Merge pull request #284090 from PatAltimore/patricka-uuf-edge-ca

prmerger-automator[bot] · web-flow · commit 91ad8cd6ac7c · 2024-08-08T21:33:18.000Z
Update Edge CA cert naming
diff --git a/articles/iot-edge/how-to-connect-downstream-device.md b/articles/iot-edge/how-to-connect-downstream-device.md
@@ -4,7 +4,7 @@ description: How to configure downstream devices to connect to Azure IoT Edge ga
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 06/10/2024
+ms.date: 08/07/2024
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -47,7 +47,7 @@ Acquire the following to prepare your downstream device:
 
 * A root CA certificate file.
 
-  This file was used to generate the device CA certificate in [Configure an IoT Edge device to act as a transparent gateway](how-to-create-transparent-gateway.md), which is available on your downstream device. 
+  This file was used to generate the Edge CA certificate in [Configure an IoT Edge device to act as a transparent gateway](how-to-create-transparent-gateway.md), which is available on your downstream device. 
 
   Your downstream device uses this certificate to validate the identity of the gateway device. This trusted certificate validates the transport layer security (TLS) connections to the gateway device. See usage details in the [Provide the root CA certificate](#provide-the-root-ca-certificate) section.
 
diff --git a/articles/iot-edge/how-to-connect-downstream-iot-edge-device.md b/articles/iot-edge/how-to-connect-downstream-iot-edge-device.md
@@ -4,7 +4,7 @@ description: How to create a trusted connection between an IoT Edge gateway and
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 05/15/2024
+ms.date: 08/07/2024
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -90,7 +90,7 @@ Additional device-identity commands, including `add-children`,`list-children`, a
 
 ## Generate certificates
 
-A consistent chain of certificates must be installed across devices in the same gateway hierarchy to establish a secure communication between themselves. Every device in the hierarchy, whether an IoT Edge device or an IoT downstream device, needs a copy of the same root CA certificate. Each IoT Edge device in the hierarchy then uses that root CA certificate as the root for its device CA certificate.
+A consistent chain of certificates must be installed across devices in the same gateway hierarchy to establish a secure communication between themselves. Every device in the hierarchy, whether an IoT Edge device or an IoT downstream device, needs a copy of the same root CA certificate. Each IoT Edge device in the hierarchy then uses that root CA certificate as the root for its Edge CA certificate.
 
 With this setup, each downstream IoT Edge device can verify the identity of their parent by verifying that the *edgeHub* they connect to has a server certificate that is signed by the shared root CA certificate.
 
@@ -103,11 +103,11 @@ For more information about IoT Edge certificate requirements, see
 
     * A **root CA certificate**, which is the topmost shared certificate for all the devices in a given gateway hierarchy. This certificate is installed on all devices.
     * Any **intermediate certificates** that you want to include in the root certificate chain.
-    * A **device CA certificate** and its **private key**, generated by the root and intermediate certificates. You need one unique device CA certificate for each IoT Edge device in the gateway hierarchy.
+    * An **Edge CA certificate** and its **private key**, generated by the root and intermediate certificates. You need one unique Edge CA certificate for each IoT Edge device in the gateway hierarchy.
 
     You can use either a self-signed certificate authority or purchase one from a trusted commercial certificate authority like Baltimore, Verisign, Digicert, or GlobalSign.
 
-01. If you don't have your own certificates to use for test, create one set of root and intermediate certificates, then create IoT Edge device CA certificates for each device. In this article, we'll use test certificates generated using [test CA certificates for samples and tutorials](https://github.com/Azure/iotedge/tree/main/tools/CACertificates).
+01. If you don't have your own certificates to use for test, create one set of root and intermediate certificates, then create Edge CA certificates for each device. In this article, we'll use test certificates generated using [test CA certificates for samples and tutorials](https://github.com/Azure/iotedge/tree/main/tools/CACertificates).
 For example, the following commands create a root CA certificate, a parent device certificate, and a child device certificate.
 
     ```bash
@@ -138,11 +138,11 @@ For more information on installing certificates on a device, see [Manage certifi
 
 To configure your parent device, open a local or remote command shell.
 
-To enable secure connections, every IoT Edge parent device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
+To enable secure connections, every IoT Edge parent device in a gateway scenario needs to be configured with a unique Edge CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
 01. Check your certificates meet the [format requirements](how-to-manage-device-certificates.md#format-requirements).
 
-01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. 
+01. Transfer the **root CA certificate**, **parent Edge CA certificate**, and **parent private key** to the parent device. 
 
 01. Copy the certificates and keys to the correct directories. The preferred directories for device certificates are `/var/aziot/certs` for the certificates and `/var/aziot/secrets` for keys.
 
@@ -393,11 +393,11 @@ To verify the *hostname*, you need to inspect the environment variables of the *
 
 To configure your downstream device, open a local or remote command shell.
 
-To enable secure connections, every IoT Edge downstream device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
+To enable secure connections, every IoT Edge downstream device in a gateway scenario needs to be configured with a unique Edge CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
 01. Check your certificates meet the [format requirements](how-to-manage-device-certificates.md#format-requirements).
 
-01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the downstream device. 
+01. Transfer the **root CA certificate**, **child Edge CA certificate**, and **child private key** to the downstream device. 
 
 01. Copy the certificates and keys to the correct directories. The preferred directories for device certificates are `/var/aziot/certs` for the certificates and `/var/aziot/secrets` for keys.
 
diff --git a/articles/iot-edge/how-to-create-test-certificates.md b/articles/iot-edge/how-to-create-test-certificates.md
@@ -223,11 +223,11 @@ Device identity certificates go in the **Provisioning** section of the config fi
 
 ---
 
-## Create edge CA certificates
+## Create Edge CA certificates
 
-These certificates are required for **gateway scenarios** because the edge CA certificate is how the IoT Edge device verifies its identity to downstream devices. You can skip this section if you're not connecting any downstream devices to IoT Edge.
+These certificates are required for **gateway scenarios** because the Edge CA certificate is how the IoT Edge device verifies its identity to downstream devices. You can skip this section if you're not connecting any downstream devices to IoT Edge.
 
-The **edge CA** certificate is also responsible for creating certificates for modules running on the device, but IoT Edge runtime can create temporary certificates if edge CA isn't configured. Edge CA certificates go in the **Edge CA** section of the `config.toml` file on the IoT Edge device. To learn more, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md). 
+The **Edge CA** certificate is also responsible for creating certificates for modules running on the device, but IoT Edge runtime can create temporary certificates if Edge CA isn't configured. Edge CA certificates go in the **Edge CA** section of the `config.toml` file on the IoT Edge device. To learn more, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md). 
 
 # [Windows](#tab/windows)
 
diff --git a/articles/iot-edge/how-to-create-transparent-gateway.md b/articles/iot-edge/how-to-create-transparent-gateway.md
@@ -4,7 +4,7 @@ description: Use an Azure IoT Edge device as a transparent gateway that can proc
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 06/03/2024
+ms.date: 08/07/2024
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -56,21 +56,21 @@ If you don't have a device ready, you should create one before continuing with t
 
 ---
 
-## Set up the device CA certificate
+## Set up the Edge CA certificate
 
-All IoT Edge gateways need a device CA certificate installed on them. The IoT Edge security daemon uses the IoT Edge device CA certificate to sign a workload CA certificate, which in turn signs a server certificate for IoT Edge hub. The gateway presents its server certificate to the downstream device during the initiation of the connection. The downstream device checks to make sure that the server certificate is part of a certificate chain that rolls up to the root CA certificate. This process allows the downstream device to confirm that the gateway comes from a trusted source. For more information, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).
+All IoT Edge gateways need an Edge CA certificate installed on them. The IoT Edge security daemon uses the Edge CA certificate to sign a workload CA certificate, which in turn signs a server certificate for IoT Edge hub. The gateway presents its server certificate to the downstream device during the initiation of the connection. The downstream device checks to make sure that the server certificate is part of a certificate chain that rolls up to the root CA certificate. This process allows the downstream device to confirm that the gateway comes from a trusted source. For more information, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).
 
 :::image type="content" source="./media/how-to-create-transparent-gateway/gateway-setup.png" alt-text="Screenshot that shows the gateway certificate setup." lightbox="./media/how-to-create-transparent-gateway/gateway-setup.png":::
 
-The root CA certificate and the device CA certificate (with its private key) need to be present on the IoT Edge gateway device and configured in the IoT Edge config file. Remember that in this case *root CA certificate* means the topmost certificate authority for this IoT Edge scenario. The gateway device CA certificate and the downstream device certificates need to roll up to the same root CA certificate.
+The root CA certificate and the Edge CA certificate (with its private key) need to be present on the IoT Edge gateway device and configured in the IoT Edge config file. Remember that in this case *root CA certificate* means the topmost certificate authority for this IoT Edge scenario. The gateway Edge CA certificate and the downstream device certificates need to roll up to the same root CA certificate.
 
 >[!TIP]
->The process of installing the root CA certificate and device CA certificate on an IoT Edge device is also explained in more detail in [Manage certificates on an IoT Edge device](how-to-manage-device-certificates.md).
+>The process of installing the root CA certificate and Edge CA certificate on an IoT Edge device is also explained in more detail in [Manage certificates on an IoT Edge device](how-to-manage-device-certificates.md).
 
 Have the following files ready:
 
 * Root CA certificate
-* Device CA certificate
+* Edge CA certificate
 * Device CA private key
 
 For production scenarios, you should generate these files with your own certificate authority. For development and test scenarios, you can use demo certificates.
@@ -81,7 +81,7 @@ If you don't have your own certificate authority and want to use demo certificat
 
 1. To start, set up the scripts for generating certificates on your device.
 1. Create a root CA certificate. At the end of those instructions, you'll have a root CA certificate file `<path>/certs/azure-iot-test-only.root.ca.cert.pem`.
-1. Create IoT Edge device CA certificates. At the end of those instructions, you'll have a device CA certificate `<path>/certs/iot-edge-device-ca-<cert name>-full-chain.cert.pem` its private key `<path>/private/iot-edge-device-ca-<cert name>.key.pem`.
+1. Create Edge CA certificates. At the end of those instructions, you'll have an Edge CA certificate `<path>/certs/iot-edge-device-ca-<cert name>-full-chain.cert.pem` its private key `<path>/private/iot-edge-device-ca-<cert name>.key.pem`.
 
 ### Copy certificates to device
 
@@ -127,7 +127,7 @@ For more information on the following commands, see [PowerShell functions for Io
 1. Copy the certificates to the EFLOW virtual machine to a directory where you have write access. For example, the `/home/iotedge-user` home directory.
 
    ```powershell
-   # Copy the IoT Edge device CA certificate and key
+   # Copy the Edge CA certificate and key
    Copy-EflowVMFile -fromFile <path>\certs\iot-edge-device-ca-<cert name>-full-chain.cert.pem -toFile ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem -pushFile
    Copy-EflowVMFile -fromFile <path>\private\iot-edge-device-ca-<cert name>.key.pem -toFile ~/iot-edge-device-ca-<cert name>.key.pem -pushFile
 
@@ -158,7 +158,7 @@ For more information on the following commands, see [PowerShell functions for Io
 1. Move the certificates and keys to the preferred `/var/aziot` directory.
 
    ```bash
-   # Move the IoT Edge device CA certificate and key to preferred location
+   # Move the Edge CA certificate and key to preferred location
    sudo mv ~/azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
    sudo mv ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem /var/aziot/certs
    sudo mv ~/iot-edge-device-ca-<cert name>.key.pem /var/aziot/secrets
@@ -198,7 +198,7 @@ For more information on the following commands, see [PowerShell functions for Io
 1. Find the `trust_bundle_cert` parameter. Uncomment this line and provide the file URI to the root CA certificate file on your device.
 
 1. Find the `[edge_ca]` section of the file. Uncomment the three lines in this section and provide the file URIs to your certificate and key files as values for the following properties:
-   * **cert**: device CA certificate
+   * **cert**: Edge CA certificate
    * **pk**: device CA private key
 
 1. Save and close the file.
diff --git a/articles/iot-edge/iot-edge-certs.md b/articles/iot-edge/iot-edge-certs.md
@@ -2,10 +2,10 @@
 title: Understand how IoT Edge uses certificates for security
 titleSuffix: Azure IoT Edge
 description: How Azure IoT Edge uses certificate to validate devices, modules, and downstream devices enabling secure connections between them. 
-author: jlian
+author: PatAltimore
 
-ms.author: jlian
-ms.date: 07/05/2023
+ms.author: patricka
+ms.date: 08/07/2024
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -386,7 +386,7 @@ In a typical manufacturing process for creating secure devices, root CA certific
 * Multiple companies involved serially in the production of a device
 * A customer buying a root CA and deriving a signing certificate for the manufacturer to sign the devices they make on that customer's behalf
 
-In any case, the manufacturer uses an intermediate CA certificate at the end of this chain to sign the edge CA certificate placed on the end device. These intermediate certificates are closely guarded at the manufacturing plant. They undergo strict processes, both physical and electronic for their usage.
+In any case, the manufacturer uses an intermediate CA certificate at the end of this chain to sign the Edge CA certificate placed on the end device. These intermediate certificates are closely guarded at the manufacturing plant. They undergo strict processes, both physical and electronic for their usage.
 
 ## Next steps
 
diff --git a/articles/iot-edge/iot-edge-limits-and-restrictions.md b/articles/iot-edge/iot-edge-limits-and-restrictions.md
@@ -60,7 +60,7 @@ IoT Hub has the following restrictions for IoT Edge automatic deployments:
 IoT Edge certificates have the following restrictions:
 
 * The common name (CN) can't be the same as the *hostname* that is used in the configuration file on the IoT Edge device.
-* The name used by clients to connect to IoT Edge can't be the same as the common name used in the edge CA certificate.
+* The name used by clients to connect to IoT Edge can't be the same as the common name used in the Edge CA certificate.
 
 For more information, see [Certificates for device security](iot-edge-certs.md).
 
diff --git a/articles/iot-edge/production-checklist.md b/articles/iot-edge/production-checklist.md
@@ -4,7 +4,7 @@ description: Ready your Azure IoT Edge solution for production. Learn how to set
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 06/13/2024
+ms.date: 08/07/2024
 ms.topic: concept-article
 ms.service: iot-edge
 services: iot-edge
@@ -33,9 +33,9 @@ IoT Edge devices can be anything from a Raspberry Pi to a laptop to a virtual ma
 
 ### Install production certificates
 
-Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. That CA certificate is then declared to the IoT Edge runtime in the config file. For development and testing scenarios, the IoT Edge runtime creates temporary certificates if no certificates are declared in the config file. However, these temporary certificates expire after three months and aren't secure for production scenarios. For production scenarios, you should provide your own device CA certificate, either from a self-signed certificate authority or purchased from a commercial certificate authority.
+Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. That CA certificate is then declared to the IoT Edge runtime in the config file. For development and testing scenarios, the IoT Edge runtime creates temporary certificates if no certificates are declared in the config file. However, these temporary certificates expire after three months and aren't secure for production scenarios. For production scenarios, you should provide your own Edge CA certificate, either from a self-signed certificate authority or purchased from a commercial certificate authority.
 
-To understand the role of the device CA certificate, see [How Azure IoT Edge uses certificates](iot-edge-certs.md).
+To understand the role of the Edge CA certificate, see [How Azure IoT Edge uses certificates](iot-edge-certs.md).
 
 For more information about how to install certificates on an IoT Edge device and reference them from the config file, see [Manage certificate on an IoT Edge device](how-to-manage-device-certificates.md).
 
