Commit 35e5ef2

jesusbar review
1 parent 8f300aa commit 35e5ef2

File tree

3 files changed

+19
-3
lines changed

articles/iot-dps/concepts-x509-attestation.md

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,23 @@ Imagine that Contoso is a large corporation with its own Public Key Infrastructu
4949

5050
A *leaf certificate*, or *end-entity certificate*, identifies a certificate holder. It has the root certificate in its certificate chain and zero or more intermediate certificates. A leaf certificate is not used to sign any other certificates. It uniquely identifies a device to the provisioning service and is sometimes referred to as a *device certificate*. During authentication, a device uses the private key associated with its certificate to respond to a proof of possession challenge from the service.
5151

52-
## Use X.509 certificates with DPS
52+
## Prepare certificates
53+
54+
Devices use two different types of certificates when they connect to IoT Hub through DPS. When preparing your device, make sure you have all the proper certificates created and added to the device before connecting.
55+
56+
* Public root certificates: All devices need a copy of the public root certificates that IoT Hub, IoT Central, and Device Provisioning Service use to authorize connections.
57+
* Authentication certificates: X.509 certificates are the recommended method for authenticating a device identity.
58+
59+
### Required public root certificates
60+
61+
Azure IoT devices use TLS to verify the authenticity of the IoT hub or DPS endpoint they're connecting to. Each device needs a copy of the root certificate that IoT Hub and DPS use. We recommend that all devices include the following root CAs in their trusted certificate store:
62+
63+
* DigiCert Global G2 root CA
64+
* Microsoft RSA root CA 2017
65+
66+
For more information about recommended certificate practices, see [TLS support](./tls-support.md).
67+
68+
## Authentication using X.509 certificates
5369

5470
The provisioning service exposes two enrollment types that you can use to control device access with the X.509 attestation mechanism:
5571
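Review bot: the new "Required public root certificates" text describes the roots' role inaccurately and uses the singular where the list that follows has two entries. The bullet "All devices need a copy of the public root certificates that IoT Hub, IoT Central, and Device Provisioning Service use to authorize connections" should say the device uses these roots to verify the service endpoint's TLS server certificate (the surrounding paragraph already says this: "Azure IoT devices use TLS to verify the authenticity of the IoT hub or DPS endpoint"); "authorize" suggests the roots gate device access, which is the job of the authentication certificate in the next bullet. "Each device needs a copy of the root certificate that IoT Hub and DPS use" should read "root certificates", since both "DigiCert Global G2 root CA" and "Microsoft RSA root CA 2017" must be trusted for the rollover described in ./tls-support.md to be seamless. Also, renaming "## Use X.509 certificates with DPS" to "## Prepare certificates" and introducing "## Authentication using X.509 certificates" changes the generated heading anchors; please grep the repo for links to the old `#use-x509-certificates-with-dps` fragment and update them in this same change.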

articles/iot-dps/tls-support.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ The following table summarizes which SDK versions support the trusted certificat
120120

121121
### Certificate pinning
122122

123-
[Certificate pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and filtering of the TLS server certificates (also known as leaf certificates) and intermediate certificates associated with DPS endpoints is discouraged as Microsoft frequently rolls these certificates with little or no notice. If you must, only pin the root certificates as described in this [Azure IoT blog post](https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169).
123+
[Certificate pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and filtering of the TLS server certificates (also known as leaf certificates) and intermediate certificates associated with DPS endpoints is discouraged as Microsoft frequently rolls these certificates with little or no notice. If you must, only pin the root certificates.
124124

125125
## Use TLS 1.2 in the IoT SDKs
126126
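Review bot: dropping the techcommunity blog link removes the only pointer to which roots are safe to pin, so the rewritten sentence "If you must, only pin the root certificates" now leaves readers without a list. Since this file is the target of the "see [TLS support](./tls-support.md)" reference added in concepts-x509-attestation.md, the pinning paragraph should link to the trusted-root table this page already carries (the hunk context line starts "The following table summarizes which SDK versions support the trusted certificat…"), for example: "If you must, pin only the root certificates listed in the table above." The clause "If you must," also reads as a dangling fragment; "If you must pin, pin only the root certificates" is clearer.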

articles/iot-hub/iot-hub-tls-support.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ The following table summarizes which SDK versions support the trusted certificat
4444

4545
### Certificate pinning
4646

47-
[Certificate pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and filtering of the TLS server certificates (also known as leaf certificates) and intermediate certificates associated with IoT Hub endpoints is discouraged as Microsoft frequently rolls these certificates with little or no notice. If you must, only pin the root certificates as described in this [Azure IoT blog post](https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169).
47+
[Certificate pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and filtering of the TLS server certificates (also known as leaf certificates) and intermediate certificates associated with IoT Hub endpoints is discouraged as Microsoft frequently rolls these certificates with little or no notice. If you must, only pin the root certificates.
4848

4949
### Elliptic Curve Cryptography (ECC) server TLS certificate (preview)
5050
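Review bot: this is the same sentence edited in articles/iot-dps/tls-support.md, so the same fix applies: "If you must, only pin the root certificates." should name where the roots are listed and lose the dangling "If you must," clause, and the two files should stay in lockstep (consider sharing the paragraph via an include if the docs build supports it, so the next root rotation does not have to be edited twice). One extra point specific to this file: the section immediately below is "### Elliptic Curve Cryptography (ECC) server TLS certificate (preview)"; if the ECC server certificate chains to a different root than the RSA one, a device that pins only one root will fail the handshake once the ECC certificate is enabled, so the pinning guidance should state which roots cover both chains or cross-reference that section.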
