Confirming Certificate Usage and Migration Behavior in Azure Cloud Services (Extended Support)

David Snipp 0 Reputation points
2025-08-06T16:12:20.8633333+00:00

Hello,

We are using Azure Cloud Services (extended support) and would like to confirm the correct approach to continue using SSL certificates following a migration from classic cloud services.

Currently, our service is functioning using the following certificate configuration in our .cscfg file:

<Certificates>
  <Certificate name="gccert" thumbprint="24700F2264EA779CBB88C1741F9FF53B583179A6" thumbprintAlgorithm="sha1" />
  <Certificate name="gccert-intermediate" thumbprint="7EDC376DCFD45E6DDF082C160DF6AC21835B95D4" thumbprintAlgorithm="sha1" />
  <Certificate name="gccert-ca" thumbprint="B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E" thumbprintAlgorithm="sha1" />
</Certificates>

This setup is currently working in production.

However, due to the automated migration from classic cloud services to extended support, these certificates are now stored as secrets in the resource group. Because of this, the Azure portal UI does not recognize them during deployment or configuration updates, and reports that the thumbprints do not match any uploaded certificates — which prevents us from updating our service configuration.

To address this, we are preparing to upload a single .pfx file containing:

  • The leaf certificate
  • Its associated private key
  • The intermediate and root certificates bundled in the chain

We plan to reference this new certificate in our configuration like this:

ServiceConfiguration.cscfg:

<Certificates>
  <Certificate name="gccert-fullchain" thumbprint="68A051D1E85E4AEB6753D5D0CF51E808B5A61014" thumbprintAlgorithm="sha1" />
</Certificates>

Can you please confirm:

  • That this approach (uploading a .pfx with the full chain) is fully supported for Azure Cloud Services (extended support)?
  • That referencing only a single certificate in the config is sufficient for chain validation by Azure and the hosted OS?
  • That this is the recommended solution to resolve issues caused by the migrated secrets no longer being editable in the portal?

Thank you for your help.

Azure Cloud Services
An Azure platform as a service offer that is used to deploy web and cloud applications.

1 answer

  1. Sina Salam 22,806 Reputation points Volunteer Moderator
    2025-08-07T12:32:19.47+00:00

    Hello David Snipp,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to confirm certificate usage and migration behavior in Azure Cloud Services (Extended Support).

    Regarding your questions:

    Is uploading a .pfx with the full chain supported?

    Yes, uploading a single .pfx file that includes:

    • The leaf certificate
    • Its private key
    • The intermediate and root certificates bundled in the chain

    is fully supported for Azure Cloud Services (extended support).

    Is referencing only one certificate in the config sufficient for chain validation?

    Yes, referencing a single certificate in your .cscfg file is sufficient. Azure and the hosted OS will validate the full chain as long as the .pfx file contains the complete certificate chain. You do not need to separately reference intermediate or root certificates in the configuration.

    https://learn.microsoft.com/en-us/troubleshoot/azure/cloud-services/extended/availability/update-or-change-certificate-used

    Is this the recommended solution to resolve thumbprint mismatch issues post-migration?

    Yes, this is the recommended and supported solution. After migration, certificates are stored as secrets in the resource group and are no longer editable via the Azure portal UI. Uploading a new .pfx to Azure Key Vault, and referencing its thumbprint in the .cscfg file, resolves the issue of thumbprint mismatches and allows configuration updates to proceed smoothly.

    https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/certificates-and-key-vault

    The above links provide details and more insight into your questions. If you would like step-by-step instructions to configure your certificate, from preparation to deployment and monitoring, use the same links for more details.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

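A pre-deployment check for the setup discussed in this thread, as an added example that is not part of the original question or answer: it confirms that every thumbprint referenced in the .cscfg matches the leaf certificate in the .pfx, and shows which elements of the validation chain actually come from the bundle. The file names are assumptions; it needs Windows with the PKI module (`Get-PfxData`).

```powershell
# Added example, not from the thread. File names below are assumptions.
param(
    [string]$PfxPath   = '.\gccert-fullchain.pfx',
    [string]$CscfgPath = '.\ServiceConfiguration.cscfg'
)
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Get-PfxData reads the bundle without importing it into a certificate store.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

# 1. Compare each <Certificate thumbprint="..."> with the leaf's SHA-1 thumbprint.
#    Values pasted from a certificate dialog can carry spaces or invisible
#    characters, so strip everything that is not a hex digit before comparing.
[xml]$cfg = Get-Content -Raw -Path $CscfgPath
$referenced = @($cfg.ServiceConfiguration.Role.Certificates.Certificate) |
    Where-Object { $_ }
foreach ($ref in $referenced) {
    $raw        = $ref.GetAttribute('thumbprint')
    $normalised = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($normalised.Length -ne $raw.Length) {
        Write-Warning "$($ref.GetAttribute('name')): thumbprint contains non-hex characters"
    }
    '{0,-20} {1}  matches PFX leaf: {2}' -f $ref.GetAttribute('name'),
        $normalised, ($normalised -eq $leaf.Thumbprint)
}

# 2. Build the chain, offering the bundled certificates as extra candidates.
#    Revocation is skipped: this is a structural check, not a trust decision.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $pfx.OtherCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$built = $chain.Build($leaf)

# 3. A chain element that is not in the PFX was found in the local machine's
#    stores, so a freshly provisioned role instance may not have it.
$inPfx = @($leaf.Thumbprint) + @($pfx.OtherCertificates | ForEach-Object { $_.Thumbprint })
foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    '{0}  in PFX: {1}  {2}' -f $cert.Thumbprint, ($inPfx -contains $cert.Thumbprint), $cert.Subject
}
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```

A `False` in the `in PFX` column means the chain only validates because of what is installed on the machine running the check, not because of the bundle.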
