MicrosoftDocs
diff --git a/‎articles/iot-operations/secure-iot-ops/howto-manage-certificates.md
Lines changed: 41 additions & 43 deletions b/‎articles/iot-operations/secure-iot-ops/howto-manage-certificates.md
Lines changed: 41 additions & 43 deletions
diff --git a/‎articles/iot-operations/secure-iot-ops/media/howto-manage-certificates/list-certificates.png
-36.4 KB b/‎articles/iot-operations/secure-iot-ops/media/howto-manage-certificates/list-certificates.png
-36.4 KB
@@ -11,18 +11,15 @@ ms.date: 05/20/2025
 
 # Manage certificates for your Azure IoT Operations deployment
 
-Azure IoT Operations uses TLS to encrypt communication between all components. This article describes how to manage certificates for internal and external communications, and how to bring your own certificate authority (CA) issuer for a production deployment.
-
-> [!TIP]
-> If you're looking for information about how the connector for OPC UA uses certificates to establish mutual trust with an OPC UA server, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opcua-broker-certificates-management.md).
+Azure IoT Operations uses TLS to encrypt communication between all components. This article describes how to manage certificates for internal and external communications, and how to bring your own certificate authority (CA) issuer for internal communications in a production deployment.
 
 ## Prerequisites
 
 - To manage certificates for external communications, you need an Azure IoT Operations instance deployed with secure settings. If you deployed Azure IoT Operations with test settings, you need to first [enable secure settings](../deploy-iot-ops/howto-enable-secure-settings.md).
 
 ## Manage certificates for internal communications
 
-All communication within Azure IoT Operations is encrypted using TLS. To help you get started, Azure IoT Operations is deployed with a default root CA and issuer for TLS server certificates. You can use the default setup for development and testing purposes. For a production deployment, we recommend [using your own CA issuer](#bring-your-own-issuer) and an enterprise PKI solution.
+All communications within Azure IoT Operations are encrypted using TLS. To help you get started, Azure IoT Operations is deployed with a default root CA and issuer for TLS server certificates. You can use the default setup for development and testing purposes. For a production deployment, we recommend [using your own CA issuer](#bring-your-own-issuer) and an enterprise PKI solution.
 
 ### Default self-signed issuer and root CA certificate for TLS server certificates
 
@@ -94,45 +91,11 @@ To help you get started, Azure IoT Operations is deployed with a default self-si
         type: Ready 
     ```
 
-## Manage certificates for external communications
-
-The certificate management experience for external communications uses Azure Key vault as the managed vault solution on the cloud. Certificates are added to the key vault as secrets and synchronized to the edge as Kubernetes secrets via [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension).
-
-For example, the connector for OPC UA uses the certificate management experience to configure OPC UA client application authentication to an external OPC UA server. All trusted certificates are consolidated into a single secret sync resource at the edge. Azure IoT Operations manages two distinct certificate stores for OPC UA connector: one for the *Trust list* and one for the *Issuer list*. The mapping between the certificate stores and the secret sync resource at the edge is managed by Azure IoT Operations to ensure secure and consistent certificate handling. To learn more about OPC UA application authentication, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opcua-broker-certificates-management.md).
-
-When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the edge to be used in the *Trust list* and *Issuer list* stores for OPC UA connections:
-
-:::image type="content" source="media/howto-manage-certificates/add-new-certificate.png" alt-text="Screenshot that shows the Upload certificate and Add from Azure Key Vault options when adding a new certificate to the asset endpoints page.":::
-
-- **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the edge using Secret Store extension. 
-
-    > [!TIP]
-    > - View the certificate details once uploaded, to ensure you have the correct certificate before adding to Azure Key Vault and synchronizing to edge.
-    > - Use an intuitive name so that you can recognize which secret represents your secret in the future.
-    
-    > [!NOTE]
-    > Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to edge, you must select **Apply** for the changes to be applied.
-     
-
-- **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the edge.
-
-    > [!NOTE]
-    > Make sure to select the secret that holds the certificate you would like to synchronize to the edge. Selecting a secret which isn't the correct certificate causes the connection to fail.
+### Bring your own issuer
 
+For production deployments, we recommend that you set up Azure IoT Operations with an enterprise PKI to manage certificates, and that you bring your own CA issuer which works with your enterprise PKI, instead of using the default self-signed issuer to issue TLS certificates for internal communications.
 
-Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it's synchronized to:
-
-:::image type="content" source="media/howto-manage-certificates/list-certificates.png" alt-text="Screenshot that shows the list of certificates in the asset endpoints page and how to filter by Trust List and Issuer List.":::
-
-- To learn more about the *Trust list* and *Issuer list* stores, see [Configure OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md).
-
-You can delete synced certificates as well. When you delete a synced certificate, it only deletes the synced certificate from the edge, and doesn't delete the contained secret reference from Azure Key Vault. You must delete the certificate secret manually from the key vault. 
-
-## Bring your own issuer
-
-For production deployments, we recommend that you set up Azure IoT Operations with an enterprise PKI to manage certificates and that you bring your own CA issuer which works with your enterprise PKI instead of using the default self-signed issuer to issue TLS certificates. You can use your own issuer for both internal communications, as explained in the below section, and external communications like explained in the [OPC UA server application instance certificates signed by a certificate authority](../discover-manage-assets/overview-opcua-broker-certificates-management.md#use-opc-ua-server-application-instance-certificates-signed-by-a-certificate-authority) scenario.
-
-To set up Azure IoT Operations with your own issuer for internal communication, use the following steps **before deploying an instance to your cluster**:
+To set up Azure IoT Operations with your own issuer for internal communications, use the following steps **before deploying an instance to your cluster**:
 
 1. Follow the steps in [Prepare your cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up your cluster.
 
@@ -180,4 +143,39 @@ To set up Azure IoT Operations with your own issuer for internal communication,
 
       ```bash
       az iot ops create --subscription <SUBSCRIPTION_ID> -g <RESOURCE_GROUP> --cluster <CLUSTER_NAME> --custom-location <CUSTOM_LOCATION> -n <INSTANCE_NAME> --sr-resource-id <SCHEMAREGISTRY_RESOURCE_ID> --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>
-      ```
+      ```
+
+## Manage certificates for external communications
+
+The certificate management experience for external communications uses Azure Key vault as the managed vault solution on the cloud. Certificates are added to the key vault as secrets and synchronized to the edge as Kubernetes secrets via [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension).
+
+For example, the connector for OPC UA uses the certificate management experience to configure OPC UA client application authentication to an external OPC UA server. Azure IoT Operations manages two distinct certificate stores for the connector for OPC UA: one for the *Trust list* and one for the *Issuer list*. To learn more about how the connector for OPC UA uses certificates to establish mutual trust with an OPC UA server, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opcua-broker-certificates-management.md).
+
+
+When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the edge to be used in the *Trust list* and *Issuer list* stores for OPC UA connections:
+
+:::image type="content" source="media/howto-manage-certificates/add-new-certificate.png" alt-text="Screenshot that shows the Upload certificate and Add from Azure Key Vault options when adding a new certificate to the asset endpoints page.":::
+
+- **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the edge using Secret Store extension. 
+
+    > [!TIP]
+    > - View the certificate details once uploaded, to ensure you have the correct certificate before adding to Azure Key Vault and synchronizing to edge.
+    > - Use an intuitive name so that you can recognize which secret represents your secret in the future.
+    
+    > [!NOTE]
+    > Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to edge, you must select **Apply** for the changes to be applied.
+     
+
+- **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the edge.
+
+    > [!NOTE]
+    > Make sure to select the secret that holds the certificate you would like to synchronize to the edge. Selecting a secret which isn't the correct certificate causes the connection to fail.
+
+
+Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it's synchronized to:
+
+:::image type="content" source="media/howto-manage-certificates/list-certificates.png" alt-text="Screenshot that shows the list of certificates in the asset endpoints page and how to filter by Trust List and Issuer List.":::
+
+- To learn more about the *Trust list* and *Issuer list* stores, see [Configure OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md).
+
+You can delete synced certificates as well. When you delete a synced certificate, it only deletes the synced certificate from the edge, and doesn't delete the contained secret reference from Azure Key Vault. You must delete the certificate secret manually from the key vault.