Updated certificate acquisition guidance.

Nicolas Oman · web-flow · commit 56858c9b4d70 · 2020-04-13T10:54:34.000-07:00
Fixes https://github.com/MicrosoftDocs/azure-docs/issues/46065 and https://github.com/MicrosoftDocs/azure-docs/issues/46076
diff --git a/articles/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn.md b/articles/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn.md
@@ -15,12 +15,12 @@ No two certificates can have the same thumbprint, which makes cluster certificat
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
 ## Get a certificate
-First, get a certificate from a [certificate authority (CA)](https://wikipedia.org/wiki/Certificate_authority).  The common name of the certificate should be the host name of the cluster.  For example, "myclustername.southcentralus.cloudapp.azure.com".  
+First, get a certificate from a [certificate authority (CA)](https://wikipedia.org/wiki/Certificate_authority).  The common name of the certificate should be for the custom domain you own, and bought from a domain registrar. For example, "azureservicefabricbestpractices.com"; those whom are not Microsoft employees can not provision certs for MS domains, so you can not use the DNS names of your LB or Traffic Manager as common names for your certificate, and you will need to provision a [Azure DNS Zone](https://docs.microsoft.com/azure/dns/dns-delegate-domain-azure-dns) if your custom domain to be resolvable in Azure. You will also want to declare your custom domain you own as your cluster's "managementEndpoint" if you want portal to reflect the custom domain alias for your cluster.
 
 For testing purposes, you could get a CA signed certificate from a free or open certificate authority.
 
 > [!NOTE]
-> Self-signed certificates, including those generated when deploying a Service Fabric cluster in the Azure portal, are not supported.
+> Self-signed certificates, including those generated when deploying a Service Fabric cluster in the Azure portal, are not supported. 
 
 ## Upload the certificate and install it in the scale set
 In Azure, a Service Fabric cluster is deployed on a virtual machine scale set.  Upload the certificate to a key vault and then install it on the virtual machine scale set that the cluster is running on.
