Merge pull request #299673 from dominicbetts/aio-2505-certificates

AIO 2505 release: certificates UI

Author: v-ccolin

articles/iot-operations/.openpublishing.redirection.iot-operations.json

@@ -477,13 +477,13 @@
         },
         {
             "source_path_from_root": "/articles/iot-operations/manage-mqtt-broker/concept-default-root-ca.md",
-            "redirect_url": "/azure/iot-operations/secure-iot-ops/concept-default-root-ca",
+            "redirect_url": "/azure/iot-operations/secure-iot-ops/howto-manage-certificates",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/iot-operations/deploy-iot-ops/concept-default-root-ca.md",
-            "redirect_url": "/azure/iot-operations/secure-iot-ops/concept-default-root-ca",
-            "redirect_document_id": true
+            "redirect_url": "/azure/iot-operations/secure-iot-ops/howto-manage-certificates",
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/iot-operations/get-started-end-to-end-sample/quickstart-add-assets.md",
@@ -549,6 +549,11 @@
             "source_path_from_root": "/articles/iot-operations/reference/observability-metrics-akri.md",
             "redirect_url": "/azure/iot-operations/reference/observability-metrics-opcua-broker",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/iot-operations/secure-iot-ops/concept-default-root-ca.md",
+            "redirect_url": "/azure/iot-operations/secure-iot-ops/howto-manage-certificates",
+            "redirect_document_id": true
         }
     ]
 }

articles/iot-operations/connect-to-cloud/howto-configure-mqtt-endpoint.md

@@ -38,7 +38,7 @@ The default endpoint uses the following settings:
 - Host: `aio-broker:18883` through the [default MQTT broker listener](../manage-mqtt-broker/howto-configure-brokerlistener.md#default-brokerlistener)
 - Authentication: service account token (SAT) through the [default BrokerAuthentication resource](../manage-mqtt-broker/howto-configure-authentication.md#default-brokerauthentication-resource)
 - TLS: Enabled
-- Trusted CA certificate: The default CA certificate `azure-iot-operations-aio-ca-trust-bundle` from the [default root CA](../deploy-iot-ops/concept-default-root-ca.md)
+- Trusted CA certificate: The default CA certificate `azure-iot-operations-aio-ca-trust-bundle` from the [default root CA](../secure-iot-ops/howto-manage-certificates.md#default-self-signed-issuer-and-root-ca-certificate-for-tls-server-certificates)
 
 > [!CAUTION]
 > Don't delete the default endpoint. If you delete the default endpoint, you must recreate it with the same settings.

articles/iot-operations/deploy-iot-ops/concept-production-guidelines.md

@@ -14,7 +14,7 @@ ms.service: azure-iot-operations
 
 Security and scalability are a priority for deploying Azure IoT Operations. This article outlines guidelines that you should take into consideration when setting up Azure IoT Operations for production.
 
-Decide whether you're deploying Azure IoT Operations to a single-node or multi-node cluster before considering the appropriate configuration. Many of the guidelines in this article apply regardless of the cluster type, but when there is a difference it's called out specifically.
+Decide whether you're deploying Azure IoT Operations to a single-node or multi-node cluster before considering the appropriate configuration. Many of the guidelines in this article apply regardless of the cluster type, but when there's a difference it's called out specifically.
 
 ## Platform
 
@@ -30,17 +30,17 @@ Create an Arc-enabled K3s cluster that meets the system requirements.
 
 * Use a [supported environment for Azure IoT Operations](../overview-iot-operations.md#supported-environments).
 * [Configure the cluster](./howto-prepare-cluster.md) according to documentation.
-* If you expect intermittent connectivity for your cluster, ensure that you've allocated enough disk space to the cluster cache data and messages while the [cluster is offline](../overview-iot-operations.md#offline-support).
+* If you expect intermittent connectivity for your cluster, ensure that you allocate enough disk space to the cluster cache data and messages while the [cluster is offline](../overview-iot-operations.md#offline-support).
 * If possible, have a second cluster as a staging area for testing new changes before deploying to the primary production cluster.
-* [Turn off auto-upgrade for Azure Arc](/azure/azure-arc/kubernetes/agent-upgrade#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) to have complete control over when new updates are applied to your cluster. Instead, [manually upgrade agents](/azure/azure-arc/kubernetes/agent-upgrade#manually-upgrade-agents) as needed.
+* [Turn off autoupgrade for Azure Arc](/azure/azure-arc/kubernetes/agent-upgrade#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) to have complete control over when new updates are applied to your cluster. Instead, [manually upgrade agents](/azure/azure-arc/kubernetes/agent-upgrade#manually-upgrade-agents) as needed.
 * *For multi-node clusters*: [Configure clusters with Edge Volumes](./howto-prepare-cluster.md#configure-multi-node-clusters-for-azure-container-storage) to prepare for enabling fault tolerance during deployment.
 
 ### Security
 
 Consider the following measures to ensure your cluster setup is secure before deployment.
 
 * [Validate images](../secure-iot-ops/howto-validate-images.md) to ensure they're signed by Microsoft.
-* When doing TLS encryption, [bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer) and integrate with an enterprise PKI.
+* When doing TLS encryption, [bring your own issuer](../secure-iot-ops/howto-manage-certificates.md#bring-your-own-issuer) and integrate with an enterprise PKI.
 * [Use secrets](../secure-iot-ops/howto-manage-secrets.md) for on-premises authentication.
 * Use [user-assigned managed identities](./howto-enable-secure-settings.md#set-up-a-user-assigned-managed-identity-for-cloud-connections) for cloud connections.
 * Keep your cluster and Azure IoT Operations deployment up to date with the latest patches and minor releases to get all available security and bug fixes.
@@ -127,7 +127,7 @@ When you create a new resource, manage its authorization:
 For connecting to assets at production, [configure OPC UA authentication](../discover-manage-assets/overview-opcua-broker-certificates-management.md):
 
 * Don't use no-auth. Connectivity to OPC UA servers isn't supported without authentication.
-* Set up a secure connection to OPC UA server. Use a production PKI and [configure application certificates](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-a-self-signed-application-instance-certificate) and [trust list](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-the-trusted-certificates-list).
+* Set up a secure connection to OPC UA server. Use a production PKI and [configure application certificates](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-a-self-signed-application-instance-certificate-for-the-connector-for-opc-ua) and [trust list](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-the-trusted-certificates-list).
 
 ### Data flows
 

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -52,7 +52,7 @@ A cluster host:
 
 * (Optional) Prepare your cluster for observability before deploying Azure IoT Operations: [Configure observability](../configure-observability-monitoring/howto-configure-observability.md).
 
-* (Optional) Configure your own certificate authority issuer before deploying Azure IoT Operations: [Bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer).
+* (Optional) Configure your own certificate authority issuer before deploying Azure IoT Operations: [Bring your own issuer](../secure-iot-ops/howto-manage-certificates.md#bring-your-own-issuer).
 
 ## Deploy
 
@@ -140,7 +140,7 @@ Use these steps if you chose the **Test settings** option on the **Dependency ma
    1. Prepare the cluster for Azure IoT Operations deployment. Copy and run the provided [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command.
 
       >[!TIP]
-      >The `init` command only needs to be run once per cluster. If you followed the optional prerequisite to set up your own certificate authority issuer, follow the steps in [Bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer).
+      >The `init` command only needs to be run once per cluster. If you followed the optional prerequisite to set up your own certificate authority issuer, follow the steps in [Bring your own issuer](../secure-iot-ops/howto-manage-certificates.md#bring-your-own-issuer).
 
       This command might take several minutes to complete. You can watch the progress in the deployment progress display in the terminal.
 

articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md

@@ -35,7 +35,7 @@ This article provides instructions for enabling secure settings if you didn't do
 
 ## Enable the cluster for secure settings
 
-To enable secrets synchronization for your Azure IoT Operations instance, your cluster must be enabled as an OIDC issuer and for workload identity federation. This configuration is required for the Secret Store extension to sync the secrets from an Azure Key Vault and store them on the edge as Kubernetes secrets.
+To enable secrets synchronization for your Azure IoT Operations instance, your cluster must be enabled as an OIDC issuer and for workload identity federation. This configuration is required for the [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension) to sync the secrets from an Azure Key Vault and store them on the edge as Kubernetes secrets.
 
 For Azure Kubernetes Service (AKS) clusters, the OIDC issuer and workload identity features can be enabled only at the time of cluster creation. For clusters on AKS Edge Essentials, the automated script enables these features by default. For AKS clusters on Azure Local, follow the steps to [Deploy and configure workload identity on an AKS enabled by Azure Arc cluster](/azure/aks/aksarc/workload-identity) to create a new cluster if you don't have one with the required features.
 
@@ -90,7 +90,7 @@ Secrets management for Azure IoT Operations uses the Secret Store extension to s
 To set up secrets management:
 
 1. [Create an Azure Key Vault](/azure/key-vault/secrets/quick-create-cli#create-a-key-vault) that's used to store secrets, and [give your user account permissions to manage secrets](/azure/key-vault/secrets/quick-create-cli#give-your-user-account-permissions-to-manage-secrets-in-key-vault) with the `Key Vault Secrets Officer` role.
-1. [Create a user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) for the *secret store* extension to use to access the key vault.
+1. [Create a user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) for the Secret Store extension to use to access the key vault.
 1. Use the [az iot ops secretsync enable](/cli/azure/iot/ops/secretsync#az-iot-ops-secretsync-enable) command to set up the Azure IoT Operations instance for secret synchronization. This command:
 
     - Creates a federated identity credential by using the user-assigned managed identity.

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

@@ -345,7 +345,7 @@ Connect your cluster to Azure Arc so that it can be managed remotely.
 At this point, when you have an Azure Arc-enabled Kubernetes cluster but before you deploy Azure IoT Operations to it, you might want to configure your cluster for advanced scenarios.
 
 * If you want to enable observability features on the cluster, follow the steps in [Deploy observability resources and set up logs](../configure-observability-monitoring/howto-configure-observability.md).
-* If you want to configure your own certificate issuer on the cluster, follow the steps in [Certificate management > Bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer).
+* If you want to configure your own certificate issuer on the cluster, follow the steps in [Certificate management > Bring your own issuer](../secure-iot-ops/howto-manage-certificates.md#bring-your-own-issuer).
 
 ## Next steps
 

articles/iot-operations/discover-manage-assets/concept-assets-asset-endpoints.md

@@ -1,11 +1,11 @@
 ---
 title: Understand assets and asset endpoint profiles
 description: Understand the Azure Device Registry resources that define assets and asset endpoint profiles.
-author: SoniaLopezBravo
-ms.author: sonialopez
+author: dominicbetts
+ms.author: dobett
 #ms.subservice:
 ms.topic: conceptual
-ms.date: 10/22/2024
+ms.date: 05/12/2025
 
 # CustomerIntent: As an industrial edge IT or operations user, I want to understand the types of Azure resources that are created by Azure Device Registry to manage assets.
 ---
@@ -43,6 +43,8 @@ The following table highlights some important properties that are included in an
 | **Target address** | The local IP address of the OPC UA server or IP camera. |
 | **User authentication** | Can be anonymous authentication or username/password authentication. For username/password authentication, provide pointers to where both values are stored as secrets in Azure Key Vault. |
 
+To learn more about how Azure IoT Operations uses Azure Key Vault to store secrets such as usernames and passwords, see [Manage secrets for your Azure IoT Operations deployment](../secure-iot-ops/howto-manage-secrets.md).
+
 ## Assets
 
 An *asset* is a logical entity that represents a device or component in the cloud as an Azure Resource Manager resource and at the edge as a Kubernetes custom resource. When you create an asset, you can define its metadata and the datapoints (also called tags) and events that it emits.

articles/iot-operations/discover-manage-assets/howto-configure-opcua-authentication-options.md

@@ -22,7 +22,7 @@ To learn more, see [OPC UA applications - user authentication](https://reference
 
 ## Prerequisites
 
-A deployed instance of Azure IoT Operations with [Manage Synced Secrets](../deploy-iot-ops/howto-manage-secrets.md#manage-synced-secrets) enabled.
+- An Azure IoT Operations instance deployed with secure settings. If you deployed Azure IoT Operations with test settings, you need to first [enable secure settings](../deploy-iot-ops/howto-enable-secure-settings.md).
 
 ## Features supported
 
@@ -53,3 +53,5 @@ To configure the secrets for the *username* and *password* values in the [operat
     > You have the option to create new secrets in Azure Key Vault if you haven't already added them.
 
 1. Select **Apply**.
+
+To learn more about how Azure IoT Operations uses Azure Key Vault to store secrets such as usernames and passwords, see [Manage secrets for your Azure IoT Operations deployment](../secure-iot-ops/howto-manage-secrets.md).