Once the background operation fully clears, the binding completes automatically.

You can review certificate state using:

Azure Portal > App Service Certificates > Check Status & Expiration

Microsoft documents this behavior under certificate provisioning, issuance, and renewal flows.

Before we proceed further, could you please confirm whether the domain is behind any proxy/WAF (e.g., Cloudflare) or IP restrictions?

reference :

https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-azure-app-service-certificates

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Grant Jaquest 20 Reputation points

2026-02-18T14:18:06.9333333+00:00

Hi @Praneeth Maddali

Thanks for you reply.

When I run the az webconfig ssl list for my resource group, the certificate for the deployment slot is not showing.

Neither the root domain or subdomain are behind a proxy or WAF.

The operation to add the certificate has been running for over an hour now. No error messages.
Grant Jaquest 20 Reputation points

2026-02-18T14:28:05.41+00:00

If I try to add the certificate again, I get the following error:

"Error adding managed certificate: Cannot modify this certificate because another operation is in progress"

However, I can't see the progress of the in progress operation.
Kuznos Christos 20 Reputation points

2026-02-18T14:53:52.9+00:00

Hi @Grant Jaquest ,

Please try the following steps.

Run this to see if the certificate exists and is stuck.

# Check within your resource group Get-AzResource -ResourceGroupName "<your-rg>" -ResourceType "Microsoft.Web/certificates" # Check across the whole subscription Get-AzResource -ResourceType "Microsoft.Web/certificates"

Force delete a stuck certificate

Remove-AzResource -ResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Web/certificates/<cert-name>" -Force -Verbose

Check activity log for stuck operations

Get-AzActivityLog -ResourceGroupName "<your-rg>" -StartTime (Get-Date).AddDays(-1) | Where-Object { $_.Status.Value -eq "Running" -or $_.Status.Value -eq "Accepted" } | Select-Object EventTimestamp, OperationName, Status, ResourceId

Remove and re-add the hostname binding on the slot

# Remove the hostname binding from the slot Remove-AzWebAppCustomDomain -ResourceGroupName "<rg>" -WebAppName "<app-name>" -Name "<your-hostname>" -Slot "<slot-name>" # Wait a few minutes, then re-add it Set-AzWebApp -ResourceGroupName "<rg>" -Name "<app-name>" -Slot "<slot-name>" -HostNames @("<your-hostname>")

Then attempt to create the managed certificate again

New-AzWebAppSSLBinding -ResourceGroupName "<rg>" -WebAppName "<app-name>" -Slot "<slot-name>" -Name "<your-hostname>" -SslState SniEnabled

If they did the trick mark it as accepted so more with the same issue be benefited
King regards,
Christos

Answer 1

HI @Grant Jaquest

Thanks for the details from deep investigation we found the root cause of the issue. Your domain aXX.XXXX.cX.XX is inheriting a CAA record that only authorizes Let’s Encrypt, while Azure Managed Certificates are issued by DigiCert. Because DigiCert isn’t authorized in your DNS, the certificate creation and renewal process is being blocked.

Although i have seen that some import attempts succeeded, the full issuance and binding workflow cannot complete until DigiCert is allowed to validate the domain.

To resolve this, please update your DNS CAA records to include:

0 issue "digicert.com"

Once DigiCert is authorized, Azure will be able to issue and bind the new managed certificate successfully. Let me know once the CAA record is updated, and I can help verify the status again

Reference :

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli

https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal

https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-azure-app-service-certificates

Please click "Accept the answer” and Yes, this can be beneficial to other community members.

If you have any other questions, let me know in the "comments" and I would be happy to help you

Grant Jaquest 20 Reputation points

2026-02-18T16:25:43.4166667+00:00

Thanks for all the help.
Praneeth Maddali 5,730 Reputation points Microsoft External Staff Moderator

2026-02-18T16:32:18.92+00:00

Hi @Grant Jaquest I’m glad to hear your positive response and appreciate you sharing the update.

Just checking in to see if the earlier answer helped resolve your query. If it did, please click “Accept the answer” and consider upvoting it—this can be helpful for other community members who might face a similar issue.

If you have any further questions or need additional assistance, please feel free to let us know. We’re here to help!

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Unable to create managed certificate for app service

1 additional answer

Your answer