How to add a custom CA certificate in Azure API Management

Azure API Management allows installing CA certificates on the machine inside the trusted root and intermediate certificate stores. This functionality should be used if your services require a custom CA certificate.

The article shows how to manage CA certificates of an Azure API Management service instance in the Azure portal. For example, if you use self-signed client certificates, you can upload custom trusted root certificates to API Management.

CA certificates uploaded to API Management can only be used for certificate validation by the managed API Management gateway. If you use the self-hosted gateway, learn how to create a custom CA for self-hosted gateway, later in this article.


We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.



This feature is available in the Premium, Standard, Basic, and Developer tiers of API Management.

For feature availability in the v2 tiers (preview), see the v2 tiers overview.

Upload a CA certificate

CA certificates in the Azure portal

Follow the steps below to upload a new CA certificate. If you have not created an API Management service instance yet, see the tutorial Create an API Management service instance.

  1. Navigate to your Azure API Management service instance in the Azure portal.

  2. In the menu, under Security, select Certificates > CA certificates > + Add.

  3. Browse for the certificate .cer file and decide on the certificate store. Only the public key is needed, so the password is optional.

    Add CA certificate in the Azure portal

  4. Select Save. This operation may take a few minutes.


  • The process of assigning the certificate might take 15 minutes or more depending on the size of the deployment. The Developer SKU has downtime during the process. The Basic and higher SKUs don't have downtime during the process.
  • You can also upload a CA certificate using the New-AzApiManagementSystemCertificate PowerShell command.

Delete a CA certificate

Select the certificate, and select Delete in the context menu (...).

Create custom CA for self-hosted gateway

If you use a self-hosted gateway, validation of server and client certificates using CA root certificates uploaded to API Management service is not supported. To establish trust, configure a specific client certificate so that it's trusted by the gateway as a custom certificate authority.

Use the Gateway Certificate Authority REST APIs to create and manage custom CAs for a self-hosted gateway. To create a custom CA:

  1. Add a certificate .pfx file to your API Management instance.
  2. Use the Gateway Certificate Authority - Create Or Update REST API to associate the certificate with the self-managed gateway.