adding external comms

asergaz · dominicbetts · commit d3f7db8d2800 · 2025-05-28T14:55:31.000+01:00
diff --git a/articles/iot-operations/secure-iot-ops/howto-manage-certificates.md b/articles/iot-operations/secure-iot-ops/howto-manage-certificates.md
@@ -1,24 +1,30 @@
 ---
-title: Certificate management for Azure IoT Operations internal communication
-description: Azure IoT Operations uses TLS to encrypt communication. Learn about the default setup and also how to bring your own CA for production.
-author: PatAltimore
-ms.author: patricka
-ms.subservice: azure-mqtt-broker
-ms.topic: concept-article
-ms.date: 10/25/2024
+title: Manage certificates
+# description: TODO: Azure IoT Operations uses TLS to encrypt communication. Learn about the default setup and also how to bring your own CA for production.
+author: asergaz
+ms.author: sergaz
+ms.topic: how-to
+ms.date: 05/20/2025
 
 #CustomerIntent: As an operator, I want to configure Azure IoT Operations components to use TLS so that I have secure communication between all components.
-ms.service: azure-iot-operations
 ---
 
-# Certificate management for Azure IoT Operations internal communication
+# Manage certificates for your Azure IoT Operations deployment
 
-All communication within Azure IoT Operations is encrypted using TLS. To help you get started, Azure IoT Operations is deployed with a default root CA and issuer for TLS server certificates. You can use the default setup for development and testing purposes. For a production deployment, we recommend using your own CA issuer and an enterprise PKI solution.
+Azure IoT Operations uses TLS to encrypt communication between all components. This article describes how to manage certificates for internal and external communications, and how to bring your own certificate authority (CA) issuer for a production deployment.
 
 > [!TIP]
 > If you're looking for information about how to manage certificates for the connector for OPC UA, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opcua-broker-certificates-management.md).
 
-## Default self-signed issuer and root CA certificate for TLS server certificates
+## Prerequisites
+
+- To manage certificates for external communications, you need an Azure IoT Operations instance deployed with secure settings. If you deployed Azure IoT Operations with test settings, you need to first [enable secure settings](../deploy-iot-ops/howto-enable-secure-settings.md).
+
+## Manage certificates for internal communications
+
+All communication within Azure IoT Operations is encrypted using TLS. To help you get started, Azure IoT Operations is deployed with a default root CA and issuer for TLS server certificates. You can use the default setup for development and testing purposes. For a production deployment, we recommend using your own CA issuer and an enterprise PKI solution.
+
+### Default self-signed issuer and root CA certificate for TLS server certificates
 
 To help you get started, Azure IoT Operations is deployed with a default self-signed issuer and root CA certificate for TLS server certificates. You can use this issuer for development and testing. Azure IoT Operations uses [cert-manager](https://cert-manager.io/docs/) to manage TLS certificates, and [trust-manager](https://cert-manager.io/docs/trust/) to distribute trust bundles to components. 
 
@@ -87,11 +93,11 @@ To help you get started, Azure IoT Operations is deployed with a default self-si
         status: "True" 
         type: Ready 
     ```
-## Bring your own issuer
+### Bring your own issuer
 
 For production deployments, we recommend that you set up Azure IoT Operations with an enterprise PKI to manage certificates and that you bring your own issuer which works with your enterprise PKI instead of using the default self-signed issuer to issue TLS certificates for internal communication.
 
-To set up Azure IoT Operations with your own issuer, use the following steps before deploying an instance to your cluster:
+To set up Azure IoT Operations with your own issuer, use the following steps **before deploying an instance to your cluster**:
 
 1. Follow the steps in [Prepare your cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up your cluster.
   
@@ -128,6 +134,7 @@ To set up Azure IoT Operations with your own issuer, use the following steps bef
       ```
 
 1. Follow steps in [Deploy Azure IoT Operations](../deploy-iot-ops/howto-deploy-iot-operations.md) to deploy, *with a few changes*.
+
    1. Add the `--user-trust` parameter while preparing cluster. For example:
 
       ```bash
@@ -139,3 +146,38 @@ To set up Azure IoT Operations with your own issuer, use the following steps bef
       ```bash
       az iot ops create --subscription <SUBSCRIPTION_ID> -g <RESOURCE_GROUP> --cluster <CLUSTER_NAME> --custom-location <CUSTOM_LOCATION> -n <INSTANCE_NAME> --sr-resource-id <SCHEMAREGISTRY_RESOURCE_ID> --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>
       ```
+
+## Manage certificates for external communications
+
+The certificate management experience for external communications uses Azure Key vault as the managed vault solution on the cloud. Certificates are added to Azure Key Vault as secrets and synchronized to the edge as Kubernetes secrets via [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension).
+
+The OPC UA client application authentication, leverages the current certificate management experience for external communications. When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the edge to be used in the *Trust list* and *Issuer list* stores for OPC UA connections:
+
+TODO: <Screenshot of upload/add from AKV page>
+
+- **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the edge using Secret Store Extension. 
+
+    > [!TIP]
+    > View the certificate once uploaded to ensure you have uploaded the correct certificate before adding to Azure Key Vault and synchronizing to edge.
+
+    > [!TIP]
+    > Use an intuitive name so that you can recognize which secret represents your secret in the future.
+    
+    > [!NOTE]
+    > Simply uploading the certificate will not add the secret to Azure Kery Vault and synchronize to edge, you must click **Apply** to the changes to be applied.  
+     
+
+- **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the edge.
+
+    > [!NOTE]
+    > Make sure to select the secret which holds the certificate you would like to synchronize to the edge. Selecting a secret which is not the correct certificate will cause the connection to fail. 
+
+Unlike in [Manage secrets for your Azure IoT Operations deployment](howto-manage-secrets.md) where you directly manage the synchronized secret used for authentication, Azure IoT Operations manages the synchronized secrets which represents the certificates on behalf of you. 
+
+Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it is synchronized to:
+
+TODO: <Screenshot of  list view>
+
+- To learn more about the *Trust list* and *Issuer list* stores, see [Configure OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md).
+
+You can delete synced certificates as well. When you delete a synced certificate, it only deletes the synced certificate from the edge, and doesn't delete the contained secret reference from Azure Key Vault. You must delete the certificate secret manually from the key vault. 
