How to add a custom CA certificate in Azure API Management

Azure API Management allows you to install CA certificates in the trusted root and intermediate certificate stores on the machine. Use this functionality if your services require a custom CA certificate.

This article shows how to manage the CA certificates of an Azure API Management service instance in the Azure portal.


This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.



This feature is available in the Premium, Standard, Basic, and Developer tiers of API Management.

Upload a CA certificate


Follow the steps below to upload a new CA certificate. If you have not created an API Management service instance yet, see the tutorial Create an API Management service instance.

  1. Navigate to your Azure API Management service instance in the Azure portal.

  2. Select CA certificates from the menu.

  3. Click the + Add button.

    Screenshot that shows the + Add button for adding a CA certificate.

  4. Browse for the certificate and decide on the certificate store. Only the public key is needed, so the password is not required.

    Screenshot that shows how to browse for the certificate.

  5. Click Save. This operation may take a few minutes.

    Screenshot that shows how to save the certificate.


You can also upload a CA certificate using the New-AzApiManagementSystemCertificate PowerShell command.
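Before trusting a new CA, it is worth checking the file you are about to upload. The following is an added example, not code from the original article: `Test-CaCertificateFile`, the file path, and the self-issued check are assumptions made for illustration, and the script finishes by building the certificate object with `New-AzApiManagementSystemCertificate`.

```powershell
# Added example: validate a CA certificate file before handing it to API Management.
function Test-CaCertificateFile {   # hypothetical helper, not part of the Az module
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Root', 'CertificateAuthority')] [string] $StoreName
    )
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    $problems = @()

    # Only the public key is needed, so flag files that carry a private key.
    if ($cert.HasPrivateKey) { $problems += 'file contains a private key' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # basicConstraints (OID 2.5.29.19) must mark the certificate as a CA.
    $bc = $cert.Extensions['2.5.29.19']
    if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'basicConstraints does not assert CA' }

    # Added sanity check: roots are normally self-issued, intermediates are not.
    $subject = [Convert]::ToBase64String($cert.SubjectName.RawData)
    $issuer  = [Convert]::ToBase64String($cert.IssuerName.RawData)
    $selfIssued = ($subject -eq $issuer)
    if ($StoreName -eq 'Root' -and -not $selfIssued) { $problems += 'not self-issued, but Root store chosen' }
    if ($StoreName -eq 'CertificateAuthority' -and $selfIssued) { $problems += 'self-issued, but intermediate store chosen' }

    [pscustomobject]@{
        Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Problems = $problems
    }
}

$caPath = 'C:\certs\example-root-ca.cer'   # placeholder path
$store  = 'Root'                           # or 'CertificateAuthority' for an intermediate CA

$check = Test-CaCertificateFile -Path $caPath -StoreName $store
if ($check.Problems.Count -gt 0) {
    throw "Refusing to upload $($check.Subject): $($check.Problems -join '; ')"
}
# Compare this thumbprint with the value the CA owner publishes out of band.
Write-Host "Subject $($check.Subject), thumbprint $($check.Thumbprint)"

# Build the system-certificate object from the validated file.
$systemCert = New-AzApiManagementSystemCertificate -StoreName $store -PfxPath $caPath
```

`New-AzApiManagementSystemCertificate` is a helper that creates the certificate object; the object is then supplied to the service, for example through the `-SystemCertificateConfiguration` parameter of `New-AzApiManagement`.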

Delete a CA certificate

To delete a certificate, click the context menu (...) beside the certificate and select Delete.