Merge pull request #303688 from shlipsey3/managed-tls-changes-073125

managed-tls-changes-073125

Author: JamesJBarnett

articles/security/fundamentals/TOC.yml

@@ -153,10 +153,8 @@
       href: azure-ca-details.md
     - name: Certificate Pinning
       href: certificate-pinning.md
-    - name: Sunset for SHA-1 OCSP signing
-      href: ocsp-sha-1-sunset.md
-    - name: TLS certificate changes
-      href: tls-certificate-changes.md
+    - name: Managed TLS changes
+      href: managed-tls-changes.md
   - name: Disk encryption
     items: 
     - name: Best practices

articles/security/fundamentals/azure-CA-details.md

@@ -5,11 +5,11 @@ services: security
 ms.service: security
 ms.subservice: security-fundamentals
 ms.custom: devx-track-extended-java
-ms.topic: conceptual
-ms.date: 03/31/2025
+ms.topic: concept-article
+ms.date: 07/31/2025
 ms.author: sarahlipsey
 author: shlipsey3
-manager: femila
+manager: pmwongera
 ms.reviewer: quentinb
 ---
 # Azure Certificate Authority details
@@ -249,7 +249,7 @@ To determine if the **Microsoft ECC Root Certificate Authority 2017** and **Micr
 
 The CA/Browser Forum updated the Baseline Requirements to require all publicly trusted Public Key Infrastructures (PKIs) to end usage of the SHA-1 hash algorithms for Online Certificate Standard Protocol (OCSP) on May 31, 2022. Microsoft updated all remaining OCSP Responders that used the SHA-1 hash algorithm to use the SHA-256 hash algorithm.
 
-Microsoft updated Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs) on February 15, 2021, to comply with changes set forth by the CA/Browser Forum Baseline Requirements. Some services finalized these updates in 2022.
+Microsoft updated Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs) on February 15, 2021, to comply with changes set forth by the CA/Browser Forum Baseline Requirements. Some services finalized these updates in 2022. For the latest information regarding managed TLS and Azure, see [Managed TLS changes](managed-tls-changes.md).
 
 ### Article change log
 

articles/security/fundamentals/managed-tls-changes.md

@@ -0,0 +1,42 @@
+---
+title: Changes to the Managed TLS Feature
+description: Learn about changes to the Azure managed TLS solution and domain control validation process.
+services: security
+ms.service: security
+ms.subservice: security-fundamentals
+ms.topic: concept-article
+ms.date: 07/31/2025
+
+ms.author: sarahlipsey
+author: shlipsey3
+manager: pmwongera
+ms.reviewer: quentinb
+---
+
+# Changes to the managed TLS feature
+
+Azure offers a comprehensive managed TLS solution integrated with services such as Azure Front Door (AFD) and CDN Classic, Azure Front Door Standard/Premium SKU, Azure API Management, Azure App Service, Azure Container Apps, and Azure Static Web Apps. This capability includes managed TLS server certificates for customer vanity domains, provided by DigiCert.
+
+DigiCert is transitioning to a new open-source software (OSS) domain control validation (DCV) platform designed to enhance transparency and accountability in domain validation processes. DigiCert will no longer support the legacy CNAME Delegation DCV workflow for domain control validation in the specified Azure services.
+
+Consequently, these Azure services will be introducing an enhanced domain control validation process, aiming to significantly expedite domain validation and address key vulnerabilities in the user experience.
+
+This change does not impact the standard CNAME DCV process for DigiCert customers, where validation uses a random value in the CNAME record. Only a unique method previously exclusive to Microsoft is being retired.
+
+## Frequently asked questions
+
+**Q: What is domain control validation?**
+
+A: Domain Control Validation (DCV) is a critical process used to verify that an entity requesting a TLS/SSL certificate has legitimate control over the domain(s) listed in the certificate.
+
+**Q: Is support for vanity domains being retired?**
+
+A: No. The feature is very much supported and in fact is receiving several key updates that improve the overall user experience.
+
+> [!NOTE]
+> AFD classic and CDN Classic SKUs, which are on the path to deprecation, are retiring support for adding new vanity domains. For more information, see [Azure Front Door (classic) and Azure CDN from Microsoft Classic SKU ending CNAME based domain validation and new domain/profile creations by August 15, 2025](https://azure.microsoft.com/updates?id=498522). Customers are recommended to use managed certificates with AFD Standard and Premium SKUs for new vanity domains.
+
+**Q: Is DigiCert retiring CNAME domain control validation?**
+
+A: No. Only this specific CNAME validation method unique to Azure services is being retired. The CNAME DCV method used by DigiCert customers, such as the one described for DigiCert [OV/EV certificates](https://docs.digicert.com/en/certcentral/manage-certificates/supported-dcv-methods-for-validating-the-domains-on-ov-ev-tls-ssl-certificate-orders/use-the-dns-cname-validation-method-to-verify-domain-control.html) and [DV certificates](https://docs.digicert.com/en/certcentral/manage-certificates/dv-certificate-enrollment/domain-control-validation--dcv--methods/use-the-dns-cname-dcv-method.html) is not impacted. Only Azure is impacted by this change.
+