update key requirements in container-registry-tutorial-sign-trusted-ca.md

Author: susanshi

articles/container-registry/container-registry-tutorial-sign-trusted-ca.md

@@ -136,6 +136,7 @@ Here are the requirements for certificates issued by a CA:
   - Extended Key Usages (EKUs) must be empty or `1.3.6.1.5.5.7.3.3` (for Codesigning).
 - Key properties:
   - The `exportable` property must be set to `false`.
+  - The `contentType` should be set to `application/x-pem-file` for better integration with [Image Integrity Policy](https://learn.microsoft.com/en-us/azure/aks/image-integrity?tabs=azure-cli) 
   - Select a supported key type and size from the [Notary Project specification](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signature-specification.md#algorithm-selection).
 
 > [!NOTE]
@@ -323,4 +324,4 @@ To import the certificate:
 
 See [Use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters (Preview)](/azure/aks/image-integrity?tabs=azure-cli) and [Ratify on Azure](https://ratify.dev/docs/1.0/quickstarts/ratify-on-azure/) to get started into verifying and auditing signed images before deploying them on AKS.
 
-[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
+[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/