
I have a weird situation going on in an Azure web app. I have multiple subscriptions. In my development subscription in Azure, I have deployed the same web app and renewed the certificate manually in the web app.

When I go to ssllabs to check my certificate chain it is showing that the certificate in path 1 and path 2 is correct and send by server.

The same steps for renewing the certificate in my test subscription and the same web application (same size, etc. and deployment) give the warning "extra download" in Path 2 for the Sectigo root certificate. Creating the web app manually and attaching the certificate gives the same result.

Two identical web apps. Two identical certificates (I am using a wildcard certificate). The import of the certificate is done without issues.

I am not sure if this question belongs here, but I have no idea where to look. I created the pfx file multiple times with the intermediate certificates and did a new import of the certificate, but in the test subscription it is not importing everything from the certificate, and in the development subscription it does (at least it looks like it does).

I am not using an azure gateway for this application.

  • Rebuild your PFX file to include the full certificate chain (leaf + intermediates) before uploading to Azure Web App. Commented Jun 16 at 11:51
  • @dasari-kamali hello, yes we did that. It is a very strange situation in my opinion. I did an import of the newly built certificate in the development subscription and it was showing the correct chain. When I import the same certificate in the test subscription it says "extra download" in path 2, which means that it is missing in the chain. I did a test in the production subscription (just now) and there it works also :) Very strange situation. Commented Jun 16 at 11:58

1 Answer

The issue here is not with the certificate itself but with how Azure App Service delivers the certificate chain in your Test subscription. When SSL Labs shows “extra download” in Path 2, it means the server is not sending the complete chain to clients, which can lead to SSL warnings or failures in some browsers or devices.

Even if the same .pfx file works in Development and Production, Azure App Service behavior can differ slightly across subscriptions or regions due to differences in platform infrastructure. Azure does not automatically complete or correct the certificate chain — it only serves what’s included in the .pfx file.

To resolve this:

Go to Azure Portal > App Services > [your Test web app] > TLS/SSL settings > Private Key Certificates (.pfx)
Delete the currently uploaded certificate
Re-upload the .pfx file, ensuring it includes the complete certificate chain (wildcard certificate + intermediate certificates)
Then go to Custom Domains > select your domain > reapply the SSL binding by selecting the newly uploaded certificate
Restart the web app via Overview > Restart

To confirm the .pfx file includes everything, you can recreate it using OpenSSL:

openssl pkcs12 -export -out fullchain.pfx -inkey your-domain.key -in your-domain.crt -certfile CA-bundle.crt
  • your-domain.key = your private key
  • your-domain.crt = your wildcard certificate
  • CA-bundle.crt = must include all intermediate certificates in the correct order (from the CA)

If the issue still appears in SSL Labs after following the above steps, try creating a new App Service in the same subscription and region, upload the same .pfx, and bind it.
If the SSL chain works properly in the new app, then the problem is tied to the original app’s configuration or how it processed the certificate during the first import.

Reference:

Bind a certificate to your custom domain – Azure App Service

Optional: In the Azure Portal, you can view and manage the certificate from:
TLS/SSL Settings > Private Key Certificates (.pfx)
And update your domain binding under:
Custom Domains > SSL bindings

This process ensures Azure serves the full certificate chain and removes the "extra download" warning in most SSL validation tools.

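The answer's openssl command builds the PFX but does not show how to prove what ended up inside it, which is exactly the doubt in the question ("it is not importing everything from the certificate"). The script below is an added example, not part of the answer or of any Azure tooling: it builds a constructed root -> intermediate -> wildcard chain for *.example.com with a throwaway CA, packages the leaf with and without the intermediate bundle, and then reads the PFX back to count the certificates and verify the path. The file names mirror the answer (your-domain.key, your-domain.crt, CA-bundle.crt); the password "changeit", the CA names and the helper names are assumptions. check_served_chain is the same count taken from what a live server actually sends, which is what SSL Labs reports as "extra download" when it comes back as 1.

```shell
#!/bin/sh
# Added example: build a full-chain PFX and verify its contents before uploading
# it to App Service. All material here is constructed with a throwaway CA;
# replace the key, wildcard cert and CA-bundle with the ones from your issuer.
set -eu

# Create a constructed root -> intermediate -> wildcard leaf chain in $1.
build_test_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Constructed Test Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Constructed Test Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -days 365 -in "$dir/int.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/your-domain.key" -out "$dir/leaf.csr" \
        -subj "/CN=*.example.com" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/leaf.csr" \
        -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -out "$dir/your-domain.crt" 2>/dev/null
    # CA-bundle.crt = the intermediates, leaf-nearest first; the root may be omitted.
    cp "$dir/int.crt" "$dir/CA-bundle.crt"
}

# build_pfx OUT KEY CRT [BUNDLE] [PASSWORD]: the answer's command, with the
# -certfile bundle made optional so the incomplete case can be shown too.
build_pfx() {
    out=$1; key=$2; crt=$3; bundle=${4:-}; pass=${5:-changeit}
    if [ -n "$bundle" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -certfile "$bundle" -passout "pass:$pass"
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -passout "pass:$pass"
    fi
}

# count_pfx_certs PFX PASSWORD: how many certificates the PFX really carries.
# 1 means leaf only, which is what produces "extra download" after upload.
count_pfx_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# verify_pfx_chain PFX PASSWORD [ROOT]: extract the leaf and the CA certs from
# the PFX and check that they alone form a valid path to the trusted root.
# With no ROOT argument the system trust store is used, as for a real cert.
verify_pfx_chain() {
    pfx=$1; pass=$2; root=${3:-}
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" \
        -out "$tmp/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$pfx" -nokeys -cacerts -passin "pass:$pass" \
        -out "$tmp/cacerts.pem" 2>/dev/null
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/cacerts.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -untrusted "$tmp/cacerts.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    fi
}

# check_served_chain HOST: count the certificates the live server sends in the
# TLS handshake; 1 means only the leaf (the SSL Labs "extra download" case).
check_served_chain() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    work=$(mktemp -d)
    build_test_chain "$work"
    build_pfx "$work/fullchain.pfx" "$work/your-domain.key" "$work/your-domain.crt" \
        "$work/CA-bundle.crt" changeit
    build_pfx "$work/leafonly.pfx" "$work/your-domain.key" "$work/your-domain.crt" "" changeit
    echo "fullchain.pfx certificates: $(count_pfx_certs "$work/fullchain.pfx" changeit)"
    echo "leafonly.pfx certificates:  $(count_pfx_certs "$work/leafonly.pfx" changeit)"
    if verify_pfx_chain "$work/fullchain.pfx" changeit "$work/root.crt"; then
        echo "fullchain.pfx: path to root verified, safe to upload"
    fi
    if ! verify_pfx_chain "$work/leafonly.pfx" changeit "$work/root.crt"; then
        echo "leafonly.pfx: no path to root, clients will need an extra download"
    fi
}

main
```

Run count_pfx_certs and verify_pfx_chain against your real fullchain.pfx before uploading it; if both look right locally and SSL Labs still reports "extra download" after the re-bind, the gap is on the App Service side rather than in the file, which is the distinction the rest of this thread is about.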

2 Comments

Thank you for your detailed answer. I already did all those steps. Unfortunately, none of them fixed the issue. It looks like some "caching" in Azure or something else.
Try scaling the App Service Plan up one tier and then back down to force a new worker stamp (which clears cached SSL bindings). Alternatively, move the web app into a fresh App Service Plan in the same region and reapply the certificate to reset the backend cache.
