3
votes

I have an App Service Certificate in Azure that is set to auto renew. When I try to import it into the associated App Service, however, I get the error:

App Service Certificate is not issued.

How do I “issue” an App Service Certificate so that it can be assigned to an App Service via import?

App Service Certificate Configuration

To verify the status of the App Service Certificate, I did the following:

  1. Open the “App Service Certificate” under “All Resources”
  2. Click “Certificate Expired” warning (or, alternatively, “Certificate Configuration”)
  3. Confirmed “Certificate successfully imported to Key Vault” (checked)
  4. Confirmed “Domain ownership verified” (checked)
  5. Confirmed “Certificate ready to use in App Service”
  6. Followed instructions under “Step 3: Assign”

App Service Certificate Assignment

To assign the App Service Certificate, I followed the instructions under the Certificate Status’s “Step 3: Assign” window. This is similar to the instructions on Microsoft’s Buy SSL Cert page.

  1. Open the “App Service” under “All Resources”
  2. Click “TLS/SSL Settings”
  3. Click “Private Key Certificates (.pfx)”
  4. Click “Import App Service Certificate”
  5. Click the App Service Certificate (it shows up as expected)
  6. Receive error, “App Service Certificate is not issued.”

Note: The steps above are slightly different than those in the “Certificate Status” page due to changes in the Azure Portal user interface. E.g., “Custom domains and SSL” has been renamed to “TLS/SSL Settings”, and “Certificates” has been renamed to “Private Key Certificates (.pfx)”.

Other Information

As part of troubleshooting this process, I also verified the following:

  1. The certificate is currently marked as expired
  2. “Auto Renew App Service Certificate” is set to “On”
  3. “Manual renewal not allowed at this time… to prevent accidental renewal”
  4. “Rekey is not allowed” since the certificate is not in an issued state
  5. While “Step 3: Assign” reports “Certificate ready to use in App Service”, that step is not checked—presumably because it hasn’t been assigned.

Note: I went through this process last year with this same Subscription, App Service, and App Service Certificate without a problem.

Analysis

The “Step 3: Assign” instructions state “completing all the steps will get the certificate to the Issued state”. It then goes on to say, “An issued App Service certificate may be used on any App Service Web App”. There seems to be a missing step between these, however, as while it reports that “Certificate ready to use in App Service”, the App Service states that the “App Service Certificate is not issued”. How do I get the App Service Certificate to an “Issued” state?

1
@JoeyCai, I ended up opening a support ticket with Microsoft. Tier 1 support had me simply work around the issue by purchasing a new certificate. As for a long-term solution, they’ve escalated the problem to the product team. It seems there was some bug in the automatic renewal process that left my new certificate in a limbo state. I’ll report back with their findings assuming they’re able to isolate the issue. In the meanwhile, I’ll be monitoring our certificate renewals carefully. - Jeremy Caney

1 Answer

0
votes

The certificate is currently marked as expired, “Auto Renew App Service Certificate” is set to “On”

As you have said, your certificate is expired now, and though you have turned on the Auto Renew setting, it does not bind the new cert to the WebApps that the cert it is replacing is currently bound to. You need to manually bind the new cert once it is available. Here is an article you could refer to in order to renew your certificate.

Also, if you are creating a new app service certificate and get this error, I suggest you delete it and recreate a new one.