Update stale Baltimore CyberTrust Root references to DigiCert Global Root G2
IoT Hub completed its TLS root CA migration from Baltimore CyberTrust Root
to DigiCert Global Root G2 in 2023. Update all references in the IoT Edge
certificates page to reflect the current root CA.
Also updates the intermediate CA name from 'Microsoft IT TLS CA 1' to
'Microsoft Azure RSA TLS Issuing CA 08' and removes outdated commercial CA
names (Baltimore, Verisign) from the root CA certificate section.
articles/iot-edge/iot-edge-certs.md
Lines changed: 8 additions & 8 deletions
@@ -84,25 +84,25 @@ In our scenario, *ContosoIotHub* shows the following certificate chain:
84
84
85
85
<!-- mermaid
86
86
flowchart TB
87
-
id3["📃 CN = Baltimore CyberTrust Root (Root CA)"]
88
-
id2["📃 CN = Microsoft IT TLS CA 1 (Intermediate CA)"]
87
+
id3["📃 CN = DigiCert Global Root G2 (Root CA)"]
88
+
id2["📃 CN = Microsoft Azure RSA TLS Issuing CA 08 (Intermediate CA)"]
89
89
id1["📃 CN = *.azure-devices.net"]
90
90
91
91
id2-- Issued by -- -> id3
92
92
id1-- Issued by -- -> id2
93
93
-->
94
94
95
-
The root certificate authority (CA) is the [Baltimore CyberTrust Root](https://www.digicert.com/kb/digicert-root-certificates.htm) certificate. DigiCert signs this root certificate, and it's widely trusted and stored in many operating systems. For example, both Ubuntu and Windows include it in the default certificate store.
95
+
The root certificate authority (CA) is the [DigiCert Global Root G2](https://www.digicert.com/kb/digicert-root-certificates.htm) certificate. DigiCert signs this root certificate, and it's widely trusted and stored in many operating systems. For example, both Ubuntu and Windows include it in the default certificate store.
96
96
97
97
Windows certificate store:
98
98
99
-
:::image type="content" source="./media/iot-edge-certs/baltimore-windows.png" alt-text="Screenshot showing Baltimore CyberTrust Root certificate listed in the Windows certificate store." lightbox="./media/iot-edge-certs/baltimore-windows.png":::
99
+
:::image type="content" source="./media/iot-edge-certs/baltimore-windows.png" alt-text="Screenshot showing DigiCert Global Root G2 certificate listed in the Windows certificate store." lightbox="./media/iot-edge-certs/baltimore-windows.png":::
100
100
101
101
Ubuntu certificate store:
102
102
103
-
:::image type="content" source="./media/iot-edge-certs/ubuntu-baltimore.png" alt-text="Screenshot showing Baltimore CyberTrust Root certificate listed in the Ubuntu certificate store." lightbox="./media/iot-edge-certs/ubuntu-baltimore.png":::
103
+
:::image type="content" source="./media/iot-edge-certs/ubuntu-baltimore.png" alt-text="Screenshot showing DigiCert Global Root G2 certificate listed in the Ubuntu certificate store." lightbox="./media/iot-edge-certs/ubuntu-baltimore.png":::
104
104
105
-
When a device checks for the *Baltimore CyberTrust Root* certificate, it's already in the OS. From the *EdgeGateway* perspective, since the certificate chain from *ContosoIotHub* is signed by a root CA the OS trusts, the certificate is trustworthy. This certificate is called the **IoT Hub server certificate**. For more about the IoT Hub server certificate, see [Transport Layer Security (TLS) support in IoT Hub](../iot-hub/iot-hub-tls-support.md).
105
+
When a device checks for the *DigiCert Global Root G2* certificate, it's already in the OS. From the *EdgeGateway* perspective, since the certificate chain from *ContosoIotHub* is signed by a root CA the OS trusts, the certificate is trustworthy. This certificate is called the **IoT Hub server certificate**. For more about the IoT Hub server certificate, see [Transport Layer Security (TLS) support in IoT Hub](../iot-hub/iot-hub-tls-support.md).
106
106
107
107
In summary, *EdgeGateway* can verify and trust *ContosoIotHub's* identity because:
108
108
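Review bot: the two `:::image` lines in this hunk change only the alt-text while `source` and `lightbox` still point at `baltimore-windows.png` and `ubuntu-baltimore.png`, so the alt-text now describes a DigiCert Global Root G2 entry that the existing screenshots presumably do not show. Either capture new screenshots of the Windows and Ubuntu stores with DigiCert Global Root G2 selected and rename the files to match, or leave the alt-text describing what the picture actually shows until the screenshots are replaced; an alt-text that contradicts the image is worse for screen-reader users than a stale one. The prose change to "DigiCert Global Root G2" in the paragraph and the mermaid chain is consistent with the commit message.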
@@ -248,7 +248,7 @@ To solve the issue, IoT Edge uses the configured hostname value in `config.toml`
248
248
249
249
#### Why does IoT Edge create certificates?
250
250
251
-
In the example, notice there's an *iotedged workload ca edgegateway* in the certificate chain. It's the certificate authority (CA) that exists on the IoT Edge device known as *Edge CA* (formerly known as *Device CA* in version 1.1). Like the *Baltimore CyberTrust root CA* in the earlier example, the *Edge CA* can issue other certificates. Most importantly, and also in this example, it issues the server certificate to *edgeHub* module. But, it can also issue certificates to other modules running on the IoT Edge device.
251
+
In the example, notice there's an *iotedged workload ca edgegateway* in the certificate chain. It's the certificate authority (CA) that exists on the IoT Edge device known as *Edge CA* (formerly known as *Device CA* in version 1.1). Like the *DigiCert Global Root G2* in the earlier example, the *Edge CA* can issue other certificates. Most importantly, and also in this example, it issues the server certificate to *edgeHub* module. But, it can also issue certificates to other modules running on the IoT Edge device.
252
252
253
253
> [!IMPORTANT]
254
254
> By default without configuration, *Edge CA* is automatically generated by IoT Edge module runtime when it starts for the first time, known as *quickstart Edge CA*, and then it issues a certificate to *edgeHub* module. This process speeds downstream device connection by allowing *edgeHub* to present a valid certificate that is signed. Without this feature, you'd have to get your CA to issue a certificate for *edgeHub* module. Using an automatically generated *quickstart Edge CA* isn't supported for use in production. For more information on quickstart Edge CA, see [Quickstart Edge CA](how-to-manage-device-certificates.md#quickstart-edge-ca).
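Review bot: in the changed line the comparison now reads "Like the *DigiCert Global Root G2* in the earlier example", whereas the removed text said "*Baltimore CyberTrust root CA*"; dropping the "root CA" qualifier makes the sentence read as if a certificate, rather than an issuing authority, were being compared to the *Edge CA*. Suggest `Like the *DigiCert Global Root G2* root CA in the earlier example, the *Edge CA* can issue other certificates.` so the parallel with an issuer is explicit.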
@@ -376,7 +376,7 @@ A certificate authority (CA) issues digital certificates. The CA acts as a trust
376
376
377
377
### Root CA certificate
378
378
379
-
A root CA certificate is the root of trust for the process. In production, you usually buy this CA certificate from a trusted commercial certificate authority like Baltimore, Verisign, or DigiCert. If you control all devices connecting to your IoT Edge devices, you can use a corporate certificate authority. In both cases, the certificate chain from IoT Edge to IoT Hub uses the root CA certificate. Downstream IoT devices must trust the root certificate. Store the root CA certificate in the trusted root certificate authority store or provide the certificate details in your application code.
379
+
A root CA certificate is the root of trust for the process. In production, you usually buy this CA certificate from a trusted commercial certificate authority like DigiCert. If you control all devices connecting to your IoT Edge devices, you can use a corporate certificate authority. In both cases, the certificate chain from IoT Edge to IoT Hub uses the root CA certificate. Downstream IoT devices must trust the root certificate. Store the root CA certificate in the trusted root certificate authority store or provide the certificate details in your application code.
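Review bot: removing Baltimore and Verisign leaves the example list at a single vendor ("like DigiCert"), which reads as a product recommendation rather than as an illustration of the class of authority meant. Consider rephrasing to `from a publicly trusted commercial certificate authority (DigiCert is one example)` so the guidance stays about membership in the device trust store, which is what the certificate chain from IoT Edge to IoT Hub described later in the paragraph depends on, rather than on a vendor name that can go stale as the Baltimore reference did.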