Share via

Artifact Signing certificate auto-renewal stopped after free trial expired and subscription upgraded to Pay-As-You-Go

SrulyT 0 Reputation points
2026-06-11T01:40:52.27+00:00

Artifact Signing certificate auto-renewal stopped after free trial expired and subscription upgraded to Pay-As-You-Go

Summary

After my Azure free trial expired and I upgraded to Pay-As-You-Go, my Artifact Signing account stopped issuing certificates. Everything in the portal appears healthy but signing fails with "The certificate is expired."

Timeline

  • ~May 2026: Set up Artifact Signing (leapsheet-signing, East US, Basic SKU) on free trial subscription
  • Daily certificate auto-renewal was working correctly from 5/5/2026 through 6/2/2026
  • ~6/5/2026: Free trial credit expired, subscription suspended, certificate auto-renewal stopped
  • 6/9/2026: Upgraded subscription to Pay-As-You-Go
  • 6/9–6/10/2026: No new certificates have been issued; auto-renewal has not resumed

Current portal status

  • Subscription: Active (Pay-As-You-Go)
  • Artifact Signing account: leapsheet-signing, East US, Basic SKU
  • Identity Validation: Completed, expires 8/6/2028
  • Certificate Profile (leapsheet-codesign): Status = Active, but expiry date shows 6/5/2026
  • Most recent certificate in version list: Created 6/2/2026, expires 6/5/2026
  • No certificates have been issued since 6/2/2026

Error from signing tool (dotnet sign CLI)


fail: Sign.Core.ICertificateVerifier[0]

      The certificate is expired.

fail: Sign.Core.ISigner[0]

      Failed to sign. Attempts exceeded.

Questions

  1. Is there a service-side hold on the account that needs to be cleared after a subscription reactivation?
  2. Can the certificate auto-renewal be restarted without deleting and recreating the certificate profile or account?
  3. If recreation is required, will the new certificate profile carry the same trust level, or will SmartScreen reputation need to be rebuilt?

This appears to be the same issue described in (https://learn.microsoft.com/en-in/answers/questions/5915363/artifact-signing-sign-operation-returns-failed-(nu)). Any guidance appreciated.

Artifact Signing
Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SrulyT 0 Reputation points
    2026-06-11T01:52:39.96+00:00

    "Thank you, but this did not resolve the issue. I have already verified all of the following:

    • Subscription is Active (Pay-As-You-Go)
    • Microsoft.CodeSigning resource provider is Registered
    • Identity Validation is Completed (expires 8/6/2028)
    • Certificate Profile status shows Active

    Despite all of this, no new certificates have been issued in over 24 hours since upgrading, and signing continues to fail with 'The certificate is expired.' This appears to be a service-side issue that cannot be resolved from the portal. Requesting a Microsoft engineer to review the account directly."

    Was this answer helpful?

  2. AI answer

    2026-06-11T01:41:09.1466667+00:00
    1. Artifact Signing cannot be used with a free, trial, or sponsored subscription. When the free trial expired and the subscription was suspended, the service stopped issuing/renewing certificates. After upgrading to Pay-As-You-Go, the subscription type is now supported, but there is no documented “service-side hold” flag that must be cleared beyond having an active, paid subscription. The account should be usable once the subscription is active and registered.
    2. The FAQ does not document any mechanism to “restart” certificate issuance or auto‑renewal for an existing certificate profile after such an interruption. It only states that:
      • Identity validation must be valid; if it expires and is not renewed, certificate renewal stops and signing processes stop, and a new identity validation must be created and associated to profiles to continue signing.
      • Artifact Signing resources cannot be migrated across subscriptions or tenants; if subscription/tenant changes are needed, all Artifact Signing resources must be recreated.
      There is no explicit guidance that an existing certificate profile whose certificate has expired can be reactivated or forced to resume auto‑renewal after a subscription suspension. The documented recovery pattern when identity/conditions block renewal is to recreate the necessary Artifact Signing resources so that signing can continue.
    3. The documentation does not describe SmartScreen or reputation behavior or any difference in “trust level” between old and new certificate profiles. It only clarifies that deleting an Artifact Signing account:
      • Deletes the certificate profiles under that account.
      • Stops certificate renewal and thus halts signing for those profiles.
      • Does not affect certificates that were already used to sign files.
      There is no statement that a new certificate profile inherits any prior reputation, nor any description of reputation reset or preservation.

    Given the documented limitations:

    • Ensure the subscription is a paid, active subscription (Pay-As-You-Go is supported) and that the Microsoft.CodeSigning resource provider is registered and the identity validation remains in Completed state.
    • If certificate issuance/renewal still does not resume, the supported path described in the FAQ is to recreate the Artifact Signing resources (account and certificate profiles) under the active Pay-As-You-Go subscription and associate them with a valid identity validation.
    • For further assistance specific to this scenario, use Azure Support or Microsoft Q&A with the artifact-signing tag as recommended for identity/Artifact Signing issues.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.