@Pranav Joshi Thank you for your question and interest in Azure App Service Certificates.
Please note that there are two product offerings: App Service Managed Certificates and App Service Certificates. Since it appears that you need a wildcard certificate, you will need the App Service Certificate.
"The offering for App Service Certificates will still be available with the launch of App Service Managed Certificates as these two features have their differences and are better suited for different scenarios. Aside from the main difference of pricing, a major difference between the two is that you will not be able to export your App Service Managed Certificates as they are managed by the platform. If you're planning to do a live site migration with TXT record, need support for apex domains, or need a wildcard certificate, then use App Service Certificates or bring your own certificate." (Source)
In order to use your App Service Cert with App Gateway, you will need to export a copy of the certificate to your local computer to complete the steps outlined in the below documentation. In order to export it, please see Creating a local PFX copy of App Service Certificate.
Regarding how to use the certificate with Azure App Gateway, please see the below documentation. (Please note that you may have to convert your .PFX file to a .CER file depending on the requirements of Azure App Gateway.)
- Overview of TLS termination and end to end TLS with Application Gateway
- Configure end-to-end TLS by using Application Gateway with the portal
Yes, App Service Certs are charged as a one-time yearly fee. Deleting the certificate does not generate any refund/credit (full or prorated). Before purchasing a certificate, I would suggest creating a free billing ticket to verify if they issue credits/refunds for App Service Certs and what the limitations might be (number of days since initial purchase, whether it was used, etc.). To open a ticket with them, please follow these steps. Only the billing team can verify if/when credits/refunds can be issued, which is why it is best to check with them directly, as they are the ones who would submit the credit/refund request to see if it would be approved/denied.
You can use your own .PFX certs if they meet the below criteria (you might have to convert them to .CER):
- CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA)
- EV (Extended Validation) certificate: An EV certificate is a certificate that conforms to industry standard certificate guidelines. This will turn the browser locator bar green and publish the company name as well.
- Wildcard Certificate: This certificate supports any number of subdomains based on *.site.com, where your subdomain would replace the *. It doesn’t, however, support site.com, so in case the users are accessing your website without typing the leading "www", the wildcard certificate will not cover that.
- Self-Signed certificates: Client browsers do not trust these certificates and will warn the user that the virtual service’s certificate is not part of a trust chain. Self-signed certificates are good for testing or environments where administrators control the clients and can safely bypass the browser’s security alerts. Production workloads should never use self-signed certificates.
Source
Please let us know if you have any further questions or concerns regarding this matter.
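The wildcard rule described in the answer above (a `*.site.com` certificate covers `www.site.com` but not the apex `site.com`) is the one that trips up most Application Gateway listener setups, so here is a small Python check that implements that matching rule as browsers and TLS stacks apply it (RFC 6125 section 6.4.3). It is an added illustration, not code from the original answer or from Azure; `site.com` is a placeholder domain, and the SAN lists are constructed inputs. Real validation is done by the client against the certificate itself; this only shows which names a given certificate would and would not cover before you buy or upload one.

```python
"""Check which hostnames a certificate's names (CN or SAN dNSName entries) cover.

Rules implemented (RFC 6125, section 6.4.3):
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard is honoured only when it is the entire left-most label;
  * the wildcard stands for exactly one label, never zero and never several,
    so ``*.site.com`` covers ``www.site.com`` but neither ``site.com``
    nor ``a.b.site.com``;
  * a wildcard directly in front of a single label (``*.com``) is refused.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; '*' as the whole pattern label matches any non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_covers_host(cert_name: str, hostname: str) -> bool:
    """Return True if a single certificate name covers the given hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")

    if "*" in cert_name:
        # Accept only "*.<label>.<label>[...]": reject "w*.site.com", "a.*.com", "*.com".
        if pattern[0] != "*" or any("*" in lbl for lbl in pattern[1:]) or len(pattern) < 3:
            return False

    # Label counts must agree: this is what excludes the apex (fewer labels)
    # and deeper subdomains (more labels) from a wildcard name.
    if len(pattern) != len(host):
        return False

    return all(_label_matches(p, h) for p, h in zip(pattern, host))


def covering_names(cert_names: list[str], hostname: str) -> list[str]:
    """Return the subset of a certificate's names that cover the hostname."""
    return [name for name in cert_names if name_covers_host(name, hostname)]


if __name__ == "__main__":
    # Constructed example: a wildcard-only certificate versus one that also lists the apex.
    wildcard_only = ["*.site.com"]
    wildcard_plus_apex = ["site.com", "*.site.com"]
    for host in ["www.site.com", "api.site.com", "site.com", "a.b.site.com"]:
        print(f"{host:16s} wildcard-only: {bool(covering_names(wildcard_only, host))!s:5s} "
              f"with apex SAN: {bool(covering_names(wildcard_plus_apex, host))}")
```

The practical takeaway is the second certificate shape: if users reach the site without the leading `www`, the certificate needs `site.com` as an explicit SAN entry alongside `*.site.com`, which is exactly why the answer points to App Service Certificates or a bring-your-own certificate for apex domains.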