
Attempt to create App service managed certificate fails repeatedly

Joe K 20 Reputation points
2026-06-23T13:26:41.3633333+00:00

I have created a new flex consumption function app to handle traffic to deprecated application domains. In migrating these domains from other app services to this new function app, the first three domains I migrated worked flawlessly - I removed SSL bindings and custom domains from existing app service, then updated DNS and re-created custom domain and ASMC bindings on this new function app successfully. However, now on subsequent domains (I have tested 2 so far) I can move/recreate the custom domain to the new function app, but creating the new ASMC fails with the message:

"Failed to create App Service Managed Certificate for <subdomain>.<domain>.com due to error: Pending managed certificate failed: Certificate creation failed unexpectedly for canonical name <subdomain>.<domain>.com. Contact support for assistance."

Again, I have attempted this now with multiple domains over the course of 18 hours with the same resulting error.

Azure Functions

An Azure service that provides an event-driven serverless compute platform.


1 answer

  1. Rakesh Mishra 9,880 Reputation points Microsoft External Staff Moderator
    2026-06-23T14:37:10.45+00:00

    Hi @Joe K ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    It looks like you’ve run into the site-scoped certificate limit on a Flex Consumption function app. In the Flex Consumption (Linux) hosting model, all certificates you bind, including free App Service Managed Certificates (ASMC), count toward a per-app limit of three private certificates. Since you successfully created ASMCs for your first three domains, any additional ASMCs will fail with that “pending managed certificate failed unexpectedly” error once you hit the cap.

    Here’s what you can do:

    1. Clean up existing certificates
      • In the Azure portal, go to your Function App → Settings → Certificates.
      • You’ll see up to three “Private certificates” listed (this includes your ASMCs).
      • Remove any certificates you no longer need to free up slots.
    2. Recreate the ASMC
      • Once you have fewer than three private certificates, go back to Settings → Custom domains.
      • Select Add custom domain, choose App Service Managed Certificate, and bind the certificate. It should now issue successfully.
    3. Consider longer-term options
       If you need more than three managed certificates on one app, you can:
      • Consolidate subdomains under a single wildcard certificate (purchased or via a front-end like Azure Front Door).
      • Spread domains across multiple function apps.
      • Migrate to an App Service Plan where site-scoped certificate limits don’t apply.
    4. (Optional) Double-check DNS and public accessibility
      • Ensure your CNAME or A records and the “asuid” CNAME for domain validation are correct and propagated.
      • Confirm there are no IP restrictions or private endpoints blocking DigiCert’s HTTP token validation.

    Hope that helps you get past the cap and bind your next domain without a hitch!

    Note: This content was drafted with the help of an AI system.
