
App Service Certificate denied

Yacobus 0 Reputation points
2026-04-17T05:10:49.1666667+00:00

Hi guys,

I want to ask: my certificate is going to expire in May 2026 and I want it to auto-renew,

but the certificate now shows "Certificate Denied". Although step 2, Verification, shows success in the details, the step is still not complete.

What should I do?

[Screenshots attached: cert1, cert2, cert3]

Thanks a lot

Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.


3 answers

  1. Praneeth Maddali 9,015 Reputation points Microsoft External Staff Moderator
    2026-04-17T08:54:01.3766667+00:00

    Hi @Yacobus,

    Thank you for reaching out and sharing the screenshots — that helps a lot.

    What you’re seeing is expected behavior with App Service Certificates and can be confusing due to the portal UI:

    • Domain Verification = Successful only confirms that DNS/domain ownership is valid.
    • Certificate Issuance State = Denied means the certificate authority has already failed the issuance or renewal request.
    • Once a certificate enters the Denied state, it cannot be recovered or renewed, even if domain verification later succeeds.

    This commonly happens due to:

    • CA validation timing out or failing during renewal
    • Backend issuance pipeline failures
    • Key Vault permission issues during renewal
    • Recent compliance and issuance flow changes in App Service Certificates

    What to do (supported resolution)

    1. Check the real provisioning state (optional, for confirmation) using:
         az resource show --ids <certificate-resource-id> --query properties.provisioningState

    2. If the certificate is already Denied:
      • Delete only the certificate (not the domain).
      • Create a new App Service Certificate for the same hostname.
      • Complete domain verification again (DNS TXT or App Service verification).
      • Once the new certificate is Issued, enable Auto Renew.
    3. If the certificate is still Pending Issuance, you can try Renew or Rekey and Sync once—but these do not work after Denied.

    This will get you a fresh certificate and enable automatic renewal for the future.

    Reference:

    https://azure.github.io/AppService/2018/02/20/Troubleshooting-Tools-for-App-Service-Certificate.html

    https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-azure-app-service-certificates

    https://learn.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest

    Please do not forget to click "Accept the answer" and "Yes"; this can be beneficial to other community members.

    If you have any other questions, let me know in the comments and I would be happy to help you.


  2. Yacobus 0 Reputation points
    2026-04-21T06:50:19.87+00:00

    Hi,

    Thanks for the answer. We have already recreated the certificate, but it still shows "Certificate Denied".

    Our question is: have we already been charged for this?

    In our DNS management, last time we added a CAA record with "issue digicert.com" only. Is this the cause? (ChatGPT suggests removing the CAA record and regenerating the certificate.) But will it cost us twice?

    What should we check again?

    Thanks

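The CAA question raised in the follow-up above (an apex record that names only digicert.com) can be checked the way an issuing CA checks it. The evaluator below is an added example, not code from this thread or from Azure; it implements the RFC 8659 lookup (climb from the hostname to the first parent that has CAA records, then match the issuer against the issue/issuewild values) over a constructed in-memory zone, so it runs offline and ignores CNAME chasing. The hostnames, the CA names other than digicert.com and the zone contents are all assumptions.

```python
"""Evaluate DNS CAA records the way an issuing CA does (RFC 8659).

Added example, not taken from the Q&A thread or from Azure. The DNS data
is a constructed in-memory dict rather than a live lookup, so it runs offline.
"""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)
CRITICAL = 128                    # RFC 8659 "issuer critical" flag bit


def relevant_caa_set(zone: Dict[str, List[CaaRecord]], hostname: str) -> List[CaaRecord]:
    """Walk from hostname up towards the TLD; the first name that has CAA
    records decides the policy for every name below it."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []


def caa_permits(zone: Dict[str, List[CaaRecord]], hostname: str,
                issuer_domain: str, wildcard: bool = False) -> bool:
    """True if issuer_domain is allowed to issue for hostname under the CAA policy."""
    rrset = relevant_caa_set(zone, hostname)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(flags & CRITICAL and tag not in known for flags, tag, _ in rrset):
        return False  # a critical property the CA does not understand: must refuse
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present but no issue/issuewild records: no restriction
    # Strip "; parameters" and normalise case; a bare ";" permits no CA at all.
    permitted = {v.split(";")[0].strip().lower() for v in values}
    permitted.discard("")
    return issuer_domain.lower() in permitted


# Constructed sample zone mirroring the poster's setup: a single apex CAA record
# that allows only DigiCert, and no CAA record on the www host itself.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "digicert.com")],
    "locked.example.com": [(0, "issue", ";")],           # explicitly forbids issuance
    "odd.example.com": [(CRITICAL, "futuretag", "x")],   # unknown critical tag
}

if __name__ == "__main__":
    for ca in ("digicert.com", "some-other-ca.example"):
        print(ca, "->", caa_permits(SAMPLE_ZONE, "www.example.com", ca))
```

With this zone, any CA other than digicert.com is refused for www.example.com, which is why a CAA record that names one CA can block a certificate pipeline that uses a different one; removing or widening the record is a DNS change, so re-check with the evaluator (or dig CAA) before requesting a new certificate.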

  3. Alex Burlachenko 20,825 Reputation points MVP Volunteer Moderator
    2026-04-17T08:46:45.95+00:00

    Yacobus hi & thx for joining me here at Q&A,

    I guess this one is a bit of a misleading UI but actually pretty typical with the App Service Certificates lifecycle. u have a mismatch between "domain verified" and "certificate issuance state". domain verification = OK but issuance/renewal pipeline = failed, so the portal shows Certificate Denied. Verification success does NOT mean the certificate was issued/renewed, it just means DNS/ownership is fine.

    cert stuck in pending/denied due to CA validation timeout or backend failure. even if u later see “domain verified”, issuance might already be marked failed.

    DNS validation changed or propagated late, CA already rejected request.

    Key Vault / App Service binding issue, especially if cert is linked and renewal tries to push secret.

    known recent changes in App Service Certificates (they are tightening compliance + moving flows), this banner u see is hint something changed in backend pipeline.

    Let's try to do something with it.

    • Check certificate state via CLI, portal UI sometimes lies:
      az resource show --ids <cert-resource-id> --query properties.provisioningState
      if it shows Failed or Denied, renewal already broke.
    • Go to certificate > "Rekey and Sync" or "Renew" manually, this forces a new issuance cycle.
    • If still denied, delete only the certificate (NOT the domain) and re-create it, same hostname, this is often the fastest fix.
    • Verify DNS again, especially the CNAME or TXT used for validation, make sure there are no stale records or duplicates.
    • Check if the cert is linked to Key Vault, if yes ensure the access policy allows Microsoft.Web to read/write secrets.
    • Check the Activity Log for Microsoft.CertificateRegistration events, u will see the exact failure reason from the CA (this is the only place with truth).

    U already see "Domain Verification Successful", so the problem is NOT DNS anymore, it's the issuance pipeline or a CA-side rejection cached in Azure. U know, when it shows "Certificate Denied" after verification success, in 80% of cases it's a stuck backend state and the easiest fix is to recreate the cert or trigger rekey. if recreate also fails, then it's not config, it's a platform issue, so open support with timestamp + resource ID.

    in other words I see domain ok, issuance failed, force new issuance (renew/rekey) or recreate cert.

    rgds,

    Alex

    &

    pls if it helps accept my answer and mark it as an answer