Merge pull request #271656 from PatAltimore/patricka-est-icm

prmerger-automator[bot] · web-flow · commit 47393a61c676 · 2024-04-09T21:25:59.000Z
Clarify EST auto-renew settings
diff --git a/articles/iot-edge/how-to-manage-device-certificates.md b/articles/iot-edge/how-to-manage-device-certificates.md
@@ -5,7 +5,7 @@ description: How to install and manage certificates on an Azure IoT Edge device
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 03/19/2024
+ms.date: 04/09/2024
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -597,6 +597,8 @@ threshold = "80%"
 retry = "4%"
 ```
 
+Automatic renewal for Edge CA must be enabled when issuance method is set to EST. Edge CA expiration must be avoided as it breaks many IoT Edge functionalities. If a situation requires total control over Edge CA certificate lifecycle, use the [manual Edge CA management method](#example-use-edge-ca-certificate-files-from-pki-provider) instead.
+
 Don't use EST or `auto_renew` with other methods of provisioning, including manual X.509 provisioning with IoT Hub and DPS with individual enrollment. IoT Edge can't update certificate thumbprints in Azure when a certificate is renewed, which prevents IoT Edge from reconnecting.
 
 ### Example: automatic Edge CA management with EST
@@ -612,19 +614,13 @@ url = "https://ca.example.org/.well-known/est"
 
 bootstrap_identity_cert = "file:///var/aziot/my-est-id-bootstrap-cert.pem"
 bootstrap_identity_pk = "file:///var/aziot/my-est-id-bootstrap-pk.key.pem"
-```
-
-By default, and when there's no specific `auto_renew` configuration, Edge CA automatically renews at 80% certificate lifetime if EST is set as the method. You can update the auto renewal values to other values. For example:
 
-```toml
 [edge_ca.auto_renew]
 rotate_key = true
 threshold = "90%"
 retry = "2%"
 ```
 
-Automatic renewal for Edge CA can't be disabled when issuance method is set to EST, since Edge CA expiration must be avoided as it breaks many IoT Edge functionalities. If a situation requires total control over Edge CA certificate lifecycle, use the [manual Edge CA management method](#example-use-edge-ca-certificate-files-from-pki-provider) instead.
-
 ## Module server certificates
 
 Edge Daemon issues module server and identity certificates for use by Edge modules. It remains the responsibility of Edge modules to renew their identity and server certificates as needed.
