GTS Root R1 and R2 for Azure App Services app

Question

GTS Root R1 and R2 for Azure App Services app

Sami Inkinen 20

I am using Mongo Atlas as DB for my Azure App Services app. It has been so far using Let's Encrypt as the CA for TLS certificates, but soon it requires that also GTS Root R1 and GTS Root R2 are included. As my technical understanding on this topic is limited, please help me in:

Are those GTS's included by default for Azure App Services?
If not, what are the relevant install/config instructions?
As so far Let's Encrypt has been used, I would assume I would see it configured somewhere. Where should I find this? I don't recall doing any installation/setting for it. I assume the GTS config should be similar.

Sami Inkinen 20 Reputation points

2025-03-10T07:31:08.59+00:00

Thank you Sampath, clear explanation and guidance. One additional question though: the list of certificates in PowerShell response include "DigiCert Global Root CA" and "DigiCert Global Root G2" but nothing from Google, I wonder if these are the same certificates or different?
Sampath 915 Reputation points Microsoft External Staff

2025-03-10T07:34:55.69+00:00

Hello @Sami Inkinen DigiCert Global Root CA/G2: These are root certificates from DigiCert, a widely trusted and prominent Certificate Authority (CA) used across various services. GTS Root R1/R2: These are root certificates issued by Google Trust Services (GTS), specifically for Google's own infrastructure and services (e.g., those using Google's managed TLS certificates).
Sami Inkinen 20 Reputation points

2025-03-10T07:43:24.85+00:00

OK. https://pki.goog/repository/ offers downloading in Certificate (PEM), Certificate (DER) or CLR (DER), which one is the correct format for Azure uploading, or do I need to convert format first?
Sampath 915 Reputation points Microsoft External Staff

2025-03-10T07:49:33.2266667+00:00

Hello @Sami Inkinen ,you can use (.cer)/(.pfx) for azure
Sami Inkinen 20 Reputation points

2025-03-11T06:43:12.44+00:00

When adding the new certificates, should the WEBSITE_LOAD_ROOT_CERTIFICATES = <Thumbprint_of_GTS_Root_R1>,<Thumbprint_of_GTS_Root_R2> go to App Settings > Environment variables, or is there somewhere else a specific place for this?
Sami Inkinen 20 Reputation points

2025-03-11T07:59:27.1733333+00:00

And another question - sorry for the spam but at least to me the process is not quite clear yet: I downloaded the Google GTS Root R1 in PEM format, but it does not seem to have a private key associated to it, only the certificate. I also downloaded the DER format that seems to be a .crt file. So instead of uploading the certificate to Bring your own certificates as you instruct, should I use the Public key certificates tab instead? I also tried importing the PEM to Azure Key Vault, but that fails as well, the file is missing something (presumably the private key).
Sampath 915 Reputation points Microsoft External Staff

2025-03-11T08:42:57.34+00:00
@Hello Sami Inkinen Yes, the WEBSITE_LOAD_ROOT_CERTIFICATES setting should be added in the App Settings section under Environment Variables in your Azure App Service configuration.

Go to the app that needs the certificate in the Azure portal

Go to Certificates in the app. Select Public Key Certificate (.cer). Select Add certificate. Provide a name. Browse and select your .cer file. Select upload.

Copy the thumbprint.

Go to Configuration > Application Settings. Create an app setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas and no whitespace like 84EC242A4EC7957817B8E48913E50953552DAFA6,6A5C65DC9247F762FE17BF8D4906E04FE6B31819 Refer this MSDOC for more details about client certificate
Sami Inkinen 20 Reputation points

2025-03-11T09:17:32.5433333+00:00
Hi Sampath,

Now I managed to complete the operation, but I am still unsure if the new certificates are in use by my App Service app. Here's what I did:

I created the .cer files for GTS R1 and R2 by using the Keychain Access app in my Mac. That was a very straightforward way as it already had the GTS R1 and R2 certificates, and they can be exported as .cer files.

I uploaded the .cer files to app's Public key certificates in Azure.

I added the WEBSITE_LOAD_ROOT_CERTIFICATES definition with thumbprint values to app's Settings > Environment variables > App settings (this is where I think MS instructions are a bit off).

If I now use "dir cert:\localmachine\root" in PowerShell, it still does not show the newly added certificates, but does the command only show the preinstalled certificates, and is there a way to see if those installed certificates are available as well?

Best Regards, Sami
Sampath 915 Reputation points Microsoft External Staff

2025-03-11T18:14:23.1666667+00:00
Hello @Sami Inkinen,

Refer to this MSDOC to use TLS/SSL certificates in your application code. Currently, there is no direct way to upload and view the certificate in Kudo. using Get-ChildItem -Path Cert:\CurrentUser\Rootget the client certificates only.

Note:

If you need to load a certificate file that you upload manually, it's better to upload the certificate using FTPS instead of Git

App Service inject the certificate paths into Windows containers as the following environment variables WEBSITE_PRIVATE_CERTS_PATH, WEBSITE_INTERMEDIATE_CERTS_PATH, WEBSITE_PUBLIC_CERTS_PATH, and WEBSITE_ROOT_CERTS_PATH.

You can use WEBSITE_LOAD_ROOT_CERTIFICATES in the environment in your code and call it on Azure.You can use the following Azure CLI to list SSL certificates for a web app:

az webapp config ssl list --resource-group MyResourceGroup

If useful, could you please upvote every comment?

Accepted answer

0 additional answers

Your answer

Sami Inkinen 20 Reputation points

2025-03-10T07:31:08.59+00:00

Thank you Sampath, clear explanation and guidance. One additional question though: the list of certificates in PowerShell response include "DigiCert Global Root CA" and "DigiCert Global Root G2" but nothing from Google, I wonder if these are the same certificates or different?
Sampath 915 Reputation points Microsoft External Staff

2025-03-10T07:34:55.69+00:00

Hello @Sami Inkinen DigiCert Global Root CA/G2: These are root certificates from DigiCert, a widely trusted and prominent Certificate Authority (CA) used across various services. GTS Root R1/R2: These are root certificates issued by Google Trust Services (GTS), specifically for Google's own infrastructure and services (e.g., those using Google's managed TLS certificates).
Sami Inkinen 20 Reputation points

2025-03-10T07:43:24.85+00:00

OK. https://pki.goog/repository/ offers downloading in Certificate (PEM), Certificate (DER) or CLR (DER), which one is the correct format for Azure uploading, or do I need to convert format first?
Sampath 915 Reputation points Microsoft External Staff

2025-03-10T07:49:33.2266667+00:00

Hello @Sami Inkinen ,you can use (.cer)/(.pfx) for azure
Sami Inkinen 20 Reputation points

2025-03-11T06:43:12.44+00:00

When adding the new certificates, should the WEBSITE_LOAD_ROOT_CERTIFICATES = <Thumbprint_of_GTS_Root_R1>,<Thumbprint_of_GTS_Root_R2> go to App Settings > Environment variables, or is there somewhere else a specific place for this?
Sami Inkinen 20 Reputation points

2025-03-11T07:59:27.1733333+00:00

And another question - sorry for the spam but at least to me the process is not quite clear yet: I downloaded the Google GTS Root R1 in PEM format, but it does not seem to have a private key associated to it, only the certificate. I also downloaded the DER format that seems to be a .crt file. So instead of uploading the certificate to Bring your own certificates as you instruct, should I use the Public key certificates tab instead? I also tried importing the PEM to Azure Key Vault, but that fails as well, the file is missing something (presumably the private key).
Sampath 915 Reputation points Microsoft External Staff

2025-03-11T08:42:57.34+00:00

@Hello Sami Inkinen Yes, the WEBSITE_LOAD_ROOT_CERTIFICATES setting should be added in the App Settings section under Environment Variables in your Azure App Service configuration.

Go to the app that needs the certificate in the Azure portal

Go to Certificates in the app. Select Public Key Certificate (.cer). Select Add certificate. Provide a name. Browse and select your .cer file. Select upload.

Copy the thumbprint.

Go to Configuration > Application Settings. Create an app setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas and no whitespace like 84EC242A4EC7957817B8E48913E50953552DAFA6,6A5C65DC9247F762FE17BF8D4906E04FE6B31819 Refer this MSDOC for more details about client certificate
Sami Inkinen 20 Reputation points

2025-03-11T09:17:32.5433333+00:00

Hi Sampath,

Now I managed to complete the operation, but I am still unsure if the new certificates are in use by my App Service app. Here's what I did:

I created the .cer files for GTS R1 and R2 by using the Keychain Access app in my Mac. That was a very straightforward way as it already had the GTS R1 and R2 certificates, and they can be exported as .cer files.

I uploaded the .cer files to app's Public key certificates in Azure.

I added the WEBSITE_LOAD_ROOT_CERTIFICATES definition with thumbprint values to app's Settings > Environment variables > App settings (this is where I think MS instructions are a bit off).

If I now use "dir cert:\localmachine\root" in PowerShell, it still does not show the newly added certificates, but does the command only show the preinstalled certificates, and is there a way to see if those installed certificates are available as well?

Best Regards, Sami
Sampath 915 Reputation points Microsoft External Staff

2025-03-11T18:14:23.1666667+00:00

Hello @Sami Inkinen,

Refer to this MSDOC to use TLS/SSL certificates in your application code. Currently, there is no direct way to upload and view the certificate in Kudo. using Get-ChildItem -Path Cert:\CurrentUser\Rootget the client certificates only.

Note:

If you need to load a certificate file that you upload manually, it's better to upload the certificate using FTPS instead of Git

App Service inject the certificate paths into Windows containers as the following environment variables WEBSITE_PRIVATE_CERTS_PATH, WEBSITE_INTERMEDIATE_CERTS_PATH, WEBSITE_PUBLIC_CERTS_PATH, and WEBSITE_ROOT_CERTS_PATH.

You can use WEBSITE_LOAD_ROOT_CERTIFICATES in the environment in your code and call it on Azure.You can use the following Azure CLI to list SSL certificates for a web app:

az webapp config ssl list --resource-group MyResourceGroup

If useful, could you please upvote every comment?

Answer 1

Hello @Sami Inkinen,

To ensure your Azure App Service works properly with MongoDB Atlas, which now requires GTS Root R1 and GTS Root R2, follow these steps:

Check if GTS Root R1 and R2 are Already Trusted

Azure App Service maintains a list of trusted root certificates. You need to check if GTS Root R1 and GTS Root R2 are included.

For Windows-based App Services:

Open Kudu In the Azure Portal, go to your App Service.

Under Development Tools, click Advanced Tools → Go.

Open the PowerShell console and run:

 dir cert:\localmachine\root

Look for GTS Root R1 and GTS Root R2 in the output.

For Linux-based App Services:

Open SSH in Kudu and Run:

   cd /etc/ssl/certs
   
   ls | grep GTS

If GTS Root R1 and GTS Root R2 appear, you’re good to go.

Adding GTS Root Certificates (If Not Present)

If they are missing, follow these steps based on your App Service type:

For Multi-Tenant App Services (Free, Basic, Standard, Premium Plans):

You cannot manually modify the root certificate store.
Check with Azure Support to confirm if GTS certificates will be added automatically.
If your app fails TLS validation, consider switching to an App Service Environment (ASE).

For App Service Environment (ASE) :

Download GTS Root R1 and GTS Root R2 as .CER files (Base64-encoded) .
In Azure Portal, go to your App Service under TLS/SSL settings > Private Key Certificates (.pfx).
Click Upload Certificate, and upload both GTS root certificates.

enter image description here

Add this setting in Application Settings and Restart the App Service :

  WEBSITE_LOAD_ROOT_CERTIFICATES = <Thumbprint_of_GTS_Root_R1>,<Thumbprint_of_GTS_Root_R2>

If your App Service has been working fine with Let's Encrypt, it means the necessary Let's Encrypt certificates were already trusted by default.

You might not have explicitly configured Let's Encrypt since MongoDB Atlas ensures its certificates are valid.
If GTS Root R1 and R2 are required, they should be available in the trusted store. Check first if GTS Root R1 and R2 are already trusted. If not, contact Azure Support for multi-tenant plans and manually upload the certificates and configure WEBSITE_LOAD_ROOT_CERTIFICATES.

For more details, see Azure’s Root CA Guide.

Hope this helps!

If you found this answer helpful, please click Accept Answer and kindly upvote it.

Accept Answer

If you have any further questions, please click Comment.

Share via

GTS Root R1 and R2 for Azure App Services app

For Windows-based App Services:

Adding GTS Root Certificates (If Not Present)

For Multi-Tenant App Services (Free, Basic, Standard, Premium Plans):

For App Service Environment (ASE) :

0 additional answers

Your answer