Update virtual-network-reference.md

Updating connectivity requirements for TLS chain building. APIM's default certificates are issued by DigiCert, and these endpoints need to be accessible. If they're not accessible, intermediate certs may not get installed correctly.  Removed the text that makes it sound like these are optional.  The APIM default certs are not in customer control, so  these endpoints must be accessible from VNET.

Author: tehnoonr

articles/api-management/virtual-network-reference.md

@@ -87,7 +87,7 @@ NSG rules allowing outbound connectivity to Storage, SQL, and Azure Event Hubs s
 
 ## TLS functionality  
 
-To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity on ports `80` and `443` to `ocsp.msocsp.com`, `oneocsp.msocsp.com`, `mscrl.microsoft.com`, `crl.microsoft.com`, and `csp.digicert.com`. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root.
+To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity on ports `80` and `443` to `ocsp.msocsp.com`, `oneocsp.msocsp.com`, `mscrl.microsoft.com`, `crl.microsoft.com`, `cacerts.digicert.com`, `crl3.digicert.com` and `csp.digicert.com`. 
 
 
 ## DNS access