articles/iot-operations/secure-iot-ops/howto-manage-certificates.md
8 additions & 12 deletions
@@ -98,34 +98,30 @@ To help you get started, Azure IoT Operations is deployed with a default self-si
The certificate management experience for external communications uses Azure Key vault as the managed vault solution on the cloud. Certificates are added to the key vault as secrets and synchronized to the edge as Kubernetes secrets via [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension).
-
For example, the connector forOPC UA uses the certificate management experience to configure OPC UA client application authentication to an external OPC UA server. When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the edge to be usedin the *Trust list* and *Issuer list* stores for OPC UA connections:
+
For example, the connector for OPC UA uses the certificate management experience to configure OPC UA client application authentication to an external OPC UA server. All trusted certificates are consolidated into a single secret sync resource at the edge. Azure IoT Operations manages two distinct certificate stores for OPC UA connector: one for the *Trust list* and one for the *Issuer list*. The mapping between the certificate stores and the secret sync resource at the edge is managed by Azure IoT Operations to ensure secure and consistent certificate handling. To learn more about OPC UA application authentication, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opcua-broker-certificates-management.md).
+
+
When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the edge to be used in the *Trust list* and *Issuer list* stores for OPC UA connections:
-
<!-- **************TODO: Screenshot of upload/add from AKV page - I want it to be coming from AKV instead**************** -->
:::image type="content" source="media/howto-manage-certificates/add-new-certificate.png" alt-text="Screenshot that shows the Upload certificate and Add from Azure Key Vault options when adding a new certificate to the asset endpoints page.":::
- **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the edge using Secret Store extension.
> [!TIP]
-
> View the certificate once uploaded to ensure you have uploaded the correct certificate before adding to Azure Key Vault and synchronizing to edge.
-
-
> [!TIP]
-
> Use an intuitive name so that you can recognize which secret represents your secret in the future.
+
> - View the certificate details once uploaded, to ensure you have the correct certificate before adding to Azure Key Vault and synchronizing to edge.
+
> - Use an intuitive name so that you can recognize which secret represents your secret in the future.
> [!NOTE]
-
> Simply uploading the certificate will not add the secret to Azure Kery Vault and synchronize to edge, you must click**Apply**to the changes to be applied.
+
> Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to edge, you must select **Apply** for the changes to be applied.
- **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the edge.
> [!NOTE]
-
> Make sure to selectthe secret which holds the certificate you would like to synchronize to the edge. Selecting a secret which is not the correct certificate will cause the connection to fail.
+
> Make sure to select the secret that holds the certificate you would like to synchronize to the edge. Selecting a secret which isn't the correct certificate causes the connection to fail.
-
<!-- TODO: Can we add more clarity here? -->
-
Unlike in [Manage secrets for your Azure IoT Operations deployment](howto-manage-secrets.md) where you directly manage the synchronized secret used for authentication, Azure IoT Operations manages the synchronized secrets which represents the certificates on behalf of you.
-
Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it is synchronized to:
+
Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it's synchronized to:
-
<!-- ***********TODO: Screenshot of list view with some certificates there************* -->
:::image type="content" source="media/howto-manage-certificates/list-certificates.png" alt-text="Screenshot that shows the list of certificates in the asset endpoints page and how to filter by Trust List and Issuer List.":::
- To learn more about the *Trust list* and *Issuer list* stores, see [Configure OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md).
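Review bot: the retained TIP line `> - Use an intuitive name so that you can recognize which secret represents your secret in the future.` is circular; since this article is about certificates, make it `> - Use an intuitive name so that you can recognize which certificate the secret represents in the future.` Two smaller points in the same hunk: the new paragraph says `manages two distinct certificate stores for OPC UA connector`, which needs the article form used elsewhere on the page (`for the connector for OPC UA`), and the NOTE `> Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to edge, you must select **Apply** for the changes to be applied.` is a comma splice that should be split (`... synchronize it to the edge. You must select **Apply** ...`). Finally, the hunk deletes the closing pointer to howto-configure-opcua-certificates-infrastructure.md while the new text links only the overview article; if the how-to is still where the *Trust list* and *Issuer list* stores are configured, keep that link (for example after the list-view paragraph) rather than dropping it.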
articles/iot-operations/secure-iot-ops/howto-manage-secrets.md
2 additions & 2 deletions
@@ -43,7 +43,7 @@ Secrets are used in asset endpoints and data flow endpoints for authentication.
-**Add from Azure Key Vault**: synchronizes an existing secret in key vault down to the edge if it wasn't synchronized before. Selecting this option shows you the list of secret references in the selected key vault. Use this option if you created the secret in the key vault beforehand. *Only the latest version of the secret is synced to the edge*.
-
1. When you add the username and password references to the asset endpoints or data flow endpoints, you then need to give the synchronized secret a name. The secret references will be saved in the edge with this given name as one resource. In the example from the screenshot below, the username and password references are saved to the edge as *edp1secrets*.
+
1. When you add the username and password references to the asset endpoints or data flow endpoints, you then need to give the synchronized secret a name. The secret references are saved in the edge with this given name as one secret sync resource. In the example from the screenshot below, the username and password references are saved to the edge as *edp1secrets*.
:::image type="content" source="media/howto-manage-secrets/synced-secret-name.png" alt-text="Screenshot that shows the synced secret name field when username password is selected for authentication mode in operations experience.":::
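Review bot: in the rewritten step `The secret references are saved in the edge with this given name as one secret sync resource.`, `in the edge` should be `at the edge`, matching `synced to the edge` in the context line above it and the wording in the rest of the file; `with this given name` reads more naturally as `under the name you give`. The term `secret sync resource` is introduced here without a link or a short definition, and the same change introduces it in the certificates article as well; define it on first use or link it to the Secret Store extension documentation already referenced there.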
@@ -57,7 +57,7 @@ In this section, we use asset endpoints as an example, the same can be applied t
:::image type="content" source="media/howto-manage-secrets/synced-secret-list.png" alt-text="Screenshot that shows the synced secrets list in the operations experience secrets page.":::
-
You can use the **Secrets** page to view synchronized secrets in your asset endpoints and data flow endpoints. Secrets page shows the list of all current synchronized secrets at the edge for the resource you are viewing. A synced secret represents one or multiple secret references, depending on the resource using it. Any operation applied to a synced secret will be applied to all secret references contained within the synced secret.
+
You can use the **Secrets** page to view synchronized secrets in your asset endpoints and data flow endpoints. Secrets page shows the list of all current synchronized secrets at the edge for the resource you're viewing. A synced secret represents one or multiple secret references, depending on the resource using it. Any operation applied to a synced secret will be applied to all secret references contained within the synced secret.
You can delete synced secrets as well in the **Secrets** page. When you delete a synced secret, it only deletes the synced secret from the edge, and doesn't delete the contained secret reference from Azure Key Vault. You must delete the certificate secret manually from the key vault.
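Review bot: `Any operation applied to a synced secret will be applied to all secret references contained within the synced secret.` keeps a future tense while the rest of this change converts `will` to present tense (`won't add`, `causes the connection to fail`); make it `is applied to all secret references`. In the same rewritten line, `Secrets page shows the list` needs an article: `The **Secrets** page shows the list`. In the trailing context line, `You must delete the certificate secret manually from the key vault` refers to a certificate in an article about username and password secrets; either drop `certificate` or explain why the secret here is a certificate.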