
Commit 1e05a6e

Merge branch 'patch-61' of https://github.com/jessie-jyy/azure-docs-pr into afd-cert
2 parents f6a0a74 + 5d6e4bd commit 1e05a6e

1 file changed

+8
-48
lines changed

articles/cdn/cdn-custom-ssl.md

Lines changed: 8 additions & 48 deletions
@@ -54,10 +54,6 @@ Before you can complete the steps in this tutorial, create a CDN profile and at
5454

5555
Associate an Azure CDN custom domain on your CDN endpoint. For more information, see [Tutorial: Add a custom domain to your Azure CDN endpoint](cdn-map-content-to-custom-domain.md).
5656

57-
> [!IMPORTANT]
58-
> CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.
59-
>
60-
6157
---
6258

6359
## TLS/SSL certificates
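Review bot: The root/apex restriction removed at old lines 57-59 now appears only as the third bullet of the Option 1 [!IMPORTANT] block added in the next hunk, so it is no longer shown ahead of the tab selector. If the move is intended, consider leaving a one-line pointer here so a reader with a root or apex domain learns that Bring your own certificate is required before starting the steps.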
@@ -66,11 +62,13 @@ To enable HTTPS on an Azure CDN custom domain, you use a TLS/SSL certificate. Yo
6662

6763
# [Option 1 (default): Enable HTTPS with a CDN-managed certificate](#tab/option-1-default-enable-https-with-a-cdn-managed-certificate)
6864

69-
Azure CDN handles certificate management tasks such as procurement and renewal. After you enable the feature, the process starts immediately.
70-
71-
If the custom domain is already mapped to the CDN endpoint, no further action is needed. Azure CDN processes the steps and completes your request automatically.
65+
Using a certificate managed by Azure CDN allows you to enable HTTPS with a few settings changes. Azure CDN handles all certificate management tasks, including procurement and renewal. This is supported for custom domains with direct CNAME to Azure CDN endpoint.
66+
> [!IMPORTANT]
7267
73-
If your custom domain is mapped elsewhere, use email to validate your domain ownership.
68+
> - As of May 8, 2025, DigiCert no longer supports the WHOIS-based domain validation method. Hence, if your domains with indirect CNAME to Azure CDN endpoint, you must use the Bring your own certificate feature.
69+
> - Due to the WHOIS-based domain validation, managed certificate issued using WHOIS-based domain validation can't be auto renewed until you have direct CNAME pointed to Azure CDN.
70+
> - CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.
71+
> - Managed certificate autorenewal requires that your custom domain be directly mapped to your CDN endpoint by a CNAME record.
7472
7573
To enable HTTPS on a custom domain, follow these steps:
7674

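Review bot: The first bullet of the new [!IMPORTANT] block (new line 68) is not a complete sentence: "if your domains with indirect CNAME to Azure CDN endpoint" has no verb, and neither "direct CNAME" nor "indirect CNAME" is defined anywhere in the visible text, so the reader cannot tell which case applies to them. Suggest wording such as "if your custom domain doesn't point directly to your Azure CDN endpoint with a CNAME record, you must use the Bring your own certificate feature", using the same "directly mapped ... by a CNAME record" phrasing as the fourth bullet. The second bullet (new line 69) opens with "Due to the WHOIS-based domain validation" and then repeats the phrase, and together with the fourth bullet (new line 71) it states the autorenewal requirement twice; merging them into one bullet that says what the owner of an existing WHOIS-validated certificate has to do before it expires would be clearer. "auto renewed" on line 69 should also match "autorenewal" and "autorenewed" used elsewhere in the file.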
@@ -143,12 +141,6 @@ Follow the steps in [Configure managed identity for Azure CDN](managed-identity.
143141

144142
## Validate the domain
145143

146-
If you have a custom domain in use mapped to your custom endpoint with a CNAME record or you're using your own certificate, continue to [Custom domain mapped to your Content Delivery Network endpoint](#custom-domain-is-mapped-to-your-cdn-endpoint-by-a-cname-record).
147-
148-
Otherwise, if the CNAME record entry for your endpoint no longer exists or it contains the cdnverify subdomain, continue to [Custom domain not mapped to your CDN endpoint](#custom-domain-isnt-mapped-to-your-cdn-endpoint).
149-
150-
### Custom domain is mapped to your CDN endpoint by a CNAME record
151-
152144
When you added a custom domain to your endpoint, you created a CNAME record in the DNS domain registrar mapped to your CDN endpoint hostname.
153145

154146
If that CNAME record still exists and doesn't contain the cdnverify subdomain, the DigiCert CA uses it to automatically validate ownership of your custom domain.
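Review bot: The unchanged sentence at new line 146 still conditions automatic validation on the CNAME record existing and not containing the cdnverify subdomain, but the removed paragraph at old line 148 was the visible text that told readers what to do when that condition is not met. Suggest adding a sentence after line 146 that sends those readers to the Bring your own certificate option, in line with the new [!IMPORTANT] block. The removed heading at old line 150 and the in-page anchors `#custom-domain-is-mapped-to-your-cdn-endpoint-by-a-cname-record` and `#custom-domain-isnt-mapped-to-your-cdn-endpoint` should also be checked for inbound links from other articles.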
@@ -166,44 +158,12 @@ Your CNAME record should be in the following format:
166158

167159
For more information about CNAME records, see [Create the CNAME DNS record](./cdn-map-content-to-custom-domain.md).
168160

169-
If your CNAME record is in the correct format, DigiCert automatically verifies your custom domain name and creates a certificate for your domain. DigitCert doesn't send you a verification email and you don't need to approve your request. The certificate is valid for one year and will be autorenewed before it expires. Continue to [Wait for propagation](#wait-for-propagation).
170-
171-
Automatic validation typically takes a few hours. If you don't see your domain validated in 24 hours, open a support ticket.
161+
If your CNAME record is in the correct format, DigiCert automatically verifies your custom domain name and creates a certificate for your domain. The certificate is valid for one year and will be autorenewed before it expires. Automatic validation typically takes a few hours. If you don't see your domain validated in 24 hours, open a support ticket.
162+
Continue to [Wait for propagation](#wait-for-propagation).
172163

173164
>[!NOTE]
174165
> If you have a Certificate Authority Authorization (CAA) record with your DNS provider, it must include the appropriate CAs for authorization. DigiCert is the CA for Azure CDN profiles. For information about managing CAA records, see [Manage CAA records](https://support.dnsimple.com/articles/manage-caa-record/). For a CAA record tool, see [CAA Record Helper](https://sslmate.com/caa/).
175166
176-
### Custom domain isn't mapped to your CDN endpoint
177-
178-
If the CNAME record entry contains the cdnverify subdomain, follow the rest of the instructions in this step.
179-
180-
DigiCert sends a verification email to the following email addresses. Verify that you can approve directly from one of the following addresses:
181-
182-
183-
184-
185-
186-
187-
188-
You should receive an email in a few minutes for you to approve the request. In case you're using a spam filter, add [email protected] to its allowlist. If you don't receive an email within 24 hours, contact Microsoft support.
189-
190-
:::image type="content" source="./media/cdn-custom-ssl/domain-validation-email.png" alt-text="Screenshot of the domain validation email.":::
191-
192-
When you select the approval link, you're directed to the following online approval form:
193-
194-
:::image type="content" source="./media/cdn-custom-ssl/domain-validation-form.png" alt-text="Screenshot of the domain validation form.":::
195-
196-
Follow the instructions on the form; you have two verification options:
197-
198-
- You can approve all future orders placed through the same account for the same root domain; for example, contoso.com. This approach is recommended if you plan to add other custom domains for the same root domain.
199-
200-
- You can approve just the specific host name used in this request. Another approval is required for later requests.
201-
202-
After approval, DigiCert completes the certificate creation for your custom domain name. The certificate is valid for one year. If the CNAME record for your custom domain is added or updated to map to your endpoint hostname after verification, then it will be autorenewed before it's expired.
203-
204-
>[!NOTE]
205-
> Managed certificate autorenewal requires that your custom domain be directly mapped to your CDN endpoint by a CNAME record.
206-
207167
## Wait for propagation
208168

209169
After the domain name is validated, it can take up to 6-8 hours for the custom domain HTTPS feature to be activated. When the process completes, the custom HTTPS status in the Azure portal is changed to **Enabled**. The four operation steps in the custom domain dialog are marked as complete. Your custom domain is now ready to use HTTPS.
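Review bot: The removed lines at old 190 and 194 were the references to `./media/cdn-custom-ssl/domain-validation-email.png` and `./media/cdn-custom-ssl/domain-validation-form.png`, yet the commit changes only one file, so both images stay in the repository. If nothing else references them, delete them in the same change. On new line 161, the unconditional "will be autorenewed before it expires" is worth qualifying with the direct-CNAME requirement, since the note that carried that condition in this section (old lines 204-205) is removed and now appears only in the Option 1 [!IMPORTANT] block.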
