Azure App Service customers are facing important TLS certificate changes in early 2026 as industry-wide rules from browser vendors and the CA/Browser Forum take effect, and Microsoft has outlined how this will impact both free and paid Azure App Service certificates. Most tenants will not need to take any action, but administrators who pin certificates or use them for mutual TLS (mTLS) must make changes before the new chains and policies roll out to avoid outages.
What’s happening to Azure App Service Certificates in early 2026
Microsoft is warning Azure App Service customers that new browser and CA/B Forum rules will change how TLS certificates are issued and how long they remain valid, starting in early 2026. These changes affect both App Service Managed Certificates (ASMC, the free DigiCert-issued option) and App Service Certificates (ASC, the paid GoDaddy-issued product), bringing them into alignment with updated industry standards.
The big drivers behind this shift are decisions from major browser programs, such as Chrome, and policy updates coming from the CA/B Forum that govern how public CAs can operate. In practice, that means new certificate chains, removal of client authentication usage from public TLS certs, and a hard cap on validity duration that all providers must follow, not just Microsoft’s partners.
Who actually needs to care
Microsoft’s guidance is clear that most customers will see these changes happen automatically, with zero downtime and no manual work required. If you simply use Azure App Service certificates for standard HTTPS on your sites and APIs and you do not pin certificates and do not use them for client authentication, you are in the “no action required” group.
The people who absolutely must pay attention are:
- App Service administrators who pin TLS certificates or chains in code, configuration, reverse proxies, or clients.
- Security and compliance teams who have implemented strict TLS pinning as part of their controls.
- Teams who currently use App Service certificates for mutual TLS (mTLS) and rely on the client authentication EKU for that purpose.
If you fall into any of those categories, you need a concrete plan before the new chains and policies land in 2026.
Pertinent technical changes: chains, EKU, validity
From a technical perspective, three main changes are coming to Azure App Service certificates in 2026. Each change has a slightly different impact depending on whether you use ASMC or ASC.
First, certificates will start chaining to new intermediate and root CAs to remain trusted under updated browser root store requirements. If you have hard‑coded or pinned specific certificate chains, this will break trust unless you remove or relax those pins in advance. Microsoft recommends following its certificate pinning best practices, which emphasize avoiding strict pinning to individual leaf or intermediate certificates that are expected to rotate.
Second, newly issued certificates will no longer include the client authentication Extended Key Usage (EKU), which means they are no longer suitable as identity credentials for mTLS scenarios. This aligns with Chrome’s root program expectations that public TLS certificates should be used only for server authentication, not for client auth. If you currently use App Service certificates for mutual TLS, you must move to an alternative authentication mechanism or use a different type of certificate for client auth.
Third, the maximum validity period of publicly trusted TLS certificates is being shortened to around 200 days, in line with CA/B Forum guidance. App Service Managed Certificates are already compliant with this validity window, so nothing changes from your perspective. For paid App Service Certificates, Microsoft will automatically issue two overlapping certificates so that customers who purchased a full year of coverage still get continuous protection without gaps or extra charges.
Microsoft has provided a rough timeline so Azure customers can plan ahead and avoid last‑minute scrambles. There are two key phases: mid‑January 2026 for ASMC and March 2026 and beyond for ASC.
Starting in mid‑January 2026, App Service Managed Certificates will begin migrating to the new certificate chain and will stop supporting the client authentication EKU entirely. Any environments that pinned these free certificates or their older chains must remove pinning before this window, and any mTLS flows that depend on their client auth capabilities must be migrated to another solution.
Beginning in March 2026, App Service Certificates will follow suit: their validity will be shortened to the new maximum period, they will move to the updated chain, and they will also drop client authentication EKU support. Again, systems that pin these certificates need to remove or refactor that pinning, and any mTLS scenarios must be re‑engineered around alternate authentication mechanisms before that date.
Concrete actions for Azure admins
Microsoft has laid out a simple checklist to help organizations decide whether they need to act and what to do first. The starting point is to inventory your use of App Service certificates across environments and confirm whether they are pinned anywhere or used for client authentication.
If you confirm that there is no pinning and no use of these certs for mTLS, you are in good shape: the platform will handle the changes, and you can treat this announcement as background information. If you do find pinning, the next step is to remove hard-coded certificate or chain pinning well ahead of the change dates, replacing it with more flexible trust mechanisms like pinning to a set of public keys or relying on standard CA trust where appropriate.
For customers using App Service certificates as client certificates in mTLS setups, the guidance is to transition to an alternative authentication model. That might mean moving to private PKI‑issued client certificates that are not subject to public CA constraints, or using other identity options supported by Azure App Service’s mutual TLS configuration and Azure AD–based authentication. Microsoft’s documentation covers how to configure TLS mutual authentication on App Service and provides links to DigiCert’s own notices about the EKU change, which can help in planning.
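The inventory step above can be partly automated. The following is an added example, not Microsoft's tooling or code from the original article: it parses the text that `openssl x509 -noout -text` prints for a certificate and flags the conditions this article describes. The sample dump, the finding names, and the `used_for_mtls` / `pinned` inputs (which come from your own inventory) are assumptions made for illustration.

```python
import re
from datetime import datetime

MAX_VALIDITY_DAYS = 200  # the article's "around 200 days"; set to your CA's exact limit

# Constructed sample: trimmed `openssl x509 -noout -text` output, not a real certificate.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Mar  1 00:00:00 2025 GMT
            Not After : Mar  1 23:59:59 2026 GMT
        Subject: CN = app.example.test
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

CLIENT_AUTH = "TLS Web Client Authentication"  # openssl's display name for the clientAuth EKU


def _parse_time(text, label):
    """Extract one validity timestamp ('Not Before' / 'Not After') from the dump."""
    m = re.search(rf"{label}\s*:\s*(.+?)\s+GMT", text)
    if not m:
        raise ValueError(f"missing {label}")
    # Collapse openssl's padding ("Mar  1") before parsing.
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")


def audit_cert_text(text, used_for_mtls=False, pinned=False):
    """Return EKUs, lifetime and findings for one certificate dump."""
    days = (_parse_time(text, "Not After") - _parse_time(text, "Not Before")).days
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    usages = [u.strip() for u in eku.group(1).split(",")] if eku else []
    findings = []
    if used_for_mtls and CLIENT_AUTH in usages:
        # Works today, but reissued certificates will drop this EKU.
        findings.append("mtls-depends-on-public-clientauth-eku")
    elif used_for_mtls:
        # Already reissued without the EKU: client authentication will be rejected.
        findings.append("mtls-cert-lacks-clientauth-eku")
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity-{days}d-exceeds-{MAX_VALIDITY_DAYS}d")
    if pinned:
        findings.append("pinned-chain-will-rotate")
    return {"valid_days": days, "eku": usages, "findings": findings}
```

Any certificate that returns a finding while marked `pinned` or `used_for_mtls` belongs on the list to fix before the migration dates given above.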
Why this matters beyond Azure
Although the headline here is “Azure App Service certificates are changing,” the deeper story is that this is an industry shift, not a one‑off Microsoft decision. Google Chrome’s root store policies and CA/B Forum rules apply to all public certificate authorities, which is why DigiCert and GoDaddy are changing their issuance behavior and EKU usage in the first place.
That means organizations running workloads on other clouds or using certificates from other public CAs will likely see similar impacts, even if the exact dates and automation details differ. Microsoft explicitly recommends that customers also check with their other CAs to confirm how and when they are adopting the same validity, EKU, and chain changes. For security and compliance teams, this is a good trigger to review certificate lifecycle policies, mTLS designs, and pinning strategies across all platforms, not just Azure App Service.

