---
title: Azure API Management - Managed certificates suspension for custom domains (August 2025)
description: Azure API Management is temporarily suspending creation of managed certificates for custom domains from August 15, 2025 to June 30, 2026 due to industry-wide changes in domain validation.
services: api-management
author: dlepow
ms.service: azure-api-management
ms.topic: reference
ai-usage: ai-assisted
ms.date: 04/03/2026
ms.author: danlep
---

# Creation of managed certificates temporarily suspended for custom domains (August 2025 - June 2026)

[!INCLUDE premium-dev-standard-basic.md]

> [!IMPORTANT]
> The suspension period for managed certificates was recently extended to June 30, 2026.

Creation of Azure-managed certificates for custom domains in API Management will be temporarily turned off from August 15, 2025 to June 30, 2026. Existing managed certificates will be autorenewed as long as your API Management service allows inbound traffic from DigiCert IP addresses on port 80 and DNS is properly configured.

In the classic service tiers, Azure API Management offers free, managed TLS certificates for custom domains (preview), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, is moving to a new open-source software (OSS) DCV platform that provides transparency and accountability, increasing the trustworthiness of domain validation. As part of this transition, DigiCert will deprecate support for the legacy CNAME Delegation DCV workflow. This migration requires us to temporarily suspend the creation of managed certificates for custom domains.

This change doesn't affect the standard CNAME DCV workflow (where DigiCert validates a random value in the CNAME record), which is still supported in the OSS validation system. It does affect several Azure services that currently rely on the soon-to-be-deprecated CNAME Delegation workflow for automated certificate issuance and renewal.

## Is my service affected by this?

You're affected if you plan to create new managed certificates for custom domains in Azure API Management between August 15, 2025 and June 30, 2026.

As part of this change, starting January 2026, for Azure API Management to be able to renew (rotate) your existing managed certificate, inbound access is required on port 80 to allow specific DigiCert IP addresses.

## What is the deadline for the change?

The suspension of managed certificates for custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.

## What do I need to do?

If you need to add new managed certificates, plan to do so before August 15, 2025 or after June 30, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.

If you already have managed certificates for your custom domains, do the following to ensure continued access:

  1. Ensure that your API Management service allows inbound traffic from DigiCert IP addresses on port 80. This access is now required for the certificate autorenewal process.
  2. Configure DNS records to resolve your custom domain name.
  3. Allow API Management service access to port 80 if you have inbound network restrictions in place.

## Step 1: Allow access to DigiCert IP addresses

[!INCLUDE api-management-managed-certificate-ip-access.md]

## Step 2: Configure DNS records

Configure DNS records for your custom domain to point to your API Management gateway. The type of DNS record you need to add depends on your API Management tier.

### DNS records for Developer, Basic, Standard, or Premium tier

  1. Add either a CNAME or A-record with your DNS provider.

  2. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools.

### DNS records for Consumption tier

  1. Add either a CNAME or TXT record with your DNS provider. If you configure both, the TXT record takes precedence.

  2. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools.
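A CA decides whether it may issue for a name by applying the RFC 8659 CAA lookup, so a misplaced or over-restrictive CAA record set silently blocks the renewal described above. The following added example (not code from the Azure documentation or from DigiCert) evaluates CAA records offline the way a CA does; the zone `contoso.example` and its records are constructed sample data, and `digicert.com` is DigiCert's published CAA issuer domain.

```python
"""Offline CAA check for a custom domain, applying the RFC 8659 lookup a
CA performs before issuing: walk from the name up to the closest ancestor
that has CAA records, then evaluate the "issue" (or, for wildcard names,
"issuewild") properties found there. SAMPLE_ZONE is constructed data."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR
DIGICERT = "digicert.com"        # DigiCert's CAA issuer domain

# Constructed zone: api.contoso.example has no CAA set of its own, so the
# parent's records apply; shop.contoso.example overrides with its own set.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "contoso.example": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "shop.contoso.example": [(0, "issue", "letsencrypt.org")],
}


def relevant_caa(zone: Dict[str, List[CaaRecord]], name: str
                 ) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (owner, records) of the closest ancestor-or-self CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_allowed(zone: Dict[str, List[CaaRecord]], name: str,
               ca_domain: str = DIGICERT, wildcard: bool = False) -> bool:
    """True if ca_domain may issue for name under RFC 8659 rules."""
    _, records = relevant_caa(zone, name)
    # An unknown tag with the critical flag (bit 0x80) set forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False
    issue = [r for r in records if r[1] == "issue"]
    issuewild = [r for r in records if r[1] == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # no relevant property anywhere: any CA may issue
    for _, _, value in applicable:
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer == ca_domain.lower():
            return True
    return False  # only other CAs (or ";" meaning nobody) are listed
```

Feed it the CAA records you actually published (for example, from `dig CAA <zone>`) to confirm DigiCert is permitted for the exact custom domain name before the renewal window.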

## Step 3: Allow API Management service access to port 80

If you have inbound network restrictions configured for your API Management service, allow the Azure API Management resource provider access on port 80. This is required to allow inbound traffic to support certificate revocation list (CRL) checks, certificate renewal, and management communication.

  1. In the Azure portal, go to Network security groups.
  2. Select the network security group associated with your API Management subnet.
  3. Under Settings > Inbound security rules, add a new rule allowing traffic on port 80 from the ApiManagement service tag to the API Management instance.

## Help and support

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request.

## Related content

See all upcoming breaking changes and feature retirements.