Preparing for Industry-wide TLS Certificate Changes in Azure App Service (2026 Update)
YutangLin explains how upcoming industry-wide requirements will impact TLS certificate issuance and management in Azure App Service, including steps administrators should take to maintain compliance and service reliability.
Executive Summary
Beginning in early 2026, the CA/B Forum and major browser vendors will enforce new standards for TLS/SSL certificate issuance and validation. Azure App Service will align with these changes for both App Service Managed Certificates (ASMC, DigiCert-issued, free) and App Service Certificates (ASC, GoDaddy-issued, paid).
Who Should Read This?
- App Service administrators
- Security and compliance teams
- Anyone managing TLS certificates in Azure
Quick Reference: What’s Changing & Required Actions
| Topic | ASMC (Managed, free) | ASC (GoDaddy, paid) | Required Action |
|---|---|---|---|
| New Cert Chain | New chain (no action unless pinned) | New chain (no action unless pinned) | Remove certificate pinning if used |
| Client Auth EKU | Not supported (no action unless cert used for mTLS) | Same | Transition from mTLS before cut-off |
| Validity | No change (already compliant) | Two overlapping certs per year | No action (automatic process) |
No action is required for most users. Only those who pin certificates or use them for mTLS (client authentication EKU) must act.
Timeline of Key Dates
| Date | What Changes | Action Needed |
|---|---|---|
| Mid-Jan 2026+ | ASMC migrates to new chain; no client auth EKU | Remove certificate pinning; migrate from mTLS authentication if used |
| Mar 2026+ | ASC validity shortened; migrates to new chain; no client auth EKU | Remove certificate pinning; migrate from mTLS authentication if used |
Actions Checklist
For All Users
- Review usage of App Service certificates.
- If you don’t pin certificates or use them for mTLS, you don’t need to act.
If You Pin Certificates (ASMC or ASC)
- Remove all pinning before the respective change dates to avoid disruptions.
- Reference: Azure App Service Best Practices – Certificate pinning
If You Use Certificates for Client Authentication (mTLS)
- Switch to another authentication method before the change dates, since client authentication EKU will no longer be supported.
Details & Rationale
Why Are These Changes Happening?
Industry and browser mandates require changes to certificate chains to improve trust and security. These changes apply across all certificate authorities.
What’s Changing?
1. New Certificate Chain
- All certificates issued on Azure App Service will come from new chains to maintain browser trust.
- Impact: Remove any pinning, or risk disruption of your apps.
2. Removal of Client Authentication EKU
- New certificates won’t support the client authentication EKU. If you rely on these certificates for mTLS, you must migrate to another authentication method.
- Driven by Chrome’s root program and broader industry policies.
3. Shortened Certificate Validity
- Maximum validity will be 200 days. ASMC is already compliant; ASC will auto-issue two overlapping certificates per paid year.
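To inventory which current certificates are affected by changes 2 and 3, the following added example (not part of the original post or of Microsoft's tooling) reads a PEM certificate with openssl, reports whether it carries the client authentication EKU and whether its validity exceeds 200 days, and prints its SHA-256 fingerprint to search for in pinning configuration. It assumes openssl 1.1.1 or later and GNU date; the function names and the self-signed sample certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a PEM certificate for the changes described above.
# Assumes openssl >= 1.1.1 and GNU date; function names are illustrative.

MAX_DAYS=200   # maximum validity stated on this page

# True if the cert carries the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2; openssl prints "TLS Web Client Authentication").
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Whole days between notBefore and notAfter.
validity_days() {
  local nb na
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# SHA-256 fingerprint as lowercase hex, for searching app settings and
# client code for a pinned leaf certificate.
pin_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Print findings; return 1 if anything needs follow-up before the cut-off.
audit_cert() {
  local cert=$1 rc=0 days
  days=$(validity_days "$cert")
  if has_client_auth_eku "$cert"; then
    echo "FINDING: clientAuth EKU present; check whether it is used for mTLS"; rc=1
  fi
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "FINDING: validity ${days}d exceeds ${MAX_DAYS}d"; rc=1
  fi
  echo "INFO: search configuration for pinned SHA-256 $(pin_fingerprint "$cert")"
  return "$rc"
}

# Constructed sample input: self-signed, serverAuth+clientAuth, 365 days.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 365 -subj "/CN=sample.example" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/sample.pem" && audit_cert "$tmp/sample.pem" || true
```

Call audit_cert with the path to a PEM copy of each certificate you manage; a return status of 1 marks one to review.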
FAQ
- Will I lose coverage because of the shorter validity? No. ASC will issue two certificates to cover your purchased term.
- Do these changes apply only to DigiCert and GoDaddy? No. These changes are industry-wide.
- Are other CAs affected? Yes. Ask your CA for details.
- Do I need to act today? No action is needed if you don’t pin certificates or use them for mTLS.
Glossary
- ASMC: App Service Managed Certificate (free, DigiCert)
- ASC: App Service Certificate (paid, GoDaddy)
- EKU: Extended Key Usage
- mTLS: Mutual TLS (client certificate authentication)
- CA/B Forum: Certification Authority/Browser Forum
Additional Resources
- Azure Security Fundamentals: Managed TLS
- Azure App Service Best Practices – Certificate pinning
- Set Up TLS Mutual Authentication
- DigiCert Root and CA Updates
Feedback & Support
If you have questions, visit Microsoft’s official support channels or Microsoft Q&A.
This post appeared first on “Microsoft Tech Community”.