Hello nishino-ti,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are having an error in the Key Vault configuration for an Azure App Service certificate.
Transient Azure service errors like this typically resolve within 24-48 hours (as occurred here). For immediate needs, use third-party certificates as a workaround, but always revoke failed Azure orders to ensure refund eligibility.
Things you can do for diagnosis are the following:
- Check historical Azure status for App Service Certificates or Key Vault in your region on 2025-07-03: https://status.azure.com/status/history. You can read more here: https://learn.microsoft.com/en-us/azure/service-health/service-health-overview
- Use Activity Log search to validate certificate order metadata:
Look for statusMessage containing InternalExecutionError and check this link https://learn.microsoft.com/en-us/troubleshoot/azure/azure-resources/troubleshoot-deployment-activity-logs for more details.
```kusto
AzureActivity
| where OperationName == "Microsoft.CertificateRegistration/certificateOrders/create"
| where TimeGenerated >= datetime(2025-07-03) and TimeGenerated <= datetime(2025-07-04)
| project Status, Caller, Properties
```
- Temporary failures occur when Azure's regional service broker loses Key Vault mapping, so check for missing vault references in certificate order:
If keyVaultId or keyVaultSecretName is null during failure window > Azure bug. Check this link https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-ssl-certificates#certificate-creation-fails for more details.
```bash
az appservice certificate show --name <CertificateName> --resource-group <RG>
```
- For refund process with revocation
- You have to revoke unused certificate because it is required before refund approval:
Check this link - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#cancel-a-certificate-order for more details.
```bash
az appservice certificate delete --name <FailedCertificate> --resource-group <RG>
```
- You can request refund via Azure Support https://azure.microsoft.com/support/legal/sla/app-service/v1_5/
NOTE:
You can prevent this from happening in the future by:
- Directly import certificates to Key Vault first, then bind to App Service. This is a guide from Microsoft - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#import-a-certificate-from-key-vault
- Test certificate deployment in staging slot before production - https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
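
The two diagnosis checks in the answer above (an InternalExecutionError in the activity log inside the failure window, and a null keyVaultId or keyVaultSecretName on the certificate order) can be combined offline over exported JSON. This is an added example, not part of the original answer or Microsoft tooling; the sample data is constructed and its field layout (`properties.certificates`, `eventTimestamp`, `properties.statusMessage`) is an assumption about the exported JSON.

```python
import json
from datetime import datetime, timezone

# Constructed sample data. The field layout is an assumption about what a
# certificate-order export and an Activity Log export look like; adjust to yours.
ORDER = json.loads("""{"name": "example-order", "properties": {"certificates": {
  "example-cert": {"keyVaultId": null, "keyVaultSecretName": null}}}}""")
EVENTS = json.loads("""[
  {"eventTimestamp": "2025-07-03T04:12:09Z",
   "properties": {"statusMessage": "InternalExecutionError (constructed)"}},
  {"eventTimestamp": "2025-07-05T10:00:00Z",
   "properties": {"statusMessage": "InternalExecutionError (constructed)"}},
  {"eventTimestamp": "2025-07-03T09:30:00Z",
   "properties": {"statusMessage": "Succeeded (constructed)"}}
]""")
# Failure window taken from the Activity Log query in the answer.
START = datetime(2025, 7, 3, tzinfo=timezone.utc)
END = datetime(2025, 7, 4, tzinfo=timezone.utc)

def parse_ts(value):
    # fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def missing_vault_refs(order):
    """Names of certificates whose Key Vault id or secret name is null/empty."""
    certs = (order.get("properties") or {}).get("certificates") or {}
    return sorted(name for name, c in certs.items()
                  if not c.get("keyVaultId") or not c.get("keyVaultSecretName"))

def internal_errors(events, start, end):
    """Timestamps of InternalExecutionError events inside [start, end]."""
    hits = []
    for e in events:
        msg = (e.get("properties") or {}).get("statusMessage") or ""
        if "InternalExecutionError" in msg and start <= parse_ts(e["eventTimestamp"]) <= end:
            hits.append(e["eventTimestamp"])
    return hits

def diagnose(order, events, start=START, end=END):
    unbound = missing_vault_refs(order)
    errors = internal_errors(events, start, end)
    # Both signals together match the service-side case described in the answer.
    return {"unbound": unbound, "errors": errors,
            "service_side": bool(unbound and errors)}

if __name__ == "__main__":
    print(json.dumps(diagnose(ORDER, EVENTS), indent=2))
```
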