Commit 4ec58fc

Wording re quickstart renew
1 parent c40d61f commit 4ec58fc

1 file changed

+11
-7
lines changed

articles/iot-edge/how-to-manage-device-certificates.md

Lines changed: 11 additions & 7 deletions
@@ -17,8 +17,8 @@ All IoT Edge devices use certificates to create secure connections between the r
1717

1818
## Install production certificates
1919

20-
When you first install IoT Edge and provision your device, the device is set up with temporary certificates so that you can test the service.
21-
These temporary certificates expire in 90 days, or can be reset by restarting your machine.
20+
When you first install IoT Edge and provision your device, the device is set up with temporary certificates (known as quickstart CA) so that you can test the service.
21+
These temporary certificates expire in 90 days.
2222
Once you move into a production scenario, or you want to create a gateway device, you need to provide your own certificates.
2323
This article demonstrates the steps to install certificates on your IoT Edge devices.
2424
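Review bot: In the added line 20, "temporary certificates (known as quickstart CA)" equates a plural with a single CA, while the later hunks define the quickstart CA as one specific certificate (the device CA or edge CA certificate), so the term is introduced here with a looser meaning than the rest of the file uses. Suggest naming the certificate, for example "a temporary self-signed CA certificate (known as the quickstart CA)". Line 21 also drops the "can be reset by restarting your machine" clause without a replacement; a pointer to the renewal section would tell readers what happens when the 90 days run out.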

@@ -213,11 +213,14 @@ If you are using IoT Edge for Linux on Windows, you need to use the SSH key loca
213213

214214
IoT Edge has built-in ability to renew certificates before expiry.
215215

216-
Certificates can only auto-renew if you have a certificate issuance method set, like EST. It must be configured per type of certificate. To configure, go to the relevant certificate configuration section in `config.toml` and add:
216+
Certificates renewal requires an issuance method that IoT Edge can manage. Generally, this means an EST server is required, but IoT Edge can also automatically renew the quickstart CA without configuration. Certificate renewal is configured per type of certificate. To configure, go to the relevant certificate configuration section in `config.toml` and add:
217217

218218
```toml
219219
# To use auto renew with other types of certs, swap `edge_ca` with other certificate types
220220
# And put into the relevant section
221+
[edge_ca]
222+
method = "est"
223+
#...
221224
[edge_ca.auto_renew]
222225
rotate_key = true
223226
threshold = "80%"
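Review bot: The new paragraph at line 216 says the quickstart CA renews "without configuration" and then goes straight to "To configure, ... add:", while the sample now hard-codes `method = "est"` under `[edge_ca]`, so a reader on the quickstart CA cannot tell whether the `[edge_ca.auto_renew]` settings apply to them or whether `method` must be left out. Suggest one sentence stating which settings belong to each case, and replace the bare `#...` with a comment saying what is elided. Also, "Certificates renewal requires" should read "Certificate renewal requires".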
@@ -234,20 +237,20 @@ Here:
234237
:::moniker-end
235238
<!-- end iotedge-2020-11 -->
236239

237-
## Customize certificate lifetime
240+
## Customize quickstart CA lifetime
238241

239242
IoT Edge automatically generates certificates on the device in several cases, including:
240243

241244
<!-- 1.1. -->
242245
:::moniker range="iotedge-2018-06"
243-
* If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates a **device CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days.
246+
* If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates a **device CA certificate**. This self-signed certificate is known as the quickstart CA and only meant for development and testing scenarios, not production. This certificate expires after 90 days.
244247
* The IoT Edge security manager also generates a **workload CA certificate** signed by the device CA certificate
245248
:::moniker-end
246249
<!-- end 1.1 -->
247250

248251
<!-- 1.2 -->
249252
:::moniker range=">=iotedge-2020-11"
250-
If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates an **edge CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days.
253+
If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates an **edge CA certificate**. This self-signed certificate is known as the quickstart CA and only meant for development and testing scenarios, not production. This certificate expires after 90 days.
251254
:::moniker-end
252255
<!-- end 1.2 -->
253256
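Review bot: The heading at line 240 now limits the section to the quickstart CA, but the unchanged intro still says IoT Edge generates certificates "in several cases" and the 1.1 list still covers the workload CA certificate, so the title no longer matches the body. Either keep the broader title or narrow the intro and the list; renaming the heading also changes its generated anchor, so inbound links to the old one need checking. In the added lines 246 and 253, "is known as the quickstart CA and only meant for" needs a second verb ("and is only meant for").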

@@ -365,7 +368,8 @@ Upon expiry after the specified number of days, IoT Edge has to be restarted to
365368

366369
<!-- 1.2 -->
367370
:::moniker range=">=iotedge-2020-11"
368-
### Renew Edge CA
371+
372+
### Renew quickstart Edge CA
369373

370374
By default, IoT Edge automatically regenerates the Edge CA certificate when at 80% of the certificate lifetime. So for certificate with 90 day lifetime, IoT Edge automatically regenerates the Edge CA certificate at 72 days from issuance.
371375
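Review bot: The heading at line 372 becomes "Renew quickstart Edge CA", but the paragraph under it still describes "the Edge CA certificate" in general, which reads as if any Edge CA regenerates at 80% by default, whereas the renewal paragraph earlier in this change says renewal generally requires an issuance method such as EST. Suggest changing the body to "the quickstart Edge CA certificate" as well. The capitalisation also differs from the "edge CA certificate" spelling used in the lifetime section.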
