Merge pull request #296102 from PatAltimore/patricka-est

Update EST dockerfile and clarify use

Author: v-shils

articles/iot-edge/media/tutorial-configure-est-server/est-procedure.png

@@ -3,7 +3,7 @@ title: Tutorial - Configure Enrollment over Secure Transport Server (EST) for Az
 description: This tutorial shows you how to set up an Enrollment over Secure Transport (EST) server for Azure IoT Edge.
 author: PatAltimore
 ms.author: patricka
-ms.date: 11/07/2024
+ms.date: 03/10/2025
 ms.topic: tutorial
 ms.service: azure-iot-edge
 services: iot-edge
@@ -15,16 +15,14 @@ services: iot-edge
 
 With Azure IoT Edge, you can configure your devices to use an Enrollment over Secure Transport (EST) server to manage x509 certificates.
 
-This tutorial walks you through hosting a test EST server and configuring an IoT Edge device for the enrollment and renewal of x509 certificates. In this tutorial, you learn how to:
+This tutorial walks you through hosting a test EST server and configuring an IoT Edge device for the enrollment and renewal of device identity x509 certificates. In this tutorial, you learn how to:
 
 > [!div class="checklist"]
 >
-> * Create and host a test EST server
+> * Create and host a test EST server for device identity certificates
 > * Configure DPS group enrollment
 > * Configure device
 
-:::image type="content" source="./media/tutorial-configure-est-server/est-procedure.png" alt-text="Diagram showing high-level overview of the three steps needed to complete this tutorial.":::
-
 ## Prerequisites
 
 * An existing IoT Edge device with the [latest Azure IoT Edge runtime](how-to-update-iot-edge.md) installed. If you need to create a test device, complete [Quickstart: Deploy your first IoT Edge module to a virtual Linux device](quickstart-linux.md).
@@ -43,7 +41,9 @@ Enrollment over Secure Transport (EST) is a cryptographic protocol that automate
 For certificate issuance and renewal, you need an EST server accessible to your devices.
 
 > [!IMPORTANT]
-> For enterprise grade solutions, consider: [GlobalSign IoT Edge Enroll](https://www.globalsign.com/en/iot-edge-enroll) or [DigiCert IoT Device Manager](https://www.digicert.com/iot/iot-device-manager).
+> For production, use [GlobalSign IoT Edge Enroll](https://www.globalsign.com/en/iot-edge-enroll) or [DigiCert IoT Device Manager](https://www.digicert.com/iot/iot-device-manager).
+>
+> For more information using GlobalSign's EST service, see [Automatic IoT Edge Certificate Management with GlobalSign EST](https://techcommunity.microsoft.com/blog/iotblog/automatic-iot-edge-certificate-management-with-globalsign-est/4384385).
 
 For testing and development, you can use a test EST server. In this tutorial, we'll create a test EST server.
 
@@ -68,7 +68,7 @@ The Dockerfile uses Ubuntu 18.04, a [Cisco library called `libest`](https://gith
     > If you want to host your EST server in Azure Container Instance, change `myestserver.westus.azurecontainer.io` to the DNS name of your EST server. When choosing a DNS name, be aware the DNS label for an Azure Container instance must be at least five characters in length.
 
     ```dockerfile
-    # DO NOT USE IN PRODUCTION - Use only for testing #
+    # DO NOT USE IN PRODUCTION - Use only for testing 
 
     FROM ubuntu:18.04
 
@@ -83,11 +83,27 @@ The Dockerfile uses Ubuntu 18.04, a [Cisco library called `libest`](https://gith
 
     # Setting the root CA expiration to 20 years
     RUN sed -i "s|-days 365|-days 7300 |g" ./createCA.sh
-     
+    
+    ## If you want to use the EST server to issue Edge CA certificates, 
+    ## uncomment the RUN sed section after this comment block. 
+    ## The sed commands add special extensions for Edge CA certificates. For more information see: 
+    ## https://learn.microsoft.com/azure/iot-edge/how-to-manage-device-certificates?tabs=windows#edge-ca-in-production
+    ##
+    ## IMPORTANT:
+    ##   DO NOT issue Edge CA certificates in production.
+    ##   For production, use digital certificates from a trusted CA.
+    ##   See https://techcommunity.microsoft.com/blog/iotblog/automatic-iot-edge-certificate-management-with-globalsign-est/4384385
+    ##
+    ##   Using EST for Edge CA is for demonstration and learning purposes only.
+    ##
+    # RUN sed -i "s|basicConstraints=CA:FALSE|basicConstraints=critical,CA:TRUE,pathlen:0|g" ./estExampleCA.cnf && \
+    #     sed -i "s|keyUsage=digitalSignature|keyUsage=critical,digitalSignature,keyCertSign|g" ./estExampleCA.cnf && \
+    #     sed -i "s|authorityKeyIdentifier=keyid|authorityKeyIdentifier=keyid:always|g" ./estExampleCA.cnf
+
     ## If you want to host your EST server remotely (for example, an Azure Container Instance),
     ## change myestserver.westus.azurecontainer.io to the fully qualified DNS name of your EST server
     ## OR, change the IP address
-    ## and uncomment the corresponding line.
+    ## and uncomment the corresponding lines.
     # RUN sed -i "s|DNS.2 = ip6-localhost|DNS.2 = myestserver.westus.azurecontainer.io|g" ./ext.cnf
     # RUN sed -i "s|IP.2 = ::1|IP.2 = <YOUR EST SERVER IP ADDRESS>|g" ./ext.cnf