Thank you for reaching out to Microsoft Q&A.
When creating an App Service Managed Certificate for an Azure Function App, the certificate issuance process depends on successful domain validation by the Certificate Authority (DigiCert). Although the Azure portal mentions that the process may take up to 10 minutes, scenarios where the Activity Log repeatedly shows “Get Certificates” without any failure usually indicate that the backend certificate workflow is stuck. In this state, Azure keeps retrying the certificate retrieval operation, but the certificate will not be issued unless the underlying validation completes successfully. This can occur due to DNS propagation issues, missing or restrictive CAA records, or App Service infrastructure-related problems. Unfortunately, the portal may not surface any explicit error, which makes it appear as if the process is still running, even though it will not complete without corrective action.
Refer to the points below to resolve this issue or as a workaround:
Verify DigiCert Domain Validation Token
After initiating the managed certificate creation, Azure attempts to expose a temporary validation file required by DigiCert. You can manually verify this by browsing to:
https://<your-custom-domain>/.well-known/pki-validation/fileauth.txt
If the token never appears after several minutes, it indicates that domain validation is not progressing and the certificate request is unlikely to complete successfully. In such cases, waiting longer will not help.
Check DNS Configuration and CAA Records
Ensure that all required DNS records are correctly configured and publicly resolvable:
- The custom domain must correctly resolve to <appname>.azurewebsites.net.
- The TXT record asuid.<hostname> must exist with the correct value for domain ownership validation.
- If your domain uses CAA records, you must explicitly allow DigiCert to issue certificates by adding the following record:
CAA 0 issue "digicert.com"
Missing or restrictive CAA records are a common reason for managed certificate creation getting stuck.
Restart or “Kick” the App Service Infrastructure
In some cases, the issue is related to the underlying App Service infrastructure rather than configuration. A practical workaround is to:
- Scale the App Service Plan up or down (for example, from B1 to B2 and back), or
- Move the Function App to a new App Service Plan and reconfigure the custom domain and managed certificate.
This forces Azure to reprovision the backend resources and often allows the certificate process to complete successfully.
Apply a Temporary Certificate to Restore Service
If the application is already down and immediate recovery is required, consider uploading and binding a temporary SSL certificate (for example, a privately issued or Let’s Encrypt certificate). This restores HTTPS access for clients while you continue troubleshooting or retry managed certificate creation later.
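The three DNS checks listed in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it evaluates a set of records you have already collected (for instance from dig output) and reports which check would block issuance. Assumptions: the custom domain is a subdomain mapped by CNAME, the CAA record set is located by climbing from the hostname toward the root as RFC 8659 describes, and every name and value in SAMPLE_ZONE is a constructed placeholder.

```python
# Added example: offline preflight of the DNS records the answer lists.
# SAMPLE_ZONE is constructed data, not real records; all names are placeholders.
SAMPLE_ZONE = {
    "api.contoso.example": {"CNAME": ["myfunc.azurewebsites.net."]},
    "asuid.api.contoso.example": {"TXT": ["PLACEHOLDER-VERIFICATION-ID"]},
    "contoso.example": {"CAA": ['0 issue "letsencrypt.org"']},
}

def relevant_caa(zone, fqdn):
    """Return (owner, rrset) of the first CAA RRset found climbing toward the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner, {}).get("CAA")
        if rrset:
            return owner, rrset
    return None, []

def ca_may_issue(zone, fqdn, ca="digicert.com"):
    """Return (allowed, owner) for a non-wildcard certificate request."""
    owner, rrset = relevant_caa(zone, fqdn)
    issuers = []
    for rr in rrset:
        _flags, tag, value = rr.split(None, 2)
        if tag.lower() == "issue":
            # Drop the quotes and any ';'-separated parameters after the CA domain.
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    if not issuers:
        return True, owner  # no "issue" property, so issuance is not restricted
    return ca in issuers, owner

def preflight(zone, hostname, app_host, verification_id):
    """Return a list of findings; an empty list means all three checks passed."""
    hostname, findings = hostname.rstrip(".").lower(), []
    cname = [c.rstrip(".").lower() for c in zone.get(hostname, {}).get("CNAME", [])]
    if cname != [app_host.lower()]:
        findings.append(f"{hostname} does not resolve to {app_host}")
    if verification_id not in zone.get("asuid." + hostname, {}).get("TXT", []):
        findings.append(f"asuid.{hostname} TXT record missing or has the wrong value")
    allowed, owner = ca_may_issue(zone, hostname)
    if not allowed:
        findings.append(f'CAA at {owner} excludes digicert.com; add: CAA 0 issue "digicert.com"')
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ZONE, "api.contoso.example",
                             "myfunc.azurewebsites.net", "PLACEHOLDER-VERIFICATION-ID"):
        print("FAIL:", finding)
```

In the sample data the CAA record sits on the parent domain, so the hostname inherits a policy that names only another CA even though it has no CAA record of its own.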