"Failed to create certificate" error creating new Web application

Article ID: 402924

Products

Symantec ZTNA

Issue/Introduction

A ZTNA admin was migrating applications from a PoC tenant to a Production tenant.

All RDP, SSH and TCP applications were created in the new environment without issues, as well as most Web applications.

When creating one specific Web application in the new Production ZTNA tenant, an unexpected "Failed to create certificate" error was displayed.

The Web application uses a custom domain with an external address, for which CNAME records had been created.

Environment

ZTNA migration from one tenant to another.

Web application with externally defined custom domain.

Cause

The ZTNA certificate management service detects a duplicate name and blocks creation of the application.

Resolution

When migrating Web applications with custom domains, one must delete the application from the original ZTNA tenant before creating it on the new tenant.

Every Web application has a unique certificate for the domain, and a certificate management service within ZTNA handles this. When adding a new application with a custom certificate, the certificate management service checks the domain for uniqueness and fails if the specified domain already has a certificate, as happened in our case above.