Commit 74b7d72

Expand Edge CA renewal guidance and add troubleshooting entry
- Expand 'Plan for Edge CA renewal' section with timing table, restart sequence details, and module resilience best practices
- Add troubleshooting entry for custom modules losing connectivity after Edge CA certificate renewal
- Link to IoT Hub SDK retry documentation for connection resilience

Addresses recurring community issue (Azure/iotedge#7497, #7321, #6044, #6008, #7446) where custom modules stop sending messages after the 30-day Edge CA renewal cycle.
1 parent 3e4646e commit 74b7d72

2 files changed

Lines changed: 48 additions & 3 deletions

articles/iot-edge/how-to-manage-device-certificates.md

Lines changed: 23 additions & 2 deletions
@@ -4,7 +4,7 @@ titleSuffix: Azure IoT Edge
44
description: How to install and manage certificates on an Azure IoT Edge device to prepare for production deployment.
55
author: sethmanheim
66
ms.author: sethm
7-
ms.date: 03/23/2026
7+
ms.date: 04/13/2026
88
ms.topic: concept-article
99
ms.service: azure-iot-edge
1010
services: iot-edge
@@ -396,7 +396,28 @@ You can provide your own certificates and manage them manually. However, to avoi
396396

397397
When the Edge CA certificate renews, it regenerates all the certificates it issued, like module server certificates. To give the modules new server certificates, IoT Edge restarts all modules when the Edge CA certificate renews.
398398

399-
To minimize the potential negative effects of module restarts, plan to renew the Edge CA certificate at a specific time (for example, `threshold = "10d"`) and notify dependents of the solution about the downtime.
399+
The renewal happens automatically based on the `auto_renew` threshold you configure. The following table shows when renewal occurs for common certificate lifetimes, using the default threshold of `80%`:
400+
401+
| Certificate lifetime | Default threshold (80%) | Renewal occurs at |
402+
|---|---|---|
403+
| 90 days | 80% | Day 72 (18 days before expiry) |
404+
| 30 days | 80% | Day 24 (6 days before expiry) |
405+
| 7 days | 80% | Day 5.6 (~34 hours before expiry) |
406+
407+
During the renewal, the IoT Edge runtime:
408+
409+
1. Regenerates the Edge CA certificate.
410+
1. Stops all running modules.
411+
1. Restarts each module so it receives a new server certificate.
412+
413+
This restart cycle causes a brief disruption. Custom modules that connect to EdgeHub must reconnect after the restart. If a module doesn't implement connection retry logic, it might fail to reestablish communication with EdgeHub and stop sending messages.
414+
415+
To minimize the potential negative effects of module restarts:
416+
417+
- **Schedule renewal for a maintenance window.** Set `threshold` to an absolute time (for example, `threshold = "10d"`) so the renewal happens at a predictable point before expiry.
418+
- **Implement connection retry in custom modules.** Modules should use the Azure IoT device SDK's built-in retry policies, or implement their own exponential backoff retry logic, to automatically reconnect to EdgeHub after a restart. For more information, see [Manage connectivity and reliable messaging by using Azure IoT Hub device SDKs](../iot-hub/iot-hub-reliability-features-in-sdks.md).
419+
- **Set the module restart policy to `always`.** In your deployment manifest, set `"restartPolicy": "always"` for each custom module so the container runtime restarts modules that fail after the certificate renewal cycle.
420+
- **Notify dependents of downtime.** If your solution has upstream services or dashboards that consume IoT Edge module telemetry, notify those dependents that a brief disruption will occur during the renewal window.
400421

401422
### Example: use Edge CA certificate files from PKI provider
402423

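Review bot: the "Schedule renewal for a maintenance window" bullet mislabels `threshold = "10d"` as "an absolute time"; `10d` is a fixed duration before expiry (the same quantity the table above expresses as a percentage), so suggest "Set `threshold` to a fixed duration before expiry (for example, `threshold = "10d"`) instead of a percentage so the renewal happens at a predictable point." Two smaller points in the same hunk: the `Default threshold (80%)` column repeats the same value on every row and can be dropped in favor of the header sentence; and the "Set the module restart policy to `always`" bullet only helps a module whose process actually exits, so it should say that the module must fail fast (exit non-zero) when it cannot reestablish its EdgeHub connection, otherwise a module that keeps running without reconnecting is never restarted by the container runtime.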
articles/iot-edge/troubleshoot-common-errors.md

Lines changed: 25 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Troubleshoot Azure IoT Edge common errors
33
description: Resolve common issues in Azure IoT Edge solutions. Learn how to troubleshoot issues with provisioning, deployment, the IoT Edge runtime, and networking.
44
author: sethmanheim
55
ms.author: sethm
6-
ms.date: 03/03/2026
6+
ms.date: 04/13/2026
77
ms.topic: troubleshooting-general
88
ms.service: azure-iot-edge
99
services: iot-edge
@@ -378,6 +378,30 @@ If you change the TTL value for your application to a value that's shorter than
378378

379379
To configure the *MessageCleanupIntervalSecs* value, set the environment variable in the deployment manifest for the IoT Edge hub module. For more information about setting runtime environment variables, see [Edge Agent and Edge Hub Environment Variables](https://github.com/Azure/iotedge/blob/main/doc/EnvironmentVariables.md).
380380

381+
### Custom modules stop sending messages after Edge CA certificate renewal
382+
383+
#### Symptoms
384+
385+
Custom modules stop communicating with EdgeHub after running for a period of time, typically around 24-30 days when using the default 30-day quickstart Edge CA certificate, or at 80% of the configured certificate lifetime. The EdgeHub and EdgeAgent modules continue to run, but custom modules can no longer send or receive messages through EdgeHub.
386+
387+
#### Cause
388+
389+
When the Edge CA certificate auto-renews, IoT Edge stops and restarts all modules so they receive new server certificates. After the restart, modules must reestablish their connection to EdgeHub. If a custom module doesn't implement connection retry logic, the module starts but can't reconnect to EdgeHub because the new EdgeHub server certificate isn't yet available or the module doesn't retry the initial connection attempt.
390+
391+
#### Solution
392+
393+
Check the EdgeAgent logs for certificate renewal events:
394+
395+
```bash
396+
sudo iotedge logs edgeAgent | grep -i "renewal"
397+
```
398+
399+
To resolve:
400+
401+
1. Verify that each custom module has `"restartPolicy": "always"` in the deployment manifest.
402+
1. Implement connection retry logic in custom modules. Use the Azure IoT device SDK's built-in retry policies, or add exponential backoff retry logic so the module automatically reconnects to EdgeHub after a restart. For more information, see [Manage connectivity and reliable messaging by using Azure IoT Hub device SDKs](../iot-hub/iot-hub-reliability-features-in-sdks.md).
403+
1. To control when the renewal disruption occurs, set the `threshold` to an absolute time instead of a percentage. For example, `threshold = "10d"` triggers renewal 10 days before certificate expiry. For more information, see [Plan for Edge CA renewal](how-to-manage-device-certificates.md#plan-for-edge-ca-renewal).
404+
381405
### IoT Edge Hub reports System.FormatException error when using AMQP protocol
382406

383407
#### Symptoms
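Review bot: the Solution step "Verify that each custom module has `"restartPolicy": "always"`" does not by itself address the Cause stated just above it, where the module "starts but can't reconnect to EdgeHub": a container restart policy fires only when the process exits, so a module that stays up without a connection is never restarted. Suggest adding that the module should exit with a non-zero code once its retry budget is exhausted, so that the restart policy and the SDK retry logic in step 2 work together. The Symptoms paragraph says "around 24-30 days" for the 30-day quickstart certificate, while the renewal table added in how-to-manage-device-certificates.md places renewal at day 24 for that lifetime; "around day 24 (80% of the 30-day lifetime)" would keep the two articles consistent. Step 3 repeats the "absolute time" wording from the other file; `threshold = "10d"` is a duration before expiry, not an absolute time, as the next sentence in that step already says.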
