Merge pull request #262963 from susanshi/susanshi-pemCA

update key requirements in container-registry-tutorial-sign-trusted-c…

Author: prmerger-automator[bot]

articles/container-registry/container-registry-tutorial-sign-trusted-ca.md

@@ -138,6 +138,9 @@ Here are the requirements for certificates issued by a CA:
   - The `exportable` property must be set to `false`.
   - Select a supported key type and size from the [Notary Project specification](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signature-specification.md#algorithm-selection).
 
+> [!IMPORTANT]
+> To ensure successful integration with [Image Integrity](/azure/aks/image-integrity), the content type of certificate should be set to PEM.
+
 > [!NOTE]
 > This guide uses version 1.0.1 of the AKV plugin. Prior versions of the plugin had a limitation that required a specific certificate order in a certificate chain. Version 1.0.1 of the plugin does not have this limitation so it is recommended that you use version 1.0.1 or later.
 
@@ -323,4 +326,4 @@ To import the certificate:
 
 See [Use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters (Preview)](/azure/aks/image-integrity?tabs=azure-cli) and [Ratify on Azure](https://ratify.dev/docs/1.0/quickstarts/ratify-on-azure/) to get started into verifying and auditing signed images before deploying them on AKS.
 
-[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
+[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/