@Anmolgan81, Thanks for bringing this to our attention. Your questions have been shared with the content owner for further review.

@Anmolgan81 - the limitations for certificates are described in the App Service limitations section.

First move the web apps, then move the App Service certificate. You shouldn't need to delete the App Service certificate.

Any uploaded certificates need to deleted and then uploaded to the moved web app.

I haven't tested this, but it looks like the Key Vault needs to be in the same subscription as the web app.

His there anyway to do a poc?

Get Outlook for iOShttps://aka.ms/o0ukef

From: Tom FitzMacken notifications@github.com
Sent: Friday, May 11, 2018 3:09:07 AM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

@Anmolgan81https://github.com/Anmolgan81 - the limitations for certificates are described in the App Service limitationshttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#app-service-limitations section.

First move the web apps, then move the App Service certificate. You shouldn't need to delete the App Service certificate.

Any uploaded certificates need to deleted and then uploaded to the moved web app.

I haven't tested this, but it looks like the Key Vault needs to be in the same subscription as the web app.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-388194331, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKpycmm9GXE5jm7n-D77nfSdsKHpSfks5txLN7gaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

What do you mean by poc?

I just want to make sure everything goes right, thats why I want to check this myself first. Does this possible.

Get Outlook for iOShttps://aka.ms/o0ukef

From: Tom FitzMacken notifications@github.com
Sent: Friday, May 11, 2018 8:48:12 PM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

What do you mean by poc?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-388395152, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKp3XnAFKvin2fczPeG8ZGuBdbHobgks5txau0gaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

Yes, I would highly recommend creating an environment that duplicates what you are trying to move, and then testing the move.

please-close

But How could I test this out are duplicate certificate is possible to make ??

Get Outlook for iOShttps://aka.ms/o0ukef

From: Tom FitzMacken notifications@github.com
Sent: Wednesday, May 16, 2018 12:23:07 AM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

Yes, I would highly recommend creating an environment that duplicates what you are trying to move, and then testing the move.

please-close

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-389274870, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKpzXBxwQ7rYy5Wl_4s4Odo8sTiTsmks5tyyQTgaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

Your best options are to either work directly with Azure Support, or look at the App Service Certificate documentation. I see that you can create a local copy of the certificate but I am not familiar enough with App Service Certificates to tell you how that copy can be used.

@Anmolgan81 if you do not have an Azure support contract, my team is able to setup a one-time support request for this specific issue. Let me know if this is needed and I will work with you offline to get this in front of our support team.

@femsulu, I just want to perform a POC on moving an App service certificate linked with the webapps and uploaded app certificate also linked with the web app across the subscription, if you can post some screenshots when you performed or either post me a screen video performing this will be helpfull. Or if you want me to have a quick meeting with you where you can show me this, it will benefit me as well!

@Anmolgan81, I am yet to test this scenario but will try in my test environment and update you in the next 24 hours.

Sure do let me know how did it go.

Regards,
[1512717838432_download.png]

Anmol Ganju | IFI Technologies
Mobile: +91-90-826-13399
Email: anmol.[email protected]anmol.ganju@ifi.tech| http://ifi.techhttp://ifi.tech/

From: femsulu-MSFT notifications@github.com
Sent: 17 May 2018 13:40:43
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

@Anmolgan81https://github.com/Anmolgan81, I am yet to test this scenario but will try in my test environment and update you in the next 24 hours.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-389782480, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKpxTS_L_IJu2dt1k5k36ZxDwvSFs2ks5tzTCDgaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

@Anmolgan81 You will need to delete the binding and delete the app service certificate from any applications that are in use. 3rd party certificates also need to have their bindings and certificates deleted from the app as well.

Delete the binding:

Then delete the certificate from the web app:

In regards to the move, you must move all web apps that are contained within the App Service Plan.

1. Select all Web Apps that are running on the App Service Plan
2. Select the App Service Plan
3. Select Microsoft.web/certificates
4. Select Key vault
5. Select App Service Certificate

Please make sure you have copies of your 3rd party certificates ready to upload for when the move completes.

Also, please note that the move is validated before you start it. If there are any issues, the validation will fail and your resources will stay in place. You can then review the error and make any adjustments as necessary and retry the move.

@Anmolgan81, Hope @BryanTrach-MSFT 's steps was helpful. Don't hesitate to ping if you have any questions. We will now close this issue.

So the binding of app service certificate will also needed to be removed?
Get Outlook for iOShttps://aka.ms/o0ukef

From: femsulu-MSFT notifications@github.com
Sent: Friday, May 18, 2018 6:24:31 AM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

Closed #8390https://github.com/MicrosoftDocs/azure-docs/issues/8390.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#event-1633257506, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKp816n122yr6zIkGqYyi9dawWJcfHks5tzhvHgaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

Hi @femsulu

I just have 1 question, suppose that the binding of the app service certificate is present inside of the web app then that also needs to be removed in order to move?? or we can move the app service with that binding??

Or if we delete the binding does that also deletes the app service certificate???

Please clarify on this.

Hi @femsulu
Can anyone clarify for my query above on this?? or should I raise a new issue query for this??

@Anmolgan81 You will need to delete both the binding and the certificate stored in the web app. The app service certificate does not need to be deleted from the subscription, just the web app.

@BryanTrach-MSFT

I think you didnt get my question.

I am not talking about the app service certificate to be deleted, Am talking about the thumbprint of the app service certificate that is linked inside the private certificate of the webapp, then that also needed to be deleted??

@BryanTrach-MSFT @femsulu @tfitzmac
If you can provide an answer to my post above it will be really helpful, I don't want to get hit by any roadblocks when performing migration, and that will increase the downtime in figuring out the issue to the problem, I request you to provide me with a valid confirm procedure so that I can execute and get it over with as well.

@Anmolgan81 We shared with you the step by step process including screenshots on how to perform the process. It's not clear what your question specifically is about. We've updated our process to use verbage that better aligns with the portal so hopefully it's a little more clear. If you still have questions about the below process, please quote the specific step that you have questions on.

You will need to delete the binding and delete the associated private certificate from any web applications that are in use. 3rd party certificates also need to have their bindings and certificates deleted from the app as well.

Delete the binding:

Then delete the private certificate from the web app:

In regards to the move, you must move all web apps that are contained within the App Service Plan.

1. Select all Web Apps that are running on the App Service Plan
2. Select the App Service Plan
3. Select Microsoft.web/certificates
4. Select Key vault
5. Select App Service Certificate

Please make sure you have copies of your 3rd party certificates ready to upload for when the move completes.
Also, please note that the move is validated before you start it. If there are any issues, the validation will fail and your resources will stay in place. You can then review the error and make any adjustments as necessary and retry the move. This should prevent you from running into any roadblocks and minimize your downtime.

Can you tell me what do you mean by step 3 Select Microsoft.web/certificates

What certificates needed to be selected in this case??

Get Outlook for iOShttps://aka.ms/o0ukef

From: Bryan Trach notifications@github.com
Sent: Thursday, June 21, 2018 2:08:38 AM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

@Anmolgan81https://github.com/Anmolgan81 We shared with you the step by step process including screenshots on how to perform the process. It's not clear what your question specifically is about. We've updated our process to use verbage that better aligns with the portal so hopefully it's a little more clear. If you still have questions about the below process, please quote the specific step that you have questions on.

You will need to delete the binding and delete the associated private certificate from any web applications that are in use. 3rd party certificates also need to have their bindings and certificates deleted from the app as well.

Delete the binding:
[image]https://user-images.githubusercontent.com/20250350/41683113-94d2fe16-748e-11e8-852a-15595d044250.png

Then delete the private certificate from the web app:
[image]https://user-images.githubusercontent.com/20250350/41683146-aefce77a-748e-11e8-8989-a9571597f7ae.png

In regards to the move, you must move all web apps that are contained within the App Service Plan.

1. Select all Web Apps that are running on the App Service Plan
2. Select the App Service Plan
3. Select Microsoft.web/certificates
4. Select Key vault
5. Select App Service Certificate

Please make sure you have copies of your 3rd party certificates ready to upload for when the move completes.
Also, please note that the move is validated before you start it. If there are any issues, the validation will fail and your resources will stay in place. You can then review the error and make any adjustments as necessary and retry the move. This should prevent you from running into any roadblocks and minimize your downtime.

[image]https://user-images.githubusercontent.com/20250350/41683222-dbd498e2-748e-11e8-9ff0-b4dc89a2c02c.png

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-398888615, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKp5aFG_Ihx1NZkklSnODk-BQqyg2Aks5t-rLOgaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

Microsoft.web/certificates is the resource type for 3rd party certificates.

@tfitzmac You havent responded to the full question that I have asked.

Do the app services move if we move it with the binding of APP SERVICE CERTIFICATE??

Please provide the answer to above.

@tfitzmac deleting the app service certificate from the webapps does not delete the app service certificate right??

@tfitzmac @BryanTrach-MSFT Thanks for all your help but i never deleted any certificate except the private ones, and moved all the webapps without moving the app service certificate, and at last I moved the app service certificate and everything was working good, just have to upload the private certificate, just writing this if it can help anyone viewing this post.

@Anmolgan81 No, the move will fail if you try to move a web app that contains a binding. You'll need to remove the binding first.

@BryanTrach-MSFT
I have performed the move operation with the binding and it passes the validation with the binding so am not sure what you are talking about.

I do not have screenshots of this if I did I would have posted here as well. But thats the only method I followed in order to get everything working.
Get Outlook for iOShttps://aka.ms/o0ukef

From: Bryan Trach notifications@github.com
Sent: Wednesday, June 27, 2018 5:44:59 AM
To: MicrosoftDocs/azure-docs
Cc: Anmol Ganju; Mention
Subject: Re: [MicrosoftDocs/azure-docs] How to move App Service Certificate? (#8390)

@Anmolgan81https://github.com/Anmolgan81 No, the move will fail if you try to move a web app that contains a binding. You'll need to remove the binding first.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/8390#issuecomment-400502405, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AhHKpwPVUP8eg2DZSqU2a4Nr182rgCGeks5uAs6DgaJpZM4T5xDJ.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. IFI Technologies: www.ifi.tech

@BryanTrach-MSFT I'm having a problem with enabling the SSL binding for my web app.

Could you please see the below link
https://stackoverflow.com/questions/53094316/azure-no-certificates-match-the-selected-hostname-even-it-has-the-certificate

I've purchased the SSL Certificate from GoDaddy (3rd part).

My question is
Do I need to export the certificate before moving my WebApp, then upload it manually after moving the web app?

@jayendranarumugam If you purchased the cert directly from GoDaddy, you will need to delete the SSL binding AND delete the certificate.

Under the SSL settings blade, you'll need to delete all SSL bindings. Then you'll need to go under the private certificates tab and delete all certificates from the web app. Please ensure that you have a copy of your cert in .pfx format to upload after the move is complete.

Once the above items are met, you should be able to move your app and then upload the SSL cert under the private certs tab. You may need to close and reopen your browser as the SSL settings blade leverages a large amount of browser cache. From here, proceed with creating the SSL binding.

@jayendranarumugam Please note that the above thread is about App Service Certs, which have different requirements than 3rd party certs. My most recent reply to you should allow you to move your site if you're using a 3rd party cert.

@BryanTrach-MSFT Thanks for your quick response

@BryanTrach-MSFT Another question from your response that is "How can we export that cert in .pfx. Is there is any PowerShell scripts? Or this can be done within the GoDaddy site?

@jayendranarumugam I believe that GoDaddy provides the SSL cert in the .crt file format. There are a couple of methods out there that allow you to convert a .crt file to a .pfx file. You can attempt to load the cert into IIS on Windows Server and then export the cert from IIS as a .pfx.

There are also tools such as DigiCert's tool. Please note this is a 3rd party tool. https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm

@BryanTrach-MSFT I've tried both way, but got failed, the reason is the .crt doesn't contain any private key associated with it. Do you know how can I proceed with?

@jayendranarumugam I am sorry to hear that you are encountering these errors. Since the methods I have suggested haven't worked for you, I would suggest you reach out to GoDaddy support and they should be able to assist you with converting their cert from .crt to .pfx.

If you need assistance once you have the .pfx file, please reply back with your concerns.

so im running into an issue with this. i just read through this thread and found a TON of false information.

For instance:
@tfitzmac
"Microsoft.web/certificates is the resource type for 3rd party certificates."

not always true: if you have an app service certificate wildcard and assign a cname and name to an app service - you get a resource of this type that is ABSOLUTELY a microsoft resource and will block these moves.

Very confusing.

i resolved my issue - so im not going to go bonkers with this.

Apologies for necroing this issue, but this is an absurd limitation. Moving something on the control plane should not affect the data plane, and vice versa. Removing SSL bindings on a web app essentially breaks it. For a large number of web apps hosted on the same app service plan, you may be looking at hours of downtime while the apps a migrated to a different resource group, and then re-establishing SSL bindings afterwards.

What is the reason for this limitation?

I know this isn't exactly the original issue - but I just did the following QA test successfully:

• Move Windows appservice plan + 2 app services + pfx DigiCert certificate to another subscription.
• Create new appservice plan into the same rg as the resources you just moved.
• Move the two app services to the new plan
• Restart the apps for good measure

Custom domains are still working.

To and from

            "type": "Microsoft.Web/sites",
            "apiVersion": "2018-11-01",

            "type": "Microsoft.Web/serverfarms",
            "apiVersion": "2018-02-01",