Merge pull request #311489 from dlepow/certip

ttorble · web-flow · commit 5596febb5186 · 2026-02-08T09:54:06.000Z
[APIM] Managed cert suspension: DNS configuration etc.
diff --git a/articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md b/articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md
@@ -6,7 +6,7 @@ author: dlepow
 ms.service: azure-api-management
 ms.topic: reference
 ai-usage: ai-assisted
-ms.date: 01/26/2026
+ms.date: 02/06/2026
 ms.author: danlep
 ---
 
@@ -36,11 +36,37 @@ If you need to add new managed certificates, plan to do so before August 15, 202
 
 If you already have managed certificates for your custom domains, do the following to ensure continued access:
 
-- Ensure that your API Management service allows [inbound traffic from DigiCert IP addresses on port 80](#allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
+1. Ensure that your API Management service [allows inbound traffic from DigiCert IP addresses on port 80](#step-1-allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
+1. [Configure DNS records](#step-2-configure-dns-records) to resolve your custom domain name.
+1. [Allow API Management service access to port 80](#step-3-allow-api-management-service-access-to-port-80) if you have inbound network restrictions in place.
 
+### Step 1: Allow access to DigiCert IP addresses
 
 [!INCLUDE [api-management-managed-certificate-ip-access.md](../../../includes/api-management-managed-certificate-ip-access.md)]
 
+### Step 2: Configure DNS records
+
+Configure DNS records for your custom domain to point to your API Management gateway. The type of DNS record you need to add depends on your API Management tier.
+
+#### DNS records for Developer, Basic, Standard, or Premium tier
+
+1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or A-record with your DNS provider. 
+
+1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools.
+
+#### DNS records for Consumption tier
+
+1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or [TXT](/azure/api-management/configure-custom-domain?tabs=managed#txt-record) record with your DNS provider. If you configure both, the TXT record takes precedence.
+1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, you need to create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools
+
+### Step 3: Allow API Management service access to port 80
+
+If you have inbound network restrictions configured for your API Management service, allow the Azure API Management resource provider access on port 80. This is required to allow inbound traffic to support certificate revocation list (CRL) checks, certificate renewal, and management communication. 
+
+1. In the Azure portal, go to **Network security groups**.
+1. Select the network security group associated with your API Management subnet.
+1. Under **Settings** > **Inbound security rules**, add a new rule allowing traffic on port 80 from the **ApiManagement** service tag to the API Management instance.
+
 ## Help and support
 
 If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).
diff --git a/articles/api-management/configure-custom-domain.md b/articles/api-management/configure-custom-domain.md
@@ -126,6 +126,8 @@ API Management offers a free, managed TLS certificate for your domain, if you do
 * Supports only public domain names
 * Can only be configured when updating an existing API Management instance, not when creating an instance
 
+### Allow access to DigiCert IP addresses
+
 [!INCLUDE [api-management-managed-certificate-ip-access.md](../../includes/api-management-managed-certificate-ip-access.md)]
 
 ---
diff --git a/includes/api-management-managed-certificate-ip-access.md b/includes/api-management-managed-certificate-ip-access.md
@@ -7,8 +7,6 @@ ms.author: danlep
 ms.custom:
 ---
 
-### Allow access to DigiCert IP addresses
-
 Starting January 2026, Azure API Management needs inbound access on port 80 to [specific DigiCert IP addresses](https://knowledge.digicert.com/alerts/ip-address-domain-validation?utm_medium=organic&utm_source=docs-digicert&referrer=https://docs.digicert.com/en/certcentral/manage-certificates/domain-control-validation-methods/automatic-domain-control-validation-check.html) to renew (rotate) your managed certificate.  
 
 If your API Management instance restricts incoming IP addresses, we recommend that you remove or modify existing IP restrictions by using one of the following methods based on your deployment architecture.
