
SSL Import Error on Application Gateway LB

SHK 0 Reputation points
2026-01-21T08:36:06.0933333+00:00

Hello,

I wanted to add SSL to the Application Gateway I created. I exported the SSL certificate using a p7b file and uploaded the root certificate, intermediate certificate, and regular certificate. However, I received an error. The error image is below. Does anyone have any information about this error?
Screenshot 2026-01-21 113353

Azure Web Application Firewall

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator
    2026-01-21T09:03:14.6433333+00:00

    Hello SHK

    Verify that the self-signed certificate you're using includes the BasicConstraintsOid extension with value "2.5.29.19" and the CA flag set to TRUE. This extension indicates that the certificate subject can act as a Certificate Authority.

    To check the certificate properties, you can use the following OpenSSL command:

    Bash

    openssl x509 -in certificate.pem -text -noout
    

    Look for the "Basic Constraints" section in the output, which should show "CA:TRUE" for a valid CA certificate. For detailed guidance on generating self-signed client certificates, see trusted client certificates.

    Please validate the checkpoints below:

    1. Ensure that the certificates you're using (root, intermediate, and regular) are all in the correct format. For Application Gateway, root certificates need to be in .cer format, while the SSL certificate itself can be a .pfx file.
    2. Check the Certificate Chain: It's important that the chain of certificates is correctly ordered and complete. The leaf certificate must be the first in the chain, followed by the intermediate, and then the root certificate. Make sure all necessary certificates are present and in the correct order.
    3. Common Name Match: Confirm that the common name (CN) of the SSL certificate matches the hostname that's being used in the requests to your Application Gateway. If you're using HTTPS for the backend settings, this match is crucial.
    4. Allowed Certificates for Backend Pool: If you're connecting to an internal load balancer (ILB) or using an App Service Environment (ASE), the backend server must also have a valid SSL certificate that's recognized by Azure.
    5. Upload Root Certificate: If you're using a self-signed certificate or a certificate from a private CA, ensure that the root certificate is uploaded to the Application Gateway's backend settings.
    6. The error message you provided suggests that there might be an issue with the root CA being recognized. Make sure to upload only one root CA, as multiple entries may lead to confusion.

    Reference document :

    Can you please update us if the action plan provided was helpful?

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    Please upvote if you found the information helpful. This will help us and other members of the community as well.

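The chain-order and Basic Constraints checks described in the answer above can be scripted. This is an added example, not part of the original answer or of any Microsoft tooling: a bash script that walks a PEM bundle with `openssl x509` and reports a misordered chain or an issuing certificate without CA:TRUE. The function names and the `demo-*.example` certificates are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify a PEM chain is ordered leaf -> intermediate -> root
# and that every issuing certificate carries Basic Constraints CA:TRUE.

# Split a PEM bundle into outdir/cert-1.pem, cert-2.pem, ... in file order.
split_bundle() {  # usage: split_bundle bundle.pem outdir
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ {n++}
                 n {print > (d "/cert-" n ".pem")}' "$1"
}

# Return 0 if the order is valid, 1 on an order or CA-flag problem, 2 on bad input.
check_chain() {  # usage: check_chain bundle.pem
  local dir n i cur next rc=0
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  [ "${n:-0}" -ge 1 ] || { echo "no certificates in $1"; return 2; }
  dir=$(mktemp -d) || return 2
  split_bundle "$1" "$dir"
  for i in $(seq 1 "$n"); do
    cur="$dir/cert-$i.pem"; next="$dir/cert-$((i + 1)).pem"
    echo "[$i] $(openssl x509 -in "$cur" -noout -subject)"
    # Positions after the leaf issue other certificates, so they need CA:TRUE.
    if [ "$i" -gt 1 ] && ! openssl x509 -in "$cur" -noout -text | grep -q 'CA:TRUE'; then
      echo "    position $i lacks CA:TRUE"; rc=1
    fi
    # This certificate's issuer must be the subject of the next certificate.
    if [ -f "$next" ] && [ "$(openssl x509 -in "$cur" -noout -issuer_hash)" != \
                           "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
      echo "    position $i is not issued by position $((i + 1))"; rc=1
    fi
  done
  rm -rf "$dir"
  return "$rc"
}

# Constructed demo input: three throwaway certificates (root, mid, leaf) in dir $1.
make_demo_chain() {
  local d=$1 name sign="openssl x509 -req -days 1"
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
  for name in root mid leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name.example" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  done
  $sign -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  $sign -in "$d/mid.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/ca.ext" -out "$d/mid.pem" 2>/dev/null &&
  $sign -in "$d/leaf.csr" -CA "$d/mid.pem" -CAkey "$d/mid.key" -set_serial 3 \
    -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}
```

To try it, run `make_demo_chain` on an empty directory, concatenate `leaf.pem`, `mid.pem` and `root.pem` into one file in that order, and pass the file to `check_chain`; reversing the order or leaving out `mid.pem` makes it return 1.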
