
Front Door managed cert shows "Deployed" but edge nodes still serve expired certificate

Hugo Palomares 0 Reputation points
2026-04-02T20:42:23.58+00:00

Wildcard custom domain on Front Door (Standard/Premium). Managed cert expired April 1. We regenerated the validation token, updated the DNS TXT record, domain moved to Approved, and portal shows "Deployed: 183 day(s) to expiry."

After 2+ hours, edge nodes still serve the expired cert. curl returns "SSL certificate problem: certificate has expired". Resource Health shows "Degraded: Custom domain certificate expired (Unplanned)" and has been flapping all day.

az afd secret show returns deploymentStatus: NotStarted despite the portal showing deployed.

What we've done:

  • Regenerated validation token via az afd custom-domain regenerate-validation-token
  • Updated the _dnsauth TXT record (confirmed via dig)
  • Domain validation state: Approved
  • No CAA records blocking DigiCert
  • CNAME correctly points to Front Door endpoint

Is there a way to force edge propagation, or is this a known delay with wildcard managed certificates?

Azure Front Door

An Azure service that provides a cloud content delivery network with threat protection.


2 answers

  1. Ganesh Patapati 11,915 Reputation points Microsoft External Staff Moderator
    2026-04-08T14:52:26.0733333+00:00

    Hello Hugo Palomares

    With Azure Front Door managed certificates, there isn’t a “force propagate” button; rotation and global edge propagation are fully managed by the service, and it can take up to 72 hours from the time the new cert is issued before every POP reflects the change. Here’s what to keep in mind:

    NOTE: Certificate auto-rotation window

    • For Front Door Standard/Premium, Azure automatically provisions and deploys the renewed cert, but edge-wide propagation can take up to 72 hours.
    • If it’s been more than 72 hours since you saw “Deployed” in the portal, then please let us know, as it should be done from the backend.

    What you can do right now

    • Wait up to the 72 hours window for edge propagation to finish.
    • Double-check your DNS CNAME is a single-hop to your Front Door host (no flattening or A/Alias records).
    • If after 72 hours the expired cert still persists on any edge, it should be done by the backend team.

    Can you please update us if the action plan provided was helpful?

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    If these answer your question, click "Upvote" and click "Accept Answer" which may be beneficial to other community members reading this thread.


  2. Vallepu Venkateswarlu 7,240 Reputation points Microsoft External Staff Moderator
    2026-04-02T23:35:59.8966667+00:00

    Hi @Hugo Palomares,

    Welcome to Microsoft Q&A Platform.

    It looks like you’ve done all the right validation steps (token regen, TXT record, CNAME, domain Approved), but you’re still seeing the old, expired cert on the edges after a couple of hours. This usually comes down to propagation delays in the Front Door network rather than a CLI bug or something you can “kick” directly.

    As per the MS doc, propagation can take up to 72 hours.

    • Even once the portal flips to “Deployed,” it can take up to three full days for all edge POPs to pick up the new cert.
    • Unfortunately there’s no “purge cert cache” command or manual API trigger; Front Door handles it internally.

    Double-check the CLI status using the command below

    az afd custom-domain show --resource-group <RG> --profile-name <FrontDoorName> --name <CustomDomainName>

    Look at certificateProvisioningState and certificateStatus. Both should read Succeeded or Deployed.

    Wait it out (up to 72 hrs)

    • If you’re past that window and edges are still serving the old cert, it’s time to open a support ticket, as the rotation should have completed by then.

    Please “Accept Answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

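Both answers check the control plane (az afd custom-domain show) and then wait; the data-plane check that actually tells you whether propagation has finished is a TLS handshake against each edge IP with SNI set to the custom domain, which is what curl does. The following is an added example, not code from the thread or from Microsoft, using only the Python 3.9+ standard library; the hostname and any extra IP list are assumed caller inputs, and verification is left on so an expired cert is reported as a failure rather than silently accepted.

```python
import socket
import ssl
import time
from collections import Counter
from typing import Optional

def assess_cert(cert: dict, now: Optional[float] = None) -> dict:
    """Classify a getpeercert()-style dict by its validity window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        status = "expired"
    elif now < not_before:
        status = "not-yet-valid"
    else:
        status = "ok"
    return {"status": status, "serial": cert.get("serialNumber"),
            "days_left": round((not_after - now) / 86400, 1)}

def probe_edge(hostname: str, ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with one edge IP while sending SNI=hostname. Verification stays
    on, so an expired cert surfaces as verify-failed, the same way curl sees it."""
    ctx = ssl.create_default_context()
    result = {"ip": ip}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                result.update(assess_cert(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        result.update(status="verify-failed", reason=exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        result.update(status="error", reason=str(exc))
    return result

def summarize(results: list) -> dict:
    """Propagation is done only when every probed edge served a valid cert with one shared serial."""
    by_status = Counter(r["status"] for r in results)
    serials = {r["serial"] for r in results if r["status"] == "ok"}
    return {"edges": len(results), "by_status": dict(by_status),
            "distinct_serials": len(serials),
            "propagated": by_status["ok"] == len(results) and len(serials) == 1}

def check_domain(hostname: str, ips: Optional[list] = None, port: int = 443) -> dict:
    """hostname is your custom domain (assumed input). Probes every IP the local resolver
    returns, or a caller-supplied list: Front Door is anycast, so add IPs seen from other regions."""
    if ips is None:
        ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)})
    return summarize([probe_edge(hostname, ip, port) for ip in ips])
```

A summary with propagated False after the 72-hour window, with by_status still showing verify-failed or more than one serial, is the evidence worth attaching to the support ticket the answers mention.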
