Fix AppGateway Backend Health Root Certificate does not match Trusted Root Certificate

Question

Fix AppGateway Backend Health Root Certificate does not match Trusted Root Certificate

Justin 20

Backend Health Status: Unhealthy

Message: The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend

State:
In BackendSettings, "certificate is issued by a well-known CA" is set to "No" and the root certificate of the certificate chain is uploaded. The .cer-file was created by logging into the server and using the copy-to-file functionality applied to the root certificate as outlined in this article:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking#trusted-root-certificate-mismatch-root-certificate-is-available-on-the-backend-server

In the Listener, the leaf/server certificate is uploaded which works which I tested by using the browser to navigate to the url I specified and checking the certificate.

In the Probe, the BackendSettings are referenced containing the root cert.

On the server, the three certificates (server, intermediate, root) are installed and in the appropriate locations (Personal, Intermediate CA, Trusted Root CA). Also, in the IIS Manager, the Default Website is configured using the server certificate.

Note:
First I closesly followed this article: https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking
But the backend health check reported, that an intermediate certificate was missing so I now use a certificate chain using an intermediate certificate.

Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-04-30T12:40:17.7766667+00:00
Hello Justin

I understand you're experiencing issues with your Application Gateway due to a mismatch between the root certificate of the server certificate used by your backend and the trusted root certificate added to your application gateway.

Here are a few steps you can take to troubleshoot and resolve the issue:

Ensure the correct root certificate is uploaded to the Application Gateway. You’ll want to ensure that the root certificate from the chain of the server certificate on the backend server is the same as the one uploaded to the Application Gateway’s backend settings

You can export the root certificate from your backend server to ensure you have the right one.

In the Application Gateway's Backend settings: Make sure that the option for "certificate is issued by a well-known CA" is set to "No" since you mentioned using a private CA. Upload the root certificate you exported in the previous step.

Ensure that the certificate chain on the backend server is complete: It should include the Leaf certificate, followed by any Intermediate certificates, and ending with the Root CA certificate.

It should include the Leaf certificate, followed by any Intermediate certificates, and ending with the Root CA certificate.

If needed, use OpenSSL to inspect the certificate chain presented by your backend server to ensure its complete and in the right order. Commands you can use include: openssl s_client -connect <FQDN>:443 -showcerts

Since you're hosting the certificate on IIS, verify that it’s configured properly under the Default Website section, and that the binding is correctly set to use the SSL certificate.

If you've checked all of the above steps and the problem persists, could you please provide more details on the following:

Is there any specific error code you're receiving beyond the "unhealthy" status?

Can you confirm if the DNS name of the TLS certificate installed on the backend matches the hostname used in the Application Gateway?

Are there any additional configurations you've applied to the Application Gateway or your backend server that might affect SSL termination?

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Accepted answer

1 additional answer

Your answer

Answer 1

Hello Justin

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: Fix AppGateway Backend Health Root Certificate does not match Trusted Root Certificate

Solution: Some settings for the server/leaf certificates were missing. By using a .cnf-file with following properties, the setup works:

basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[alt_names]
DNS.1 = www.fabrikam.com
# Add more DNS entries if needed
# DNS.2 = another-domain.com

If you have any other questions or are still running into more issues, please let me know.

Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

Justin 20

It turned out that some settings for the server/leaf certificates were missing. By using a .cnf-file with following properties, the setup works for me:

basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[alt_names]
DNS.1 = www.fabrikam.com
# Add more DNS entries if needed
# DNS.2 = another-domain.com

Share via

Fix AppGateway Backend Health Root Certificate does not match Trusted Root Certificate

1 additional answer

Your answer