Error when trying to update the Certificate Issuer policies of a certificate
Hello,
I am facing an issue when trying to update the Certificate Issuer policies of a certificate
For SFI compliance, I wanted to update the certificate issuer policies from 6 months duration and renewal at 50%, to 12 months duration and a renewal at 24%. I didn't face any error when updating the policy in the portal. But after some time the policy is back to the original 6 months duration and renewal at 50%.
I have activated diagnostics on Azure Key Vault resource. I can see my requests to update the certificate issuer policies to 12 month/24% but I can't see in the logs any trace of the request updating back the policy to 6 months/50%.
Can you please help me understand what I have missed in the process?
Thanks
Sridevi Machavarapu 33,305 Reputation points • Microsoft External Staff • Moderator
Hello Brahim Ait Ouakrim,
Could you provide a few additional details?
- Is the certificate self-signed, imported, or issued through an integrated CA?
- How are you verifying that the policy has reverted (Azure portal, Azure CLI, PowerShell, or REST API)?
- Approximately how long after the update do you observe the values changing back?
- Are there any Azure Policies, deployment pipelines, or automation processes associated with this Key Vault?
Since the update operation appears in the diagnostic logs, but there is no corresponding operation showing the policy being changed back, it would be helpful to understand how the current policy values are being validated and whether the behavior can be reproduced consistently.
If possible, please share the current certificate policy output from Azure CLI or PowerShell (with any sensitive information removed). That should help narrow down what is occurring.
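The checks the moderator asks for (a timestamped copy of the stored policy, the certificate's version history, and who wrote the policy according to the Key Vault audit log) can be collected in one go with PowerShell. The script below is an added example, not code from the thread or from Microsoft. The vault name, certificate name, resource group and Log Analytics workspace ID are placeholder assumptions to replace; it requires the Az.Accounts, Az.KeyVault, Az.Monitor, Az.OperationalInsights and Az.Resources modules and an existing diagnostic setting that sends the AuditEvent category to the workspace.

```powershell
# Added example (not from the original thread). All names below are assumptions.
param(
    [string]$VaultName    = "contoso-kv",                              # assumption: your vault
    [string]$CertName     = "app-tls-cert",                            # assumption: your certificate
    [string]$WorkspaceId  = "00000000-0000-0000-0000-000000000000",    # assumption: Log Analytics workspace GUID
    [int]$LookbackDays    = 3
)

# Connect-AzAccount   # uncomment when running interactively

function Get-CertPolicySnapshot {
    # Read the policy from the data plane and stamp it with UTC time, so it can be
    # lined up against a portal screenshot taken at the same moment.
    param([string]$Vault, [string]$Cert)
    $policy = Get-AzKeyVaultCertificatePolicy -VaultName $Vault -Name $Cert
    [pscustomobject]@{
        CheckedAtUtc                    = (Get-Date).ToUniversalTime().ToString("o")
        ValidityInMonths                = $policy.ValidityInMonths
        RenewAtPercentageLifetime       = $policy.RenewAtPercentageLifetime
        RenewAtNumberOfDaysBeforeExpiry = $policy.RenewAtNumberOfDaysBeforeExpiry
        IssuerName                      = $policy.IssuerName
        PolicyUpdated                   = $policy.Updated
    }
}

function Get-CertVersionHistory {
    # A renewal through the integrated CA creates a new certificate version; a new
    # version appearing around the time the values change is worth correlating.
    param([string]$Vault, [string]$Cert)
    Get-AzKeyVaultCertificate -VaultName $Vault -Name $Cert -IncludeVersions |
        Sort-Object Created -Descending |
        Select-Object Version, Created, Updated, NotBefore, Expires, Enabled
}

function Get-CertPolicyWriters {
    # AuditEvent diagnostics land in the AzureDiagnostics table. Every policy write is
    # a CertificatePolicyUpdate; the identity claim columns (names as exported by the
    # AzureDiagnostics schema, verify against your workspace) show whether the caller
    # was a user (UPN) or an application / service principal (appid, oid).
    param([string]$Workspace, [string]$Vault, [int]$Days)
    $kql = @"
AzureDiagnostics
| where TimeGenerated > ago(${Days}d)
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where Resource =~ "$Vault"
| where OperationName in ("CertificatePolicyUpdate", "CertificateUpdate",
                          "CertificateRenew", "CertificateCreate", "CertificateImport")
| project TimeGenerated, OperationName, ResultType, CallerIPAddress,
          Upn      = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
          AppId    = identity_claim_appid_g,
          ObjectId = identity_claim_oid_g,
          id_s
| order by TimeGenerated desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace -Query $kql).Results
}

# 1. Snapshot the stored policy now; run again after the values change and diff the files.
$snapshot = Get-CertPolicySnapshot -Vault $VaultName -Cert $CertName
$snapshot | Format-List
$snapshot | ConvertTo-Json |
    Out-File -FilePath ("policy-{0}.json" -f (Get-Date -Format "yyyyMMdd-HHmmss"))

# 2. Certificate versions, newest first.
Get-CertVersionHistory -Vault $VaultName -Cert $CertName | Format-Table -AutoSize

# 3. Data-plane writers of the policy in the lookback window.
Get-CertPolicyWriters -Workspace $WorkspaceId -Vault $VaultName -Days $LookbackDays |
    Format-Table -AutoSize

# 4. Control plane: policy assignments and recent activity at the vault's scope. A
#    pipeline redeploying a template or a remediation task is visible here, not in
#    the data-plane audit log.
$vault = Get-AzKeyVault -VaultName $VaultName
Get-AzPolicyAssignment -Scope $vault.ResourceId | Select-Object Name, Id
Get-AzActivityLog -ResourceId $vault.ResourceId -StartTime (Get-Date).AddDays(-$LookbackDays) |
    Select-Object EventTimestamp, Caller, @{ n = 'Operation'; e = { $_.OperationName.Value } }
```

Run step 1 immediately after the update and again once the portal shows the old values; if the two JSON snapshots agree with each other but not with the portal, the discrepancy is in what the portal displays rather than in the stored policy. If step 3 lists a CertificatePolicyUpdate with an AppId or ObjectId rather than your UPN, that identity is the automation to look for.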
Brahim Ait Ouakrim 0 Reputation points • Microsoft Employee
Thanks for the reply.
The certificate is issued through an integrated CA.
The Azure portal is used to verify the policy.
Approximately 24 hours after I update the policy it is changed back.
I am not aware of any Azure Policies, deployment pipelines... I added diagnostics to monitor who is updating the policy back, but nothing is in the log except my requests to update the certificate policy.
I have tried to update the policy twice and it got changed back twice. I guess it reproduces consistently.
Below is the policy output
SecretContentType : application/x-pkcs12
Kty : RSA
KeySize : 2048
Curve :
Exportable : True
ReuseKeyOnRenewal : False
SubjectName : CN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
DnsNames : {}
Emails :
UserPrincipalNames :
KeyUsage : {digitalSignature, keyEncipherment}
Ekus : {1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2}
ValidityInMonths : 12
IssuerName : XXXXxxxx
CertificateType :
RenewAtNumberOfDaysBeforeExpiry :
RenewAtPercentageLifetime : 24
EmailAtNumberOfDaysBeforeExpiry :
EmailAtPercentageLifetime :
CertificateTransparency :
Enabled : True
Created : xx/xx/xxxx xx:xx:xx AM
Updated : 6/17/2026 xx:xx:xx AM
Sridevi Machavarapu 33,305 Reputation points • Microsoft External Staff • Moderator
Hello Brahim Ait Ouakrim,
Thanks for the additional details.
Looking at the policy output you shared, the current policy stored in Key Vault shows:
- ValidityInMonths = 12
- RenewAtPercentageLifetime = 24
These are the values you updated the policy to.
Could you clarify where you are seeing the 6-month validity and 50% renewal settings? Based on the PowerShell output, the policy itself currently appears to be configured for 12 months and 24%.
If possible, please share:
- A screenshot of the Azure portal page showing the 6-month / 50% values (with sensitive information removed)
- The time when the screenshot was taken
- A fresh PowerShell export collected at approximately the same time
This will help us determine whether there is a discrepancy between what the portal is displaying and the policy currently stored in Key Vault.
Brahim Ait Ouakrim 0 Reputation points • Microsoft Employee
Hello,
I updated the issuer policy this morning to 12 months/24% (this is why it is now 12 months/24%); tomorrow, if the error is consistent (as it has been for the last 2 days), it will be back to 6 months/50%.
Here is today's current screenshot: policy
The PowerShell output is the same as above.
