In early 2026, industry-wide certificate changes designed to enhance security and compliance are coming to your browsers. Learn how Azure App Service is automating updates to minimize customer impact.
Executive Summary
In early 2026, industry-wide changes mandated by browser applications and the CA/B Forum will affect both how TLS certificates are issued as well as their validity period. The CA/B Forum is a vendor body that establishes standards for securing websites and online communications through SSL/TLS certificates. Azure App Service is aligning with these standards for both App Service Managed Certificates (ASMC, free, DigiCert-issued) and App Service Certificates (ASC, paid, GoDaddy-issued).
Most customers will experience no disruption. Action is required only if you pin certificates or use them for client authentication (mTLS).
Who Should Read This?
- App Service administrators
- Security and compliance teams
- Anyone responsible for certificate management or application security
Quick Reference: What’s Changing & What To Do
|
Topic |
ASMC (Managed, free) |
ASC (GoDaddy, paid) |
Required Action |
|
New Cert Chain |
New chain (no action unless pinned) |
New chain (no action unless pinned) |
Remove certificate pinning |
|
Client Auth EKU |
Not supported (no action unless cert is used for mTLS) |
Not supported (no action unless cert is used for mTLS) |
Transition from mTLS |
|
Validity |
No change (already compliant) |
Two overlapping certs issued for the full year |
None (automated) |
If you do not pin certificates or use them for mTLS, no action is required.
Timeline of Key Dates
|
Date |
Change |
Action Required |
|
Mid-Jan 2026 and after |
ASMC migrates to new chain ASMC stops supporting client auth EKU |
Remove certificate pinning if used Transition to alternative authentication if the certificate is used for mTLS |
|
Mar 2026 and after |
ASC validity shortened ASC migrates to new chain ASC stops supporting client auth EKU |
Remove certificate pinning if used Transition to alternative authentication if the certificate is used for mTLS |
Actions Checklist
For All Users
- Review your use of App Service certificates.
- If you do not pin these certificates and do not use them for mTLS, no action is required.
If You Pin Certificates (ASMC or ASC)
- Remove all certificate or chain pinning before their respective key change dates to avoid service disruption.
If You Use Certificates for Client Authentication (mTLS)
- Switch to an alternative authentication method before their respective key change dates to avoid service disruption, as client authentication EKU will no longer be supported for these certificates.
Details & Rationale
Why Are These Changes Happening?
These updates are required by major browser programs (e.g., Chrome) and apply to all public CAs. They are designed to enhance security and compliance across the industry. Azure App Service is automating updates to minimize customer impact.
What’s Changing?
New Certificate Chain
- Certificates will be issued from a new chain to maintain browser trust.
- Impact: Remove any certificate pinning to avoid disruption.
Removal of Client Authentication EKU
- Newly issued certificates will not support client authentication EKU. This change aligns with Google Chrome’s root program requirements to enhance security.
- Impact: If you use these certificates for mTLS, transition to an alternate authentication method.
Shortening of Certificate Validity
- Certificate validity is now limited to a maximum of 200 days.
- Impact: ASMC is already compliant; ASC will automatically issue two overlapping certificates to cover one year. No billing impact.
Frequently Asked Questions (FAQs)
Will I lose coverage due to shorter validity?
No. For App Service Certificate, App Service will issue two certificates to span the full year you purchased.
Is this unique to DigiCert and GoDaddy?
No. This is an industry-wide change.
Do these changes impact certificates from other CAs?
Yes. These changes are an industry-wide change. We recommend you reach out to your certificates’ CA for more information.
Do I need to act today?
If you do not pin or use these certs for mTLS, no action is required.
Glossary
- ASMC: App Service Managed Certificate (free, DigiCert-issued)
- ASC: App Service Certificate (paid, GoDaddy-issued)
- EKU: Extended Key Usage
- mTLS: Mutual TLS (client certificate authentication)
- CA/B Forum: Certification Authority/Browser Forum
Additional Resources
Feedback & Support
If you have questions or need help, please visit our official support channels or the Microsoft Q&A, where our team and the community can assist you.
Microsoft