updated certificate acquisition requirements

Author: Nicolas Oman

articles/service-fabric/service-fabric-windows-cluster-x509-security.md

@@ -243,7 +243,18 @@ If you are using issuer stores, then no config upgrade needs to be performed for
 ## Acquire the X.509 certificates
 To secure communication within the cluster, you first need to obtain X.509 certificates for your cluster nodes. Additionally, to limit connection to this cluster to authorized machines/users, you need to obtain and install certificates for the client machines.
 
-For clusters that are running production workloads, use a [certificate authority (CA)](https://en.wikipedia.org/wiki/Certificate_authority)-signed X.509 certificate to secure the cluster. For more information on how to obtain these certificates, see [How to obtain a certificate](https://msdn.microsoft.com/library/aa702761.aspx).
+For clusters that are running production workloads, use a [certificate authority (CA)](https://en.wikipedia.org/wiki/Certificate_authority)-signed X.509 certificate to secure the cluster. For more information on how to obtain these certificates, see [How to obtain a certificate](https://msdn.microsoft.com/library/aa702761.aspx). 
+
+There are a number of properties that the certificate must have in order to function properly:
+
+1. The certificate's provider must be **Microsoft Enhanced RSA and AES Cryptographic Provider**
+
+2. When creating an RSA key, make sure the key is **2048 bits**.
+
+3. The Key Usage extension has a value of **Digital Signature, Key Encipherment (a0)**
+
+4. The Enhanced Key Usage extension has values of **Server Authentication** (OID: 1.3.6.1.5.5.7.3.1) and **Client Authentication** (OID: 1.3.6.1.5.5.7.3.2)
+
 
 For clusters that you use for test purposes, you can choose to use a self-signed certificate.