
Azure managed certificates

Tim 20 Reputation points
2026-03-12T13:18:52.1+00:00

Hello,

This article explains that TLS services will have their managed certificates signed by DigiCert Global Root G2 or G3 per Q1 2026.

Since we recently encountered issues with our web apps' TLS connections, with the G1 being distrusted earlier than we expected, we'd like to ensure we understand how and when the G2 and G3 roots are used.

  • Which root certificates exactly are used, and what is the support timeline?
  • When and how can we tell, and configure, whether our App Service uses G2 or G3?

Thanks in advance,

Best regards, Tim

Azure App Service


Answer accepted by question author
  1. Golla Venkata Pavani 3,735 Reputation points Microsoft External Staff Moderator
    2026-03-12T14:27:29.01+00:00

    Hi @Tim,

    Thank you for reaching us regarding the issue.

    Azure App Service uses Microsoft‑managed TLS certificates issued by DigiCert. As part of industry‑wide PKI and browser trust changes, Microsoft is migrating all managed TLS certificates from the legacy DigiCert Global Root CA (G1) to DigiCert Global Root G2 and DigiCert Global Root G3. These are the only root certificates used for new and renewed Azure managed certificates. This migration began in late 2025 and is being completed by Q1 2026, ahead of April 15, 2026, when major browsers (Chrome and Mozilla) will stop trusting the G1 root.

    The transition is fully automatic and managed by Microsoft. Existing App Service Managed Certificates are renewed and re‑issued under the new G2/G3 certificate chains without customer intervention. Customers cannot choose, configure, or force whether App Service uses G2 or G3; root and intermediate CA selection is handled entirely by the Azure platform as part of the managed TLS service.

    Customers can verify which root is in use by inspecting the active TLS certificate chain presented by the App Service endpoint. However, there is no App Service setting or configuration option to control G2 versus G3 usage.

    TLS issues observed during this transition are typically caused by client‑side certificate pinning or outdated trust stores that do not trust DigiCert Global Root G2 or G3. Certificate pinning is not recommended with Azure Managed Certificates. If explicit control over the certificate chain or root CA is required, use a customer‑managed certificate instead of an App Service Managed Certificate.

    Reference:
    https://learn.microsoft.com/en-us/azure/security/fundamentals/managed-tls-changes
    https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-certificate-authority-details?tabs=root-and-subordinate-cas-list
    https://learn.microsoft.com/en-us/azure/app-service/industry-wide-certificate-changes

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "accept" if the information helped you. This will help us and others in the community as well.

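The chain inspection the accepted answer describes, as an added example that is not part of the thread and not Microsoft or Azure code: it parses the `Certificate chain` block that `openssl s_client -showcerts` prints (both the OpenSSL 1.1 and 3.x issuer formats) and reports whether the presented chain anchors to the legacy DigiCert Global Root CA (G1) or to DigiCert Global Root G2 / G3. The sample `s_client` output, the intermediate CA names in it and the hostname are all constructed placeholders; the live path needs the `openssl` CLI and network access.

```python
"""Report which DigiCert root an App Service endpoint's TLS chain anchors to.

Added example, not code from the Q&A thread. It parses the "Certificate chain"
block printed by `openssl s_client -showcerts` and classifies the last issuer
as G1, G2 or G3. The sample outputs below are constructed.
"""
import re
import subprocess
import sys

LEGACY_ROOT = "DigiCert Global Root CA"   # G1; browsers distrust it from 2026-04-15
ROOT_LABELS = {
    LEGACY_ROOT: "G1",
    "DigiCert Global Root G2": "G2",
    "DigiCert Global Root G3": "G3",
}

# Issuer lines look like "   i:C = US, O = DigiCert Inc, CN = DigiCert Global Root G2"
# (OpenSSL 3.x) or "   i:/C=US/O=DigiCert Inc/CN=DigiCert Global Root G2" (OpenSSL 1.1).
# CN must start an RDN, so an O value that happens to contain "CN" is not matched.
_ISSUER_RE = re.compile(r"^\s*i:(?:.*?[,/])?\s*CN\s*=\s*([^,/\n]+)", re.MULTILINE)


def issuer_cns(s_client_output):
    """Issuer CN of every certificate the server presented, leaf first."""
    return [m.group(1).strip() for m in _ISSUER_RE.finditer(s_client_output)]


def classify_root(s_client_output):
    """Return 'G1', 'G2', 'G3' or 'unknown' for the root the presented chain leads to.

    Servers normally omit the self-signed root, so the issuer of the last presented
    certificate names the trust anchor the client must hold. If the root is sent
    anyway, its issuer is itself, which yields the same answer.
    """
    cns = issuer_cns(s_client_output)
    if not cns:
        return "unknown"
    return ROOT_LABELS.get(cns[-1], "unknown")


def fetch_chain(hostname, port=443):
    """Run the openssl CLI with SNI set and return its stdout (needs network + openssl)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{hostname}:{port}",
         "-servername", hostname, "-showcerts"],
        input="", capture_output=True, text=True, timeout=20, check=False,
    )
    return proc.stdout


# Constructed samples: hostname and intermediate CA names are placeholders.
SAMPLE_G2 = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = contoso-api.azurewebsites.net
   i:C = US, O = Example Corp, CN = Example RSA TLS Issuing CA 1
 1 s:C = US, O = Example Corp, CN = Example RSA TLS Issuing CA 1
   i:C = US, O = DigiCert Inc, CN = DigiCert Global Root G2
---
Server certificate
subject=CN = contoso-api.azurewebsites.net
issuer=C = US, O = Example Corp, CN = Example RSA TLS Issuing CA 1
"""

SAMPLE_G1_OLD_FORMAT = """\
Certificate chain
 0 s:/CN=contoso-api.azurewebsites.net
   i:/C=US/O=Example Corp/CN=Example TLS RSA CA 1
 1 s:/C=US/O=Example Corp/CN=Example TLS RSA CA 1
   i:/C=US/O=DigiCert Inc/CN=DigiCert Global Root CA
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: check_root.py <hostname>; classifying constructed sample:",
              classify_root(SAMPLE_G2))
    else:
        out = fetch_chain(sys.argv[1])
        print("issuer chain:", " -> ".join(issuer_cns(out)) or "(none)")
        print("root generation:", classify_root(out))
```

Run it as `python3 check_root.py myapp.azurewebsites.net`. SNI is passed explicitly because the certificate a shared front end presents depends on the server name; if the result is `unknown`, print `issuer_cns()` to see which CA the chain actually ends in.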

1 additional answer

  1. Q&A Assist
    2026-03-12T13:19:11.6866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The managed TLS feature across Azure services, including Azure App Service, is moving from DigiCert Global Root CA (G1) to DigiCert Global Root G2 and DigiCert Global Root G3 as part of an industry-wide change driven by upcoming browser root trust requirements.

    1. Roots used and support timeline
    • All Azure managed TLS certificates (including App Service Managed Certificates and App Service Certificates) are migrating from CAs under DigiCert Global Root CA to CAs under DigiCert Global Root G2 and DigiCert Global Root G3.
    • This migration is required because Mozilla and Chrome will distrust DigiCert Global Root CA on April 15, 2026. To maintain trust, Azure will move all managed TLS certificates to G2/G3 before that date.
    • For Azure Front Door, the documentation explicitly states that DigiCert is retiring the G1 root certificate that expires on April 14, 2026, and replacing it with the G2 root certificate, with Azure handling automatic rotation for standard scenarios.
    • For App Service specifically, the “Industry‑wide certificate changes” article clarifies that:
      • App Service Managed Certificates (ASMC) and App Service Certificates (ASC) will both migrate to a new certificate chain as part of these industry‑driven updates.
      • The timeline table shows:
        • Feb–Mar 2026: ASMC migrates to the new chain.
        • Mar–Apr 2026 (TBD): ASC migrates to the new chain and the client authentication EKU is removed.
      • These changes are aligned with the broader “Managed TLS changes” initiative, which is where the G2/G3 migration is defined.

    In summary: the long‑term supported roots for Azure managed TLS are DigiCert Global Root G2 and DigiCert Global Root G3, with migration completing before April 15, 2026. The legacy DigiCert Global Root CA (G1) is being phased out and will be distrusted by major browsers on that date.

    2. Choosing or configuring G2 vs G3 for App Service
    • The managed TLS platform change is handled by Azure and DigiCert; there is no configuration surface in App Service to choose between G2 and G3 for managed certificates.
    • For App Service Managed Certificates and App Service Certificates, the guidance is:
      • Do not pin specific certificates or chains for ASMC, because issuance and rotation are controlled by the service and the chain is changing.
      • For ASC, any pinning should be carefully reviewed and ideally removed, because the chain (including which DigiCert root is used) can change as part of the migration.
    • The App Service documentation explicitly states that:
      • Apps that pin certificates or chains must review and remove pinning before the migration dates to avoid disruption.
      • Certificate pinning is not recommended for ASMC, and may break for ASC due to certificate chain changes.

    Practically, this means:

    • The service will automatically move certificates to CAs under DigiCert Global Root G2 and/or G3 according to the published timelines.
    • Applications should be configured to trust the standard public root store (which will include G2 and G3) rather than pinning to G1 or to specific intermediates/leaf certificates.
    • There is no supported way in App Service to force “use G2” vs “use G3”; that choice is part of the managed PKI operated by Microsoft and DigiCert.

    To avoid repeats of the early distrust issues encountered with G1, the recommended approach is to:

    • Ensure client platforms trust the current public root store (including DigiCert Global Root G2 and G3).
    • Remove any static pinning to DigiCert Global Root CA (G1), specific intermediates, or specific leaf certificates for App Service managed TLS.

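A client-side counterpart to the advice above to trust the public root store rather than pin, as an added example that is not from the thread and not Microsoft code: it lists the CA certificates Python's default `SSLContext` loaded from the platform store and reports whether DigiCert Global Root G2 and G3 are present, and whether the legacy G1 root is still there. The two sample stores are constructed; the live check uses only the standard library.

```python
"""Audit a client trust store for the DigiCert roots Azure managed TLS now chains to.

Added example, not code from the Q&A thread. The platform roots loaded into an
SSLContext are read with get_ca_certs() and compared against the root CNs the
Azure documentation names. The sample stores below are constructed.
"""
import ssl

REQUIRED_ROOTS = frozenset({"DigiCert Global Root G2", "DigiCert Global Root G3"})
LEGACY_ROOT = "DigiCert Global Root CA"   # G1; browsers distrust it from 2026-04-15


def subject_cn(cert):
    """Extract the commonName from the nested subject tuple ssl.get_ca_certs() returns."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(ca_certs):
    """Return (missing_required_roots, legacy_root_present) for a list of CA cert dicts.

    missing_required_roots is sorted so the result is stable for comparison/logging.
    """
    cns = {subject_cn(c) for c in ca_certs}
    return sorted(REQUIRED_ROOTS - cns), LEGACY_ROOT in cns


def platform_roots():
    """Load the platform's default CA store and return its certificates.

    Caveat from the ssl module docs: certificates in a capath directory are only
    reported after they have been used once, so on some Linux layouts this list can
    be incomplete; point load_verify_locations() at a bundle file for a full listing.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed samples in the shape get_ca_certs() returns: one store that carries
# both current roots, one that still only carries the legacy G1 root.
SAMPLE_STORE_OK = [
    {"subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root G2"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root G3"),))},
]
SAMPLE_STORE_STALE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root CA"),))},
]

if __name__ == "__main__":
    missing, has_legacy = audit_roots(platform_roots())
    print("missing required roots:", missing or "none")
    print("legacy G1 root present:", has_legacy)
```

A non-empty `missing` list on a client host is the outdated-trust-store case the answers describe; the G1 root being present is not itself a problem for connecting to App Service, since the migrated chains no longer depend on it.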
