Re-validating Apex Domains in Azure Front Door
Posted March 13, 2026
One of the sites I manage uses Azure Front Door and Azure DNS. About every 6 months, the certificate associated with the Apex domain enters the state of “Domain validation needed”, and the domain validation state becomes “Pending revalidation”. Here are the steps to re-validate your Apex domain.
- Log into Azure Portal and select the appropriate Azure Front Door
- Expand the Settings node and click Domains
- Under the “Certificate state” column for your Apex domain, click “Domain validation needed”. In the resulting flyout, note the warning at the bottom that says:
  The certificate auto-rotation for your Apex domain with managed certificate will require domain ownership revalidation.
  This is the key - we must re-validate that we own the Apex domain before the certificate will auto-rotate.
  Close the flyout.
- Under the “Validation state” column for your Apex domain, click “Pending validation”. A “Validate custom domain ownership” flyout will open.
- Verify the settings
- Click “Regenerate” to regenerate the TXT record verifying that you own the domain. Wait for some time.
- The “DNS record status” field will change to:
  Your domain’s been linked to an Azure DNS zone. The DNS record has a different value, clicking “Update” button will update the existing DNS record.
  Click the Update button.
- The “DNS record status” field will change to:
  Domain’s DNS record has been set correctly in the Azure DNS Zone.
- Close the flyout
- Refresh the Domains list, and you’ll see that the “Validation state” for the Apex domain has changed to “Pending”. Wait for some time.
- Refresh the Domains list, and you’ll see that the “Validation state” for the Apex domain has changed to “Approved”, and the “Certificate state” has changed to “Deployed: 184 day(s) to expiry”.
- Create a calendar reminder for ~6 months in the future to do this all over again.
- You did it! Celebrate with a self-high five. Job well done.
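As a complement to the calendar reminder, a scheduled check can flag any domain whose validation state is no longer “Approved” before the certificate lapses. This is an added example, not part of the original post; it assumes the JSON field names (`hostName`, `domainValidationState`, `validationProperties`) emitted by `az afd custom-domain list`, assumes the validation TXT record lives at `_dnsauth.<domain>`, and uses a constructed sample record.

```python
"""Flag Azure Front Door custom domains that need ownership revalidation.

Feed it the output of (profile and resource group names are yours):
  az afd custom-domain list --profile-name <profile> --resource-group <rg> -o json
Field names are assumed to match that output; SAMPLE below is constructed.
"""
import json
import sys
from datetime import datetime, timezone

OK_STATES = {"Approved"}  # any other state means the managed cert may not rotate

SAMPLE = [  # constructed records, not real data
    {"hostName": "example.com", "domainValidationState": "PendingRevalidation",
     "validationProperties": {"validationToken": "constructed-token",
                              "expirationDate": "2026-03-20T00:00:00.0000000+00:00"}},
    {"hostName": "www.example.com", "domainValidationState": "Approved",
     "validationProperties": None},
]

def needs_revalidation(domains, now=None):
    """Return one finding per domain whose validation state is not Approved."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for d in domains:
        state = d.get("domainValidationState", "Unknown")
        if state in OK_STATES:
            continue
        props = d.get("validationProperties") or {}
        days_left = None
        if props.get("expirationDate"):
            # Keep only the seconds-precision prefix; the timestamp is assumed UTC.
            exp = datetime.strptime(props["expirationDate"][:19], "%Y-%m-%dT%H:%M:%S")
            days_left = (exp.replace(tzinfo=timezone.utc) - now).days
        findings.append({
            "host": d.get("hostName"),
            "state": state,
            "txt_record": "_dnsauth." + d.get("hostName", ""),  # assumed record name
            "token": props.get("validationToken"),
            "token_days_left": days_left,
        })
    return findings

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = needs_revalidation(data)
    for f in results:
        print(f"{f['host']}: {f['state']}; TXT {f['txt_record']} "
              f"token valid for {f['token_days_left']} more day(s)")
    sys.exit(1 if results else 0)  # non-zero exit lets a scheduler raise an alert
```

Run on a schedule with the `az` output piped to stdin, a non-zero exit code signals that at least one domain needs the portal steps above.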