App Hosting App Service TLS field-manual-complete field-manual-complete

App Service managed certificate

An App Service managed certificate is a free certificate that Azure App Service can issue for an eligible custom domain on a web app or function app. It is meant to secure browser and API traffic over HTTPS without a team buying, uploading, renewing, and rotating a certificate manually. It is convenient for straightforward custom domains, but it has limits. You still need the domain mapped correctly, a TLS binding configured, and a plan for cases where managed certificate eligibility or validation does not fit the architecture.

Back to glossary browser Open Microsoft Learn source
Aliases
Azure App Service managed certificate, app service managed certificate
Difficulty
Intermediate
CLI mappings
5
Last verified
2026-05-30

Microsoft Learn

Microsoft Learn describes a free App Service managed certificate as a TLS server certificate managed by App Service for eligible custom DNS names. App Service handles renewal automatically while prerequisites remain valid, and the certificate is used to secure HTTPS bindings for custom domains.

Microsoft Learn: Add and manage TLS/SSL certificates in Azure App Service2026-05-30

Technical context

Technically, an App Service managed certificate belongs to the App Service TLS configuration for a custom hostname. The app must have a verified custom domain, and App Service creates and renews the certificate while requirements remain satisfied. Operators manage it through certificate and TLS binding settings, Azure CLI webapp config commands, DNS records, and custom domain validation. It interacts with SNI bindings, HTTPS-only settings, Front Door or Traffic Manager designs, private access restrictions, deployment slots, and certificate inventory across App Service resources.

Why it matters

App Service managed certificate matters because expired or missing TLS certificates cause immediate customer-visible outages. Teams often remember application deployments but forget certificate renewal dates, DNS validation, or binding drift. A managed certificate reduces renewal burden for simple App Service custom domains and helps small teams enforce HTTPS without building a certificate operations process from scratch. It also teaches an important boundary: managed does not mean universal. Architects still need to verify domain eligibility, public validation requirements, hostname bindings, private access patterns, and whether a bring-your-own or Key Vault certificate is more appropriate. That distinction prevents teams from discovering certificate limits during an outage.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the App Service Certificates or TLS/SSL settings blades, managed certificates appear with hostname, thumbprint, status, expiry, and binding options for custom domains. during reviews

Signal 02

In Custom domains, App Service shows whether the hostname is validated, which DNS records are expected, and whether TLS binding protects the name. before launch

Signal 03

In Azure CLI and Resource Graph inventory, web app hostNameSslStates and certificate properties reveal active thumbprints, SSL state, expiration, and hostname coverage. during fleet reviews

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Secure a straightforward App Service custom domain without buying and manually renewing a public TLS certificate.
  • Reduce certificate operations burden for many small web apps that only need basic HTTPS on verified hostnames.
  • Inventory App Service apps before a compliance review to find custom domains without valid TLS bindings.
  • Troubleshoot browser certificate warnings by comparing hostname, DNS validation, binding, thumbprint, and expiration state.
  • Decide when managed certificates are insufficient and a Key Vault, wildcard, edge, or bring-your-own certificate pattern is needed.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Nonprofit fundraising site avoids launch-day TLS failure

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A nonprofit rebuilt its donation site on App Service before a national fundraising campaign. The old certificate was expiring two days after launch, and the volunteer team had no renewal runbook.

Business/Technical Objectives
  • Secure the custom donation domain before campaign launch.
  • Remove manual certificate renewal from volunteers.
  • Prove HTTPS readiness to payment partners.
  • Create a simple fallback plan if validation failed.
Solution Using App Service managed certificate

The web team mapped the custom domain to App Service, verified DNS, created an App Service managed certificate, and bound it with SNI SSL. Azure CLI captured hostNameSslStates, thumbprint, HTTPS-only configuration, and certificate inventory for the payment partner checklist. Synthetic tests checked both apex and www redirects after the binding. Because donations were time-sensitive, the team also documented how to upload a purchased certificate if managed certificate validation failed. DNS ownership and renewal-monitoring responsibilities were assigned to named staff instead of an ad hoc volunteer channel. The team rehearsed the fallback path once before launch weekend.

Results & Business Impact
  • The campaign launched with zero browser certificate warnings.
  • Payment partner validation finished in one afternoon instead of three days.
  • Manual certificate renewal work was eliminated for the simple custom domain.
  • Donation conversion stayed stable during the highest traffic hour.
Key Takeaway for Glossary Readers

App Service managed certificates are valuable when a small team needs reliable HTTPS without running a certificate program.

Case study 02

Hotel booking platform inventories risky hostnames

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A hospitality software company hosted hundreds of small customer booking portals on App Service. Support found several custom domains still using old certificates after hotel rebrands.

Business/Technical Objectives
  • Find every App Service custom domain without a healthy TLS binding.
  • Reduce support tickets caused by browser warnings.
  • Standardize certificate evidence across customer portals.
  • Flag domains that needed certificates beyond the managed option.
Solution Using App Service managed certificate

Operations built a CLI inventory that listed web apps, custom hostnames, SSL states, thumbprints, and expiry dates across resource groups. Straightforward customer domains were moved to App Service managed certificates after DNS validation. Portals needing wildcard coverage or centralized customer-owned certificates were flagged for Key Vault or bring-your-own certificate handling. The inventory ran nightly and posted exceptions to the service desk. Runbooks now require a hostname, DNS owner, certificate type, thumbprint, and expiry evidence before a rebranded booking portal is marked complete. Customer-success teams received the same export for renewal conversations.

Results & Business Impact
  • Browser warning tickets fell by 82 percent in two months.
  • TLS inventory time dropped from five days to forty minutes.
  • Thirty-one stale bindings were cleaned up before customer complaints.
  • Wildcard and managed-certificate cases were separated into clear support queues.
Key Takeaway for Glossary Readers

Managed certificates help most when fleet inventory identifies where they fit and where they do not.

Case study 03

B2B API provider chooses the right TLS pattern

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A B2B API provider planned to place App Service behind Front Door with private origin access. Engineers initially assumed every custom domain could use an App Service managed certificate at both the edge and origin.

Business/Technical Objectives
  • Protect public client traffic at the edge.
  • Keep origin traffic encrypted and controlled.
  • Avoid renewal surprises caused by private access design.
  • Document which certificate type belonged at each layer.
Solution Using App Service managed certificate

Architects reviewed TLS termination as part of ingress design. Front Door handled the customer-facing custom domain and certificate lifecycle, while App Service used an origin hostname and controlled access path. For internal diagnostics and fallback hostnames, the team evaluated whether App Service managed certificates were eligible or whether an uploaded certificate was required. Azure CLI checks recorded custom domain bindings, thumbprints, and HTTPS-only state before the first partner test. The design document separated edge TLS, origin TLS, DNS ownership, certificate renewal owners, and monitoring alerts.

Results & Business Impact
  • Partner API tests completed with no certificate-name mismatch errors.
  • A planned private-origin change did not break certificate renewal unexpectedly.
  • TLS design review time dropped from two weeks to four days.
  • The operations team gained separate alerts for edge and origin certificate health.
Key Takeaway for Glossary Readers

App Service managed certificates are part of the ingress design, not a substitute for choosing the right TLS boundary.

Why use Azure CLI for this?

As an Azure engineer, I use Azure CLI for App Service managed certificate work because certificate health is a fleet problem. The portal is fine for one app, but CLI can inventory custom hostnames, TLS bindings, managed certificates, HTTPS-only state, and expired or near-expiry certificates across resource groups. It also lets me prove DNS and binding state before a go-live. During an outage, CLI output quickly shows whether the app has the hostname, whether a binding exists, which thumbprint is active, and whether automation changed settings after the last successful renewal. The same command can be scheduled, reviewed, and compared across every app.

CLI use cases

  • List web app hostnames and SSL states to find domains missing a valid binding.
  • Create or inspect managed certificates and record thumbprints for change evidence.
  • Bind a certificate to a custom hostname after DNS validation has completed.
  • Check HTTPS-only settings and TLS minimum version across a fleet of App Service apps.
  • Export certificate expiry and hostname coverage for renewal monitoring and security review.

Before you run CLI

  • Confirm the app name, resource group, subscription, custom hostname, and DNS owner before creating or binding a certificate.
  • Verify the hostname is already mapped and validated in App Service; certificate creation cannot fix incorrect DNS.
  • Review eligibility limits, private access restrictions, Traffic Manager patterns, and whether a managed certificate fits the architecture.
  • Treat binding changes as production-impacting because a wrong hostname or thumbprint can break HTTPS immediately.
  • Use read-only webapp show and hostname commands before create, bind, delete, or certificate rotation commands.

What output tells you

  • hostNameSslStates shows which custom hostnames have bindings and whether SSL state is enabled.
  • thumbprint identifies the active certificate and helps compare portal, CLI, and change-record evidence.
  • expirationDate or related certificate fields show whether renewal monitoring needs urgent attention.
  • hostNames and custom domain validation output reveal whether App Service recognizes the DNS name.
  • HTTPS-only and minimum TLS fields show whether the app actually forces encrypted traffic after binding.

Mapped Azure CLI commands

App Service managed certificate CLI commands

direct-or-adjacent
az webapp show --name <app-name> --resource-group <resource-group> --query "{hostNames:hostNames,hostNameSslStates:hostNameSslStates,httpsOnly:httpsOnly}"
az webappdiscoverApp Hosting
read-only Microsoft docs
az webapp config hostname list --webapp-name <app-name> --resource-group <resource-group>
az webapp config hostnamediscoverWeb
read-only Microsoft docs
az webapp config ssl list --resource-group <resource-group> --query "[].{name:name,subjectName:subjectName,thumbprint:thumbprint,expirationDate:expirationDate}"
az webapp config ssldiscoverApp Hosting
read-only Microsoft docs
az webapp config ssl create --name <app-name> --resource-group <resource-group> --hostname <custom-domain>
az webapp config sslprovisionApp Hosting
mutating Microsoft docs
az webapp config ssl bind --name <app-name> --resource-group <resource-group> --certificate-thumbprint <thumbprint> --ssl-type SNI
az webapp config ssloperateApp Hosting
mutating Microsoft docs

Architecture context

In architecture reviews, I decide whether an App Service managed certificate is enough or whether the platform needs a stronger certificate pattern. Managed certificates work well for many public custom domains on individual apps. They are less ideal when teams need wildcard certificates, exportable private keys, centralized Key Vault lifecycle, complex edge routing, or strict private-only validation paths. I also check whether Front Door terminates TLS before App Service, whether the origin hostname must still be protected, and who owns DNS. The certificate choice belongs with ingress design, not as a last-minute portal step. I record that decision in the ingress design before production DNS changes.

Security

Security impact is direct because the certificate protects HTTPS traffic for a custom domain and reduces manual private-key handling. A managed certificate cannot be downloaded for application code, which can reduce secret sprawl. Still, teams must enforce HTTPS, use current TLS settings, validate custom domain ownership, restrict who can add bindings, and monitor unexpected hostname changes. DNS takeover risks remain if stale records point to deallocated apps. For sensitive systems, review whether managed certificates satisfy compliance needs or whether Key Vault-backed certificates, private endpoints, Front Door, or WAF integration are required. Certificate changes should be reviewed with the same care as public endpoint changes.

Cost

The certificate itself is free, but the surrounding architecture is not. Costs can come from the App Service Plan, custom domain registration, DNS hosting, Front Door or Application Gateway, WAF, monitoring, and operational work. A managed certificate can reduce renewal labor and avoid paid certificate purchases for simple domains. However, if the workload requires wildcard coverage, centralized certificate governance, private-key export, or edge termination, a paid certificate or Key Vault-backed pattern may be more cost-effective operationally. The cheapest certificate option is not cheapest if it causes renewal failures or emergency migration. Good fit analysis saves both certificate spend and after-hours incident labor.

Reliability

Reliability depends on successful renewal, valid DNS, correct custom domain mapping, and a TLS binding that stays attached. If validation requirements fail, a managed certificate can stop renewing and the next symptom may be browser errors. Operators should monitor expiration, binding status, DNS records, and platform notifications. Deployment slots, app moves, access restrictions, and traffic-manager patterns need extra review because they can change how the domain is validated or reached. Reliable TLS operations include renewal checks before freeze periods and documented fallback to an uploaded or Key Vault certificate. Synthetic HTTPS checks should fail loudly before customers report certificate warnings.

Performance

Performance impact is mostly about connection success and TLS termination rather than application throughput. A valid managed certificate lets clients establish HTTPS sessions without warnings, while an expired or missing binding creates immediate failures. TLS handshake performance depends on App Service, client behavior, routing path, and any edge service such as Front Door. Managed certificates do not optimize application code, cold start, or backend latency. Operators should measure end-to-end response time after binding changes, confirm redirects to HTTPS, and watch failed handshakes, browser errors, and synthetic availability tests. Certificate checks should be part of availability testing, not a separate afterthought.

Operations

Operators manage App Service managed certificates by verifying custom domains, creating certificates, binding them with SNI SSL, enforcing HTTPS, monitoring expiry, and reviewing failed renewal notices. Common work includes listing hostnames, checking DNS records, confirming thumbprints, replacing invalid bindings, and deciding when to use bring-your-own certificates instead. Runbooks should include app name, resource group, hostname, DNS owner, binding type, certificate thumbprint, expiry date, and escalation path. Fleet operations should inventory all App Service apps because one forgotten test app can still expose a public hostname. The practical goal is boring certificate renewals and no surprise browser warnings. Keep the DNS owner visible.

Common mistakes

  • Assuming the managed certificate secures a custom domain before a TLS binding has been created.
  • Creating restrictive private access patterns that later prevent certificate validation or renewal from succeeding.
  • Using managed certificates where a wildcard, exportable private key, Key Vault lifecycle, or edge certificate is required.
  • Leaving stale DNS records after deleting or renaming an App Service app, creating hostname takeover risk.
  • Monitoring only application health and missing certificate expiration, failed renewal, or hostname binding drift.