Merge pull request #280017 from johnmarco/jm-arc-change-esu-certs

Arc servers: Changes ESUs certs info

Author: denrea

articles/azure-arc/servers/prepare-extended-security-updates.md

@@ -1,7 +1,7 @@
 ---
 title: How to prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc
 description: Learn how to prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc.
-ms.date: 01/03/2024
+ms.date: 07/03/2024
 ms.topic: conceptual
 ---
 
@@ -68,6 +68,17 @@ Connectivity options include public endpoint, proxy server, and private link or
 > [!TIP]
 > To take advantage of the full range of offerings for Arc-enabled servers, such as extensions and remote connectivity, ensure that you allow the additional URLs that apply to your scenario. For more information, see [Connected machine agent networking requirements](network-requirements.md).
 
+## Required Certificate Authorities
+
+The following [Certificate Authorities](/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list) are required for Extended Security Updates for Windows Server 2012:
+
+- [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt)
+- [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt)
+- [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt)
+- [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt)
+
+If necessary, these Certificate Authorities can be [manually download and installed](troubleshoot-extended-security-updates.md#option-2-manually-download-and-install-the-intermediate-ca-certificates).
+
 ## Next steps
 
 * Find out more about [planning for Windows Server and SQL Server end of support](https://www.microsoft.com/en-us/windows-server/extended-security-updates) and [getting Extended Security Updates](/windows-server/get-started/extended-security-updates-deploy).

articles/azure-arc/servers/troubleshoot-extended-security-updates.md

@@ -1,7 +1,7 @@
 ---
 title: How to troubleshoot delivery of Extended Security Updates for Windows Server 2012 through Azure Arc
 description: Learn how to troubleshoot delivery of Extended Security Updates for Windows Server 2012 through Azure Arc.
-ms.date: 05/22/2024
+ms.date: 07/03/2024
 ms.topic: conceptual
 ---
 
@@ -79,20 +79,18 @@ Once the network changes are made to allow access to the PKI URL, try installing
 If you're unable to allow access to the PKI URL from your servers, you can manually download and install the certificates on each machine.
 
 1. On any computer with internet access, download these intermediate CA certificates:
-    1. [Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt)
-    1. [Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002%20-%20xsign.crt)
-    1. [Microsoft Azure TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005%20-%20xsign.crt)
-    1. [Microsoft Azure TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006%20-%20xsign.crt)
+    1. [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt)
     1. [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt)
+    1. [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt)
+    1. [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt)
 1. Copy the certificate files to your Windows Server 2012 (R2) machines.
 1. Run any one set of the following commands in an elevated command prompt or PowerShell session to add the certificates to the "Intermediate Certificate Authorities" store for the local computer. The command should be run from the same directory as the certificate files. The commands are idempotent and won't make any changes if you've already imported the certificate:
 
     ```
-    certutil -addstore CA "Microsoft Azure TLS Issuing CA 01 - xsign.crt"
-    certutil -addstore CA "Microsoft Azure TLS Issuing CA 02 - xsign.crt"
-    certutil -addstore CA "Microsoft Azure TLS Issuing CA 05 - xsign.crt"
-    certutil -addstore CA "Microsoft Azure TLS Issuing CA 06 - xsign.crt"
+    certutil -addstore CA "Microsoft Azure RSA TLS Issuing CA 03 - xsign.crt"
     certutil -addstore CA "Microsoft Azure RSA TLS Issuing CA 04 - xsign.crt"
+    certutil -addstore CA "Microsoft Azure RSA TLS Issuing CA 07 - xsign.crt"
+    certutil -addstore CA "Microsoft Azure RSA TLS Issuing CA 08 - xsign.crt"
     ```
 
 1. Try installing the Windows updates again. You may need to reboot your computer for the validation logic to recognize the newly imported intermediate CA certificates.