We are unable to persist CA Certificates in our API Management instance

Question

We are unable to persist CA Certificates in our API Management instance

Corey Stewart 0

We have attempted to upload both self-signed and publicly signed certificates under CA Certificates manually via the Azure Portal and programmatically via AZ CLI. The upload appears successful initially; however, the certificates disappear from the APIM instance within minutes after upload without visible error.

This issue is isolated to one particular instance in our Staging subscription. In contrast, our Development APIM instance (in a different subscription) accepts the same certificates without issue, and they persist as expected.

We have verified:

Certificates are properly structured (valid KeyUsage, ExtendedKeyUsage, SANs, and expiration times)

Correct password protection on PFX bundles (where applicable)

Azure Activity Logs show no failure events, only success

No relevant Resource Health warnings

Please advise on possible configuration or service issues preventing CA Certificate persistence. Both instances are using the Developer SKU.

Further details of the APIM instance with this issue:

westus2 region

Multiple APIs (Microsoft.ApiManagement/service/apis)
Backends for container app and on-premise APIs

API Version Sets for version management

Network Security Group + Private DNS Zone for Azure Container Apps integration

NAT Gateway to fix the outbound IP address

Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator

2025-04-29T04:33:32.3933333+00:00
Hi Corey Stewart,

It seems like you are facing an issue with persisting CA Certificates in your API Management (APIM) instance in a specific subscription. The certificates disappear from the APIM instance within minutes after upload without any visible error. This issue is isolated to one particular instance in your Staging subscription, while your Development APIM instance in a different subscription accepts the same certificates without any problems.

Here are some possible reasons and steps you can take to troubleshoot the issue of CA Certificate persistence in your APIM instance:

Ensure that the Key Vault where the certificates are stored is properly configured and accessible by the APIM instance. Make sure the necessary access policies are set up in the Key Vault to allow the APIM instance to retrieve the certificates.

Double-check the expiration dates of the certificates. If a certificate expires shortly after being uploaded, it may disappear from the APIM instance.

Check the Key Vault access policies to ensure that the correct permissions are granted to the APIM instance to retrieve and use the certificates.

Review the activity logs of the Key Vault to see if there are any relevant events related to the disappearance of the certificates. This may provide more insights into what is happening

Verify if there are any service limitations or restrictions in the Staging subscription that could be affecting the persistence of CA Certificates in the APIM instance

Try uploading different CA Certificates to see if the issue persists with all certificates or if it is specific to certain certificates.

For further clarification, please refer to these documents:

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates

https://stackoverflow.com/questions/68305684/how-to-manage-azure-api-management-ca-certificates-through-arm-templates

https://stackoverflow.com/questions/56110473/api-management-client-certificate-authentication-fails-when-values-are-not-hard

By following these steps, you can troubleshoot the issue of CA Certificate persistence in your APIM instance and hopefully resolve the issue. If you need further assistance, feel free to provide more details for additional help.
Corey Stewart 0 Reputation points

2025-04-29T14:45:21.1733333+00:00

We recreated the resources, and it works fine now. The main issue, is that the cert will dissappear and leave no errors or warnings, as I said. This only happens on one instance and not another with multiple certs.
Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator

2025-05-02T04:04:02.8933333+00:00

Hello Corey Stewart,

Following up to see if you have a chance to check my previous response and helped do let me know if you have any further questions on this.
Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator

2025-05-05T04:19:25.87+00:00

Hello Corey Stewart,

Just checking in to see if the issue resolved. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Corey Stewart 0 Reputation points

2025-04-29T14:45:21.1733333+00:00

We recreated the resources, and it works fine now. The main issue, is that the cert will dissappear and leave no errors or warnings, as I said. This only happens on one instance and not another with multiple certs.
Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator

2025-05-02T04:04:02.8933333+00:00

Hello Corey Stewart,

Following up to see if you have a chance to check my previous response and helped do let me know if you have any further questions on this.
Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator

2025-05-05T04:19:25.87+00:00

Hello Corey Stewart,

Just checking in to see if the issue resolved. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hi Corey Stewart,

Thanks for the update. Glad to hear that recreating the resources resolved the issue.

It seems that the issue with CA Certificates disappearing without errors in your API Management instance may have been related to the specific configuration or state of that instance. Since recreating the resources resolved the problem, it suggests that there may have been an underlying issue with the previous configuration.

For future reference, if similar issues arise, consider checking the following:

Ensure all configurations are correct and consistent across instances.
Monitor Azure Activity Logs for any hidden errors or warnings.
Validate that the Key Vault permissions and access policies are correctly set.

If the problem reoccurs, further investigation into the specific instance's settings and configurations may be necessary.

Share via

We are unable to persist CA Certificates in our API Management instance

1 answer

Your answer