When my Cloud Service (extended) is restarted/updated etc. I lose my IIS Certs

Jon Elster 0 Reputation points
2026-04-04T14:18:54.55+00:00

I have a cloud service - every time it's restarted my MS. I lose all my IIS certs. The IIS site is OK and works but I lose my SSL! What can I do? This happens 1 a month. And where can I place files that will not be deleted when restarted? Where is the perm storage? Help! Thanks!!

Azure Cloud Services

An Azure platform as a service offer that is used to deploy web and cloud applications.

2 answers

  1. Nikhil Duserla 9,685 Reputation points Microsoft External Staff Moderator
    2026-04-05T17:54:17.8+00:00

    Hello @Jon Elster ,

    It sounds like every time your Cloud Service role gets recycled or reimaged, any certificates or files you manually install on the VM are lost because the OS disk is ephemeral. Here’s what you can do to keep your SSL certs and any files you need across restarts:

    Persisting SSL certificates

      • Upload your certificate to Azure Key Vault (or directly into the Cloud Service certificate blade).
      • In your ServiceDefinition.csdef, add a <Certificates> element under your <Role> pointing to that cert name/thumbprint.
      • In your ServiceConfiguration.cscfg, reference the same cert name and key-vault settings.
      • At startup the PaaS agent will automatically pull the cert into the IIS store for you on each VM restart.

    See "Use certificates with Azure Cloud Services (extended support)" and "Store and use certificates in Azure Cloud Services (extended support)" for step-by-step instructions.

    Persisting files across restarts

      • Azure Cloud Service VMs only guarantee that files in your packaged app and any LocalResource you define will survive a simple role recycle. Even then, “local” storage is wiped on OS upgrades or reimages.
      • For truly durable storage, use Azure Storage, e.g.
        – Blob storage or Data Lake for unstructured data
        – Azure Files (SMB share) if you need a mapped drive
      • If you still need a local temp folder between recycles (but know it won’t survive reimages), you can define a <LocalResources> entry in ServiceDefinition.csdef with removeOnRoleRecycle="false".

    Let me know if you need code samples for the ServiceDefinition/ServiceConfiguration changes or help mounting an Azure File share.

  2. Q&A Assist
    2026-04-04T14:19:09.29+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Cloud Services (extended support) instances are stateless. Any certificates or files added directly inside the VM (for example, by importing an SSL certificate into the local machine store and binding it in IIS manually) are lost whenever the role instance is recycled, updated, or redeployed. To persist IIS SSL configuration, the certificate must be managed through Azure Key Vault and referenced in the Cloud Service configuration so that it is automatically reinstalled on each instance start.

    Use this pattern:

    1. Store the certificate in Azure Key Vault
      • Create or use an existing Key Vault.
      • Upload the SSL certificate (PFX) into Key Vault as a certificate/secret.
      • Ensure the Cloud Service (extended support) has permissions on the Key Vault so it can retrieve the certificate.
    2. Reference the certificate in the Cloud Service configuration (.cscfg)
      • In the Cloud Service configuration, under the appropriate <Role> element, define the certificate with its thumbprint and algorithm:
         <Role name="WebRole1">
           <Instances count="1" />
           <Certificates>
             <Certificate
               name="Certificate1"
               thumbprint="AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"
               thumbprintAlgorithm="sha1"
             />
           </Certificates>
         </Role>
      
      • Make sure the thumbprint matches the certificate uploaded to Key Vault.
    3. Wire the Cloud Service to Key Vault
      • When configuring the Cloud Service (extended support) in the Azure portal, after saving the configuration with the <Certificates> section, select the Key Vault that holds the certificate and wait until the certificate status shows Found.
      • If using PowerShell/ARM, also ensure the OS profile secrets section is updated so the Cloud Service can download and install the certificate. If the .cscfg references a thumbprint that is not present in osProfile.secrets, updates will fail with an error indicating missing thumbprints.
    4. Bind the certificate in IIS via startup logic (if needed)
      • Once the certificate is provisioned into the VM’s certificate store by the platform, use startup tasks or role startup code to bind the certificate to the IIS site/HTTPS port if the default binding is not sufficient. Because the certificate is reinstalled on each recycle, the startup logic will reapply the binding consistently.

    Regarding “permanent storage” for files:

    • Local disk on Cloud Services (extended support) role instances is not durable across reimages or redeployments. Do not rely on it for anything that must survive restarts or upgrades.
    • For persistent data, use external services such as Azure Storage (Blobs, Files, Tables, Queues) or databases. For certificates specifically, use Azure Key Vault as the durable store, then reference them via the Cloud Service configuration as described above.

    This approach ensures that when the Cloud Service is restarted, updated, or scaled, the platform automatically pulls the certificate from Key Vault and installs it on each instance, so IIS SSL does not disappear.


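The startup-time IIS binding described in step 4 above, as an added PowerShell example that is not part of either answer or of Microsoft's documentation. It assumes the site name `Default Web Site`, port 443, a single HTTPS binding on that port, and that the platform installs the certificate into `LocalMachine\My`; the thumbprint is the sample value from the .cscfg snippet above.

```powershell
# Added example: re-apply the HTTPS certificate binding at role startup.
# Run elevated (for example from an elevated startup task).
param(
    [string]$SiteName   = 'Default Web Site',                          # assumption: adjust to your site
    [string]$Thumbprint = 'AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00',  # sample value from the .cscfg above
    [int]   $Port       = 443                                          # assumption
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Normalize the thumbprint: strip spaces and any non-hex characters picked up
# when the value was copied, then upper-case it for comparison.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Assumption: the certificate is provisioned into LocalMachine\My on each instance start.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

# Fail loudly instead of leaving the site without TLS and without a log entry.
if (-not $cert)                    { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; IIS cannot use it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# Create the HTTPS binding if the site does not have one yet.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
}

# certificateHash is empty when no certificate is attached to the binding.
# Replace a stale certificate rather than failing on an existing one.
if ($binding.certificateHash -ne $Thumbprint) {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($Thumbprint, 'My')
}

Write-Output "HTTPS binding on '$SiteName' port $Port uses certificate $Thumbprint"
```

Because the script is idempotent, it can run on every role start; a thrown error surfaces a missing, keyless or expired certificate at startup instead of at the first failed client handshake.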
