
Commit 7975415

Merge pull request #262595 from kgremban/jan5-baltimore
Latest baltimore updates
2 parents afbbdfc + 534a3c5 commit 7975415


2 files changed

+32
-15
lines changed


articles/iot-hub/iot-hub-tls-support.md

Lines changed: 22 additions & 7 deletions
@@ -5,7 +5,7 @@
55
author: kgremban
66
ms.service: iot-hub
77
ms.topic: conceptual
8-
ms.date: 06/29/2021
8+
ms.date: 01/05/2024
99
ms.author: kgremban
1010
---
1111

@@ -17,20 +17,35 @@ TLS 1.0 and 1.1 are considered legacy and are planned for deprecation. For more
1717

1818
## IoT Hub's server TLS certificate
1919

20-
During a TLS handshake, IoT Hub presents RSA-keyed server certificates to connecting clients. Its' root is the Baltimore Cybertrust Root CA. Because the Baltimore root is at end-of-life, we'll be migrating to a new root called DigiCert Global G2. This change will impact all devices currently connecting to IoT Hub. To prepare for this migration and for all other details, see [IoT TLS certificate update](https://aka.ms/iot-ca-updates).
20+
During a TLS handshake, IoT Hub presents RSA-keyed server certificates to connecting clients.In the past, the certificates were all rooted from the Baltimore Cybertrust Root CA. Because the Baltimore root is at end-of-life, we are in the process of migrating to a new root called DigiCert Global G2. This migration impacts all devices currently connecting to IoT Hub. For more information, see [IoT TLS certificate update](https://aka.ms/iot-ca-updates).
21+
22+
Although root CA migrations are rare, for resilience in the modern security landscape you should prepare your IoT scenario for the unlikely event that a root CA is compromised or an emergency root CA migration is necessary. We strongly recommend that all devices trust the following three root CAs:
23+
24+
* Baltimore CyberTrust root CA
25+
* DigiCert Global G2 root CA
26+
* Microsoft RSA root CA 2017
27+
28+
For links to download these certificates, see [Azure Certificate Authority details](../security/fundamentals/azure-CA-details.md).
2129

2230
### Elliptic Curve Cryptography (ECC) server TLS certificate (preview)
2331

24-
IoT Hub ECC server TLS certificate is available for public preview. While offering similar security to RSA certificates, ECC certificate validation (with ECC-only cipher suites) uses up to 40% less compute, memory, and bandwidth. These savings are important for IoT devices because of their smaller profiles and memory, and to support use cases in network bandwidth limited environments. The ECC server certificate's root is DigiCert Global Root G3.
32+
IoT Hub ECC server TLS certificate is available for public preview. While offering similar security to RSA certificates, ECC certificate validation (with ECC-only cipher suites) uses up to 40% less compute, memory, and bandwidth. These savings are important for IoT devices because of their smaller profiles and memory, and to support use cases in network bandwidth limited environments.
33+
34+
We strongly recommend that all devices using ECC trust the following two root CAs:
35+
36+
* DigiCert Global G3 root CA
37+
* Microsoft RSA root CA 2017
38+
39+
For links to download these certificates, see [Azure Certificate Authority details](../security/fundamentals/azure-CA-details.md).
2540

2641
To preview IoT Hub's ECC server certificate:
2742

2843
1. [Create a new IoT hub with preview mode on](iot-hub-preview-mode.md).
2944
1. [Configure your client](#tls-configuration-for-sdk-and-iot-edge) to include *only* ECDSA cipher suites and *exclude* any RSA ones. These are the supported cipher suites for the ECC certificate public preview:
30-
- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
31-
- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
32-
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
33-
- `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
45+
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
46+
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
47+
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
48+
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
3449
1. Connect your client to the preview IoT hub.
3550

3651
## TLS 1.2 enforcement available in select regions
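Review bot: the new "We strongly recommend that all devices trust the following three root CAs" list (added lines 22-26) presents the Baltimore CyberTrust root as a standing trust anchor, which conflicts with migrate-tls-certificate.md in this same PR, where the Baltimore root can be removed once the DPS migration completes on September 30, 2024; add one sentence saying Baltimore is kept only through the migration window, since leaving an end-of-life root trusted indefinitely widens the device trust store for no benefit. Two smaller points in the same hunk: new line 20 is missing the space after the period in `connecting clients.In the past`, and the ECC list (added lines 34-37) includes the Microsoft RSA root CA 2017 immediately after the text tells readers to exclude RSA cipher suites; a short note that the cipher-suite restriction constrains the server's leaf key type, not the signature algorithm of the chain above it, would stop readers from dropping that root. Also `Baltimore CyberTrust root CA` on line 24 and `Baltimore Cybertrust Root CA` on line 20 should use one spelling.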

articles/iot-hub/migrate-tls-certificate.md

Lines changed: 10 additions & 8 deletions
@@ -7,7 +7,7 @@ author: kgremban
77
ms.author: kgremban
88
ms.service: iot-hub
99
ms.topic: how-to
10-
ms.date: 11/03/2023
10+
ms.date: 01/16/2024
1111
---
1212

1313
# Migrate IoT Hub resources to a new TLS certificate root
@@ -23,9 +23,9 @@ You should start planning now for the effects of migrating your IoT hubs to the
2323
2424
## Timeline
2525

26-
The IoT Hub team began migrating IoT hubs in February, 2023 and the migration is complete except for hubs that have already been approved for a later migration. If your IoT hub is found to be using the Baltimore certificate without an agreement in place with the product team, your hub will be migrated without any further notice.
26+
The IoT Hub migration is complete except for hubs that have already been approved for an extension. If your IoT hub is found to be using the Baltimore certificate without an agreement in place with the product team, your hub will be migrated without any further notice.
2727

28-
After all IoT hubs have migrated, DPS will perform its migration between January 15 and February 15, 2024.
28+
After all IoT hubs have migrated, DPS will perform its migration between January 15 and September 30, 2024.
2929

3030
For each IoT hub with an extension agreement in place, you can expect the following:
3131
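Review bot: the rewritten line 26 drops the only statement of when the IoT Hub migration itself took place, while the FAQ further down this file still cites October 15, 2023 as the IoT Hub completion date; keep one dated sentence here (for example, "The IoT Hub migration completed on October 15, 2023, except for hubs approved for an extension") so the Timeline section stays the single authoritative schedule, and so the new DPS window on line 28 (January 15 to September 30, 2024) reads as the second stage of a dated sequence rather than the only date in the section.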

@@ -35,7 +35,7 @@ For each IoT hub with an extension agreement in place, you can expect the follow
3535

3636
### Request an extension
3737

38-
As of August, 2023 the extension request process is closed for IoT Hub and IoT Central. If your IoT hub is found to be using the Baltimore certificate without an extension agreement in place with the product team, your hub will be migrated without any further notice.
38+
As of August 2023 the extension request process is closed for IoT Hub and IoT Central. If your IoT hub is found to be using the Baltimore certificate without an extension agreement in place with the product team, your hub will be migrated without any further notice.
3939

4040
## Required steps
4141
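Review bot: the sentence on line 38 beginning `If your IoT hub is found to be using the Baltimore certificate` is a near-verbatim copy of the second sentence of the Timeline paragraph on line 26 of this file; keep it in one place (the Timeline) and have this section state only that the request process is closed as of August 2023, so the two copies cannot drift apart on the next edit.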

@@ -45,6 +45,8 @@ To prepare for the migration, take the following steps:
4545

4646
It's important to have all three certificates on your devices until the IoT Hub and DPS migrations are complete. Keeping the Baltimore CyberTrust Root ensures that your devices will stay connected until the migration, and adding the DigiCert Global Root G2 ensures that your devices will seamlessly switch over and reconnect after the migration. The Microsoft RSA Root Certificate Authority 2017 helps prevent future disruptions in case the DigiCert Global Root G2 is retired unexpectedly.
4747

48+
For more information about IoT Hub's recommended certificate practices, see [TLS support](./iot-hub-tls-support.md).
49+
4850
2. Make sure that you aren't pinning any intermediate or leaf certificates, and are using the public roots to perform TLS server validation.
4951

5052
IoT Hub and DPS occasionally roll over their intermediate certificate authority (CA). In these instances, your devices will lose connectivity if they explicitly look for an intermediate CA or leaf certificate. However, devices that perform validation using the public roots will continue to connect regardless of any changes to the intermediate CA.
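Review bot: the added line 48 (`For more information about IoT Hub's recommended certificate practices, ...`) sits inside numbered step 1, between that step's explanatory paragraph and step 2; confirm it carries the same indentation as the paragraph on line 46 above it, otherwise Markdown renders it as a top-level paragraph that breaks the list. The relative link `./iot-hub-tls-support.md` is correct for a sibling file in the same folder.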
@@ -59,9 +61,9 @@ To know whether an IoT hub has been migrated or not, check the active certificat
5961

6062
1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.
6163

62-
1. Select **Certificates** in the **Security settings** section of the navigation menu.
64+
1. Select **Export template** in the **Automation** section of the navigation menu.
6365

64-
1. If the **Certificate root** is listed as Baltimore CyberTrust, then the hub has not been migrated yet. If it is listed as DigiCert Global G2, then the migration is complete.
66+
1. Wait for the template to generate, then navigate to the **resources.properties.features** property in the JSON template. If **RootCertificateV2** is listed as a feature, then your hub has been migrated to DigiCert Global G2.
6567

6668
# [Azure CLI](#tab/cli)
6769
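Review bot: on new line 66, `resources.properties.features` is not a literal path in an exported ARM template, because `resources` is an array; say instead that the reader should locate the IoT hub resource entry in the `resources` array and inspect its `properties.features` list. The removed line 64 told the reader what both outcomes mean, whereas the replacement states only the migrated case; add that the absence of `RootCertificateV2` means the hub is still on the Baltimore root. Finally, the `# [Azure CLI](#tab/cli)` tab that follows should be checked for the same change, since the portal tab no longer refers to the **Certificates** blade and the two tabs should describe the same signal.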

@@ -102,7 +104,7 @@ Yes, IoT Central uses both IoT Hub and DPS in the backend. The TLS migration wil
102104

103105
You can migrate your application from the Baltimore CyberTrust Root to the DigiCert Global G2 Root on your own schedule. We recommend the following process:
104106

105-
1. **Keep the Baltimore CyberTrust Root on your device until the transition period is completed on 15 February 2024** (necessary to prevent connection interruption).
107+
1. **Keep the Baltimore CyberTrust Root on your device until the transition period is completed on September 30, 2024** (necessary to prevent connection interruption).
106108
2. **In addition** to the Baltimore Root, ensure the DigiCert Global G2 Root is added to your trusted root store.
107109
3. Make sure you aren’t pinning any intermediate or leaf certificates and are using the public roots to perform TLS server validation.
108110
4. In your IoT Central application you can find the Root Certification settings under **Settings** > **Application** > **Baltimore Cybertrust Migration**. 
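Review bot: line 107 now uses `September 30, 2024`, matching the Timeline and FAQ in this file, but the unchanged context line 110 still ends with a trailing space after `**Baltimore Cybertrust Migration**.`; trim it while touching this section. The bolded step 1 is also the third place in this file that states the Baltimore retention date literally; linking to the Timeline section instead of repeating the date would make a future extension a one-line change rather than three.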
@@ -120,7 +122,7 @@ Also, as part of the migration, your IoT hub might get a new IP address. If your
120122

121123
### When can I remove the Baltimore Cybertrust Root from my devices?
122124

123-
You can remove the Baltimore root certificate once all stages of the migration are complete. If you only use IoT Hub, then you can remove the old root certificate after the IoT Hub migration is scheduled to complete on October 15, 2023. If you use Device Provisioning Service or IoT Central, then you need to keep both root certificates on your device until the DPS migration is scheduled to complete on February 15, 2024.
125+
You can remove the Baltimore root certificate once all stages of the migration are complete. If you only use IoT Hub, then you can remove the old root certificate after the IoT Hub migration is scheduled to complete on October 15, 2023. If you use Device Provisioning Service or IoT Central, then you need to keep both root certificates on your device until the DPS migration is scheduled to complete on September 30, 2024.
124126

125127
## Troubleshoot
126128
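Review bot: line 125 still says the IoT Hub migration `is scheduled to complete on October 15, 2023`, which is in the past relative to this file's ms.date (01/16/2024) and contradicts the Timeline section's statement that the IoT Hub migration is complete; change it to past tense (`completed on October 15, 2023`) and keep `scheduled to complete` only for the DPS date of September 30, 2024.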
