| title | Add a Custom CA Certificate - API Management | Microsoft Docs | |
|---|---|---|
| description | Learn how to add a custom CA certificate in Azure API Management. Also learn how to delete a certificate. | |
| services | api-management | |
| author | dlepow | |
| ms.service | azure-api-management | |
| ms.topic | how-to | |
| ms.date | 02/17/2026 | |
| ms.author | danlep | |
| ms.custom |
|
APPLIES TO: Developer | Basic | Standard | Premium
Azure API Management allows you to upload and install CA certificates on the machine inside the trusted root and intermediate certificate stores. Use this functionality if your services require a custom CA certificate.
This article shows how to manage CA certificates of an API Management instance in the Azure portal. For example, if you use self-signed client certificates, you can upload custom trusted root certificates to API Management.
[!INCLUDE api-management-ca-certificate-v2-tiers]
CA certificates uploaded to API Management can be used for certificate validation only by the managed API Management gateway. If you use the self-hosted gateway, you can learn how to create a custom CA for self-hosted gateway later in this article.
[!INCLUDE api-management-workspace-availability]
[!INCLUDE api-management-service-update-behavior]
[!INCLUDE updated-for-az]
Complete the following steps to upload a new CA certificate. If you haven't created an API Management instance yet, see Create an API Management service instance.
-
Go to your Azure API Management instance in the Azure portal.
-
In the left menu, under Security, select Certificates. On the Certificates page, select CA certificates > + Add.
-
In the Upload CA certificate window, select the file icon and browse for the certificate .cer file. In the Store box, select a certificate store. Only the public key is needed, so the password is optional.
:::image type="content" source="media/api-management-howto-ca-certificates/02.png" alt-text="Screenshot that shows the steps for adding a CA certificate in the Azure portal." lightbox="media/api-management-howto-ca-certificates/02.png":::
-
Select the Add button at the bottom of the window, and then select Save. This operation might take a few minutes.
Note
You can also upload a CA certificate by using the New-AzApiManagementSystemCertificate PowerShell command.
Select the certificate, and then select Delete in the ... menu.
If you use a self-hosted gateway, validation of server and client certificates via CA root certificates uploaded to API Management service isn't supported. To establish trust, configure a specific client certificate so that it's trusted by the gateway as a custom certificate authority.
Use the Gateway Certificate Authority REST APIs to create and manage custom CAs for a self-hosted gateway. To create a custom CA:
- Add a certificate .pfx file to your API Management instance.
- Use the Gateway Certificate Authority - Create Or Update REST API to associate the certificate with the self-managed gateway.
API Management currently enforces a limit of 10 CA certificates per instance.