Standardize placeholders in cloud-hsm docset

msmbaldwin · msmbaldwin · commit 8020cf94c8e2 · 2026-03-26T15:59:31.000-07:00
- Convert PascalCase placeholders to lowercase kebab-case
- Fix backslash-escaped placeholders to backtick-wrapped format
- Convert underscore separators to hyphens
- Update ms.date for modified files

Files modified:
- backup-restore.md
- pkcs-api-certificate-storage.md
- quickstart-powershell.md
- synchronize-users-keys.md
- troubleshoot.md
- tutorial-certificate-storage.md
- tutorial-operation-event-logging.md
diff --git a/articles/cloud-hsm/backup-restore.md b/articles/cloud-hsm/backup-restore.md
@@ -4,7 +4,7 @@ description: Learn how to back up and restore your Azure Cloud HSM resources, in
 author: msmbaldwin
 ms.service: azure-cloud-hsm
 ms.topic: tutorial
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: mbaldwin
 
 # Customer intent: As a security administrator, I need to back up and restore Azure Cloud HSM resources to ensure business continuity and facilitate disaster recovery.
@@ -49,10 +49,10 @@ Create a new user-assigned managed identity in your existing Azure Cloud HSM res
 ```azurepowershell-interactive
 # Define parameters for the new managed identity
 $identity = @{
-    Location          = "<RegionName>"                                         
-    ResourceName      = "<ManagedIdentityName>"                                         
-    ResourceGroupName = "<ResourceGroupName>"
-    SubscriptionID    = "<SubscriptionID>"     
+    Location          = "<location>"                                         
+    ResourceName      = "<managed-identity-name>"                                         
+    ResourceGroupName = "<resource-group>"
+    SubscriptionID    = "<subscription-id>"     
 }
 
 # Create a new user-assigned managed identity in the specified resource group and location
@@ -71,21 +71,21 @@ Each Cloud HSM cluster can have only one managed identity. You can use the same
 ```azurepowershell-interactive
 # Define the parameters for the source Cloud HSM resource
 $sourceCloudHSM = @{
-    Location          = "<RegionName>"                              
+    Location          = "<location>"                              
     Sku               = @{ "family" = "B"; "Name" = "Standard_B1" } 
-    ResourceName      = "<SourceCloudHSMName>"                
+    ResourceName      = "<source-hsm-name>"                
     ResourceType      = "microsoft.hardwaresecuritymodules/cloudHsmClusters" 
-    ResourceGroupName = "<SourceResourceGroupName>"             
+    ResourceGroupName = "<source-resource-group>"             
     Force             = $true                                    
 }
 
 # Define the parameters for the destination Cloud HSM resource
 $destinationCloudHSM = @{
-    Location          = "<RegionName>"                              
+    Location          = "<location>"                              
     Sku               = @{ "family" = "B"; "Name" = "Standard_B1" } 
-    ResourceName      = "<DestinationCloudHSMName>"            
+    ResourceName      = "<destination-hsm-name>"            
     ResourceType      = "microsoft.hardwaresecuritymodules/cloudHsmClusters" 
-    ResourceGroupName = "<DestinationResourceGroupName>"             
+    ResourceGroupName = "<destination-resource-group>"             
     Force             = $true                                    
 }
 
@@ -95,11 +95,11 @@ $chsmMSIPatch = '{
         "Family": "B",
         "Name": "Standard_B1"
     },
-    "Location": "<RegionName>",    
+    "Location": "<location>",    
     "Identity": {
         "type": "UserAssigned",
         "userAssignedIdentities": {
-            "/subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<ManagedIdentityName>": {}
+            "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>": {}
         }
     }
 }'
@@ -138,37 +138,37 @@ Read/write access is granted for both the source and the destination.
 
 ```azurepowershell-interactive
 # Define the subscription ID
-$subscriptionId = "<SubscriptionID>"
+$subscriptionId = "<subscription-id>"
 
 # Define storage account parameters
 $storageAccount = @{
-    Location          = "<RegionName>"                    
-    ResourceGroupName = "<BackupResourceGroupName>" 
-    AccountName       = "<ResourceName>"      # Name of the storage account
-    SkuName           = "<StorageAccountSKU>"     # Storage account tier (example: Standard_LRS)
-    Kind              = "<StorageAccountType>"       #Type of storage account (example: StorageV2)
+    Location          = "<location>"                    
+    ResourceGroupName = "<backup-resource-group>" 
+    AccountName       = "<storage-account-name>"      # Name of the storage account
+    SkuName           = "<storage-sku>"     # Storage account tier (example: Standard_LRS)
+    Kind              = "<storage-type>"       #Type of storage account (example: StorageV2)
 }
 
 # Define the blob container parameters
 $container = @{
     ResourceGroupName  = $storageAccount.ResourceGroupName # Resource group name where the storage account is located
     StorageAccountName = $storageAccount.AccountName      # Name of the storage account
-    ContainerName      = "<StorageContainerName>"              # Name of the blob container
+    ContainerName      = "<container-name>"              # Name of the blob container
 }
 
 # Define the private endpoint parameters
 # Storage accounts are publicly accessible, so put it behind a private virtual network
 $privateEndpoint = @{
-    Name              = "<PrivateEndpointName>"
-    VnetName          = "<ExistingVNetName>"  # Name of the existing virtual network
-    SubnetName        = "<ExistingSubnetName>"  # Name of the existing subnet within the virtual network
-    ResourceGroupName = "<ResourceGroupName>" # Resource group for private virtual network and subnet (example: CHSM-CLIENT-RG)
+    Name              = "<private-endpoint-name>"
+    VnetName          = "<vnet-name>"  # Name of the existing virtual network
+    SubnetName        = "<subnet-name>"  # Name of the existing subnet within the virtual network
+    ResourceGroupName = "<resource-group>" # Resource group for private virtual network and subnet (example: CHSM-CLIENT-RG)
 }
 
 # Define the role assignment parameters
 $roleAssignment = @{
     RoleDefinitionName = "Storage Blob Data Contributor"  # Minimum RBAC role required
-    PrincipalId        = "<PrincipalId>"  # The ID of the managed identity or user to assign the role to
+    PrincipalId        = "<principal-id>"  # The ID of the managed identity or user to assign the role to
     Scope              = "/subscriptions/$($subscriptionId)/resourceGroups/$($storageAccount.ResourceGroupName)/providers/Microsoft.Storage/storageAccounts/$($storageAccount.AccountName)"
 }
 
diff --git a/articles/cloud-hsm/pkcs-api-certificate-storage.md b/articles/cloud-hsm/pkcs-api-certificate-storage.md
@@ -5,7 +5,7 @@ author: keithp
 manager: keithp
 ms.service: azure-cloud-hsm
 ms.topic: tutorial
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: keithp
 ms.custom: pkcs11, certificate-management, x509-certificates, azure-cloud-hsm
 
@@ -118,7 +118,7 @@ The following attributes are applicable to X.509 public key certificates.
 
 ### C_DestroyObject
 
-The C_DestroyObject API takes a session handle, and the object handle associated with the certificate you want to delete. Invoking this function removes the specified certificate from the Azure Blob Storage Account by deleting the corresponding JWS blob named pkcs11_certificate_<cert_handle>.
+The C_DestroyObject API takes a session handle, and the object handle associated with the certificate you want to delete. Invoking this function removes the specified certificate from the Azure Blob Storage Account by deleting the corresponding JWS blob named `pkcs11_certificate_<cert-handle>`.
 
 Below is a code snippet demonstrating how to call C_DestroyObject for certificates (the same approach applies to keys).
 
@@ -349,7 +349,7 @@ Azure Cloud HSM includes sample application code to help validate certificate st
 
 ### Verify certificates in storage
 
-After a successful call to the C_CreateObject() API, the newly created certificate object will appear in your Azure Blob Storage account, as specified in the azcloudhsm_application.cfg file. The blob will be named using the format pkcs11_certificate_\<ObjectHandle\>, as shown below. Certificate objects are assigned object handles ranging from 0xFFF00000 to 0xFFFFFFFF (decimal range: 4,293,918,720 to 4,294,967,295), allowing support for up to 1,048,575 certificates.
+After a successful call to the C_CreateObject() API, the newly created certificate object will appear in your Azure Blob Storage account, as specified in the azcloudhsm_application.cfg file. The blob will be named using the format `pkcs11_certificate_<object-handle>`, as shown below. Certificate objects are assigned object handles ranging from 0xFFF00000 to 0xFFFFFFFF (decimal range: 4,293,918,720 to 4,294,967,295), allowing support for up to 1,048,575 certificates.
 
 From both Azure portal as well as from your Azure VM you can see the certificates stored.
 
diff --git a/articles/cloud-hsm/quickstart-powershell.md b/articles/cloud-hsm/quickstart-powershell.md
@@ -5,7 +5,7 @@ author: keithp
 manager: keithp
 ms.service: azure-cloud-hsm
 ms.topic: quickstart
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: keithp
 
 #customer intent: As an IT pro decision-maker, I'm looking for key storage capability within the Azure cloud platform that meets FIPS 140-3 Level 3 certification and that gives me exclusive access to a dedicated hardware security module.
@@ -36,11 +36,11 @@ The following example code creates a resource group and a Cloud HSM instance. Yo
 ```azurepowershell-interactive
 # Define variables for your Cloud HSM deployment
 $server = @{
-    Location = "<RegionName>"
+    Location = "<location>"
     Sku = @{"family" = "B"; "Name" = "Standard_B1" }
-    ResourceName = "<HSMName>"
+    ResourceName = "<hsm-name>"
     ResourceType = "microsoft.hardwaresecuritymodules/cloudHsmClusters"
-    ResourceGroupName = "<ResourceGroupName>"
+    ResourceGroupName = "<resource-group>"
     Force = $true
 }
 
@@ -63,9 +63,9 @@ If you plan to use backup and restore functionality, you can create and configur
 ```azurepowershell-interactive
 # Define parameters for the new managed identity
 $identity = @{
-    Location          = "<RegionName>"                                         
-    ResourceName      = "<ManagedIdentityName>"                                         
-    ResourceGroupName = "<ResourceGroupName>"
+    Location          = "<location>"                                         
+    ResourceName      = "<managed-identity-name>"                                         
+    ResourceGroupName = "<resource-group>"
 }
 
 # Create a new user-assigned managed identity
@@ -105,7 +105,7 @@ For production environments, we strongly recommend that you configure a private
 ```azurepowershell-interactive
 # Define private endpoint parameters
 $privateEndpoint = @{
-    Name = "<PrivateEndpointName>"
+    Name = "<private-endpoint-name>"
     ResourceGroupName = $server.ResourceGroupName
     Location = $server.Location
     Subnet = $subnet # You need to have $subnet defined with your subnet configuration
@@ -128,10 +128,10 @@ New-AzPrivateEndpoint @privateEndpoint
 When you run the `New-AzResource` command with the `-AsJob` parameter, it creates a background job to deploy your Cloud HSM resource. You can check the status of the deployment by running:
 
 ```azurepowershell-interactive
-Get-Job -Id <JobId> | Receive-Job
+Get-Job -Id <job-id> | Receive-Job
 ```
 
-In the preceding command, `<JobId>` is the ID that the system returned when you ran the `New-AzResource` command.
+In the preceding command, `<job-id>` is the ID that the system returned when you ran the `New-AzResource` command.
 
 The deployment is complete when you see a successful result from the job or when you can verify that the resource exists in your Azure subscription.
 
diff --git a/articles/cloud-hsm/synchronize-users-keys.md b/articles/cloud-hsm/synchronize-users-keys.md
@@ -5,7 +5,7 @@ author: keithp
 manager: davinune
 ms.service: azure-cloud-hsm
 ms.topic: how-to
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: keithp
 ---
 
@@ -54,7 +54,7 @@ All users in Azure Cloud HSM are fully managed by the customer. The service does
 1. Sign in as a cryptography officer (CO):
 
    ```bash
-   loginHSM CO admin <adminPassword>
+   loginHSM CO admin <admin-password>
    ```
 
    Verify that you successfully signed in to all three nodes:
@@ -74,11 +74,11 @@ All users in Azure Cloud HSM are fully managed by the customer. The service does
    server 0
    ```
 
-1. Run the `syncUser` command for each server where the user is missing. Replace `<UserID>` with the actual User ID:
+1. Run the `syncUser` command for each server where the user is missing. Replace `<user-id>` with the actual User ID:
 
    ```bash
-   syncUser <UserID> 1
-   syncUser <UserID> 2
+   syncUser <user-id> 1
+   syncUser <user-id> 2
    ```
 
    > [!NOTE]
@@ -116,7 +116,7 @@ When you create keys, it's your responsibility to ensure keys are present on all
 1. Sign in as a cryptography officer (CO):
 
    ```bash
-   loginHSM CO admin <adminPassword>
+   loginHSM CO admin <admin-password>
    ```
 
    Verify that you successfully signed in to all three nodes:
@@ -143,11 +143,11 @@ When you create keys, it's your responsibility to ensure keys are present on all
    server 0
    ```
 
-1. Run the `syncKey` command for each server where the key is missing. Replace `<KeyHandle>` with the actual key handle ID:
+1. Run the `syncKey` command for each server where the key is missing. Replace `<key-handle>` with the actual key handle ID:
 
    ```bash
-   syncKey <KeyHandle> 1
-   syncKey <KeyHandle> 2
+   syncKey <key-handle> 1
+   syncKey <key-handle> 2
    ```
 
    For example, to synchronize key handle 262150 to servers 1 and 2:
diff --git a/articles/cloud-hsm/troubleshoot.md b/articles/cloud-hsm/troubleshoot.md
@@ -5,7 +5,7 @@ author: keithp
 manager: davinune
 ms.service: azure-cloud-hsm
 ms.topic: troubleshooting-general
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: keithp
 ---
 
@@ -184,7 +184,7 @@ cd C:\Program Files\Microsoft Azure Cloud HSM Client SDK
 
 The PKCS#11 library knows how to find the client configuration because you must have a copy of your partition owner certificate (`PO.crt`) on the application server that's running your application and using the PKCS#11 library. In addition to the partition owner certificate:
 
-- You have to update `/azcloudhsm_client/azcloudhsm_client.cfg` on the application server that has the SDK installed to point to your Azure Cloud HSM deployment (that is, `hsm1.chsm-<resourcename>-<uniquestring>.privatelink.cloudhsm.azure.net`).
+- You have to update `/azcloudhsm_client/azcloudhsm_client.cfg` on the application server that has the SDK installed to point to your Azure Cloud HSM deployment (that is, `hsm1.chsm-<resource-name>-<unique-string>.privatelink.cloudhsm.azure.net`).
 - The `azcloudhsm_client` tool must be running on the application server that connects to your Azure Cloud HSM deployment.
 - You must specify a PIN within your PKCS#11 application by using the syntax `<username>:<password>`. This PIN is used for calling `C_Login` to your Azure Cloud HSM deployment.
 - You must include `pkcs11_headers/include/cryptoki.h` and `pkcs11_headers/include/pkcs11t.h` in your PKCS#11 application to use the PKCS#11 library for Azure Cloud HSM.
@@ -193,7 +193,7 @@ The PKCS#11 library knows how to find the client configuration because you must
 
 The `azcloudhsm_pkcs11.dll` file in the Azure Cloud HSM Windows SDK knows how to find the client configuration because you must have a copy of your partition owner certificate (`PO.crt`) on the application server that's running your application and using the PKCS#11 library. In addition to the partition owner certificate:
 
-- You have to update `/azcloudhsm_client/azcloudhsm_client.cfg` on the application server that has the SDK installed to point to your Azure Cloud HSM deployment (that is, `hsm1.chsm-<resourcename>-<uniquestring>.privatelink.cloudhsm.azure.net`).
+- You have to update `/azcloudhsm_client/azcloudhsm_client.cfg` on the application server that has the SDK installed to point to your Azure Cloud HSM deployment (that is, `hsm1.chsm-<resource-name>-<unique-string>.privatelink.cloudhsm.azure.net`).
 - The `azcloudhsm_client` tool must run on the application server that connects to your Azure Cloud HSM deployment.
 - You must specify a PIN within your PKCS#11 application by using the syntax `<username>:<password>`. This PIN is used for calling `C_Login` to your Azure Cloud HSM deployment.
 - You must include `pkcs11_headers\include\cryptoki.h` and `pkcs11_headers\include\pkcs11t.h` in your PKCS#11 application to use the PKCS#11 library for Azure Cloud HSM.
diff --git a/articles/cloud-hsm/tutorial-certificate-storage.md b/articles/cloud-hsm/tutorial-certificate-storage.md
@@ -5,7 +5,7 @@ author: keithp
 manager: keithp
 ms.service: azure-cloud-hsm
 ms.topic: tutorial
-ms.date: 03/20/2025
+ms.date: 03/26/2026
 ms.author: keithp
 ms.custom: certificate-storage, pkcs11, azure-blob-storage, managed-identity
 
@@ -26,7 +26,7 @@ The following prerequisites are required to support certificate storage with Azu
 - Azure Cloud HSM resource is deployed, initialized, and configured.
 - Azure Cloud HSM Client SDK
 - Copy of partition owner certificate "PO.crt" on application server.
-- Known address of your HSM "hsm1.chsm-\<resourcename\>-\<uniquestring\>.privatelink.cloudhsm.azure.net".
+- Known address of your HSM `hsm1.chsm-<resource-name>-<unique-string>.privatelink.cloudhsm.azure.net`.
 - Knowledge of Crypto User credentials
 
 ### Certificate storage prerequisites
diff --git a/articles/cloud-hsm/tutorial-operation-event-logging.md b/articles/cloud-hsm/tutorial-operation-event-logging.md
