Get Web Apps certificates in bulk

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

For Web App, there are two kinds of SSL/TLS certificates - private certificate and public certificate.

For some users they might have lots of web apps and certificates which need to managed. So I've been asked many times for how to get (both private and public) certificates in bulk. In this blog I will show how to get Web Apps private certificates and public certificates under a subscription correspondingly.


Get Web Apps private certificates in bulk

For the private  certificates, we have the existing feature and API to bulk get the private certificates under a subscription. The following shows how to use Azure Resource Graph Explorer and Azure REST API to get them:

Option 1: Use Azure Resource Graph Explorer

In Azure portal -> Go to the "Resource Graph Explorer" service -> search the "microsoft.web/certificates" resource -> in the Kusto query, filter the subscriptionId and pick the fields you need.


An example Kusto query as below:


| where type == "microsoft.web/certificates"
| where subscriptionId =="xxxx"
| project name, resourceGroup, properties



  • For the private certificate's detailed information (e.g. thumbprint, issue date and expiration date etc), it's stored in the properties field.
  • For the Resource Graph Explorer, you can also use to query other resource information beyond App Service's private certificate.

Option 2: Use List Certificates REST API

You can also use List Certificates REST API to bulk get the private certificates.


Get Web Apps public certificates in bulk

There is no such feature or API to bulk list all the public certificates. The Get Public Certificate REST API can only get the public certificate for one web app each time. So the idea to get web apps public certificates in bulk as below:

  1. Use the List Web Aps REST API to get the web app list
  2. Loop the web app list and get each web app's public certificate(s)

The example of PowerShell to achieve it as below:


$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
#replace your own bearer token here
$headers.Add("Authorization", "Bearer xxxx")
#replace your  own subscription here
#get web app list under the subscription
$response = Invoke-RestMethod $url1 -Method 'GET' -Headers $headers
$json= $response | ConvertTo-Json
$x = $json | ConvertFrom-Json
#loop the web apps list
foreach ($line in $x.value) {
     $a1 = $webapp.Split("/")
     write-host "The public certificate thumbprint(s) under the app $appname as following:"

     #get each web app's public certificate
     $res_cert = Invoke-RestMethod $url2 -Method 'GET' -Headers $headers
     $json2=$res_cert | ConvertTo-Json
     $y=$json2 | ConvertFrom-Json
     foreach ($z in $y.value) {
     write-host $thumbprint



Then you can get the web apps public certificates in bulk.


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.