Audit key-vault/certificates docset: fix links, style, grammar

- Fix broken PowerShell docs link in overview-renew-certificate.md
- Fix incorrect CLI anchor for list-versions command
- Fix 'Save a secret' heading → 'Save a certificate' in Java quickstart
- Normalize [!Note] → [!NOTE] across multiple files
- Remove legacy '| Microsoft Docs' from title fields
- Replace 'Click' with 'Select' per MS style guide
- Fix grammar: 'an TLS' → 'a TLS', subject-verb agreement
- Rename 'See Also' → 'Next steps' in create-certificate.md
- Fix heading casing in certificate-scenarios.md
- Update stale faq.yml (ms.date from 2022) and modernize RBAC guidance
- Remove deprecated tags: field from front matter
- Fix escaped quotes in PowerShell quickstart code block
- Remove 'Applies To: Azure' from create-certificate-scenarios.md
- Update ms.date on all modified files

Co-authored-by: Copilot <[email protected]>

Author: msmbaldwin

articles/key-vault/certificates/about-certificates.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: overview
-ms.date: 04/14/2025
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 ms.custom: sfi-image-nochange
@@ -23,7 +23,7 @@ Azure Key Vault certificate support provides for management of your X.509 certif
 - Allows a certificate owner to provide contact information for notifications about the lifecycle events of expiration and renewal.  
 - Supports automatic renewal with selected issuers: Key Vault partner X.509 certificate providers and CAs.
 
-  > [!Note]
+  > [!NOTE]
   > Non-partnered providers and authorities are also allowed but don't support automatic renewal.
 
 For details on certificate creation, see [Certificate creation methods](create-certificate.md).
@@ -65,14 +65,14 @@ A response includes these additional read-only attributes:
 - `exp`: `IntDate` contains the value of the expiration date of the X.509 certificate.  
 - `nbf`: `IntDate` contains the value of the "not before" date of the X.509 certificate.  
 
-> [!Note] 
+> [!NOTE] 
 > If a Key Vault certificate expires it can still be retrieved, but certificate may become inoperable in scenarios like TLS protection where expiration of certificate is validated.  
 
 ### Tags
 
 Tags for certificates are a client-specified dictionary of key/value pairs, much like tags in keys and secrets.  
 
-> [!Note]
+> [!NOTE]
 > A caller can read tags if they have the *list* or *get* permission to that object type (keys, secrets, or certificates).
 
 ## Certificate policy
@@ -136,7 +136,7 @@ Key Vault allows for the creation of multiple issuer objects with different issu
 
 Issuer objects are created in the vault. They can be used only with Key Vault certificates in the same vault.  
 
->[!Note]
+>[!NOTE]
 >Publicly trusted certificates are sent to CAs and certificate transparency (CT) logs outside the Azure boundary during enrollment. They're covered by the GDPR policies of those entities.
 
 ## Certificate contacts

articles/key-vault/certificates/certificate-scenarios.md

@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: get-started
-ms.date: 01/30/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 ms.custom: sfi-image-nochange
@@ -58,7 +58,7 @@ Note - This process, through **Step 3b**, is a onetime operation.
 
 **Step 4:** The following descriptions correspond to the green numbered steps in the preceding diagram.  
   (1) - In the diagram above, your application is creating a certificate which internally begins by creating a key in your key vault.  
-  (2) - Key Vault sends an TLS/SSL Certificate Request to the CA.  
+  (2) - Key Vault sends a TLS/SSL Certificate Request to the CA.  
   (3) - Your application polls, in a loop and wait process, for your Key Vault for certificate completion. The certificate creation is complete when Key Vault receives the CA’s response with x509 certificate.  
   (4) - The CA responds to Key Vault's TLS/SSL Certificate Request with an X509 TLS/SSL Certificate.  
   (5) - Your new certificate creation completes with the merger of the X509 Certificate for the CA.  
@@ -94,7 +94,7 @@ Key Vault service sends requests to CA (outbound traffic). Therefore, it’s ful
 
 -   Also, the user can edit the policy, which is functional at the time of import but contains defaults where no information was specified at import. For example, no issuer info  
 
-### Formats of Import we support
+### Formats of import we support
 Azure Key Vault supports .pem and .pfx certificate files for importing Certificates into Key vault.
 We support the following type of Import for PEM file format. A single PEM encoded certificate along with a PKCS#8 encoded, unencrypted key which has the following format:
 
@@ -109,18 +109,18 @@ We support the following type of Import for PEM file format. A single PEM encode
 When you are importing the certificate, you need to ensure that the key is included in the file itself. If you have the private key separately in a different format, you would need to combine the key with the certificate. Some certificate authorities provide certificates in different formats, therefore before importing the certificate, make sure that they are either in .pem or .pfx format. 
 
 
->[!Note]
+>[!NOTE]
 >Ensure that no other meta data is present in the certificate file and that the private key not showing as encrypted.
 
-### Formats of Merge CSR we support
+### Formats of merge CSR we support
 
 Azure Key Vault supports PKCS#8 encoded certificate with below headers:
 
 -----BEGIN CERTIFICATE-----
 
 -----END CERTIFICATE-----
 
->[!Note]
+>[!NOTE]
 > P7B (PKCS#7) signed certificates chain, commonly used by Certificate Authorities (CAs), is supported as long as is base64 encoded. You may use [certutil -encode](/windows-server/administration/windows-commands/certutil#-encode) to convert to supported format.
 
 ## Creating a certificate with a CA not partnered with Key Vault  

articles/key-vault/certificates/create-certificate-scenarios.md

@@ -14,7 +14,6 @@ ms.author: mbaldwin
 ---
 
 # Monitor and manage certificate creation
-Applies To: Azure
 
 The scenarios / operations outlined in this article are:
 

articles/key-vault/certificates/create-certificate.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: concept-article
-ms.date: 04/14/2025
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 
@@ -38,9 +38,9 @@ The following descriptions correspond to the green lettered steps in the precedi
 The following descriptions correspond to the green lettered steps in the preceding diagram.
 
 1. In the diagram, your application is creating a certificate, which internally begins by creating a key in your key vault.
-2. Key Vault sends an TLS/SSL Certificate Request to the CA.
+2. Key Vault sends a TLS/SSL Certificate Request to the CA.
 3. Your application polls, in a loop and wait process, for your Key Vault for certificate completion. The certificate creation is complete when Key Vault receives the CA’s response with x509 certificate.
-4. The CA responds to Key Vault's TLS/SSL Certificate Request with an TLS/SSL X.509 certificate.
+4. The CA responds to Key Vault's TLS/SSL Certificate Request with a TLS/SSL X.509 certificate.
 5. Your new certificate creation completes with the merger of the TLS/SSL X.509 certificate for the CA.
 
 ## Asynchronous process
@@ -50,7 +50,7 @@ KV certificate creation is an asynchronous process. This operation will create a
 When a request to create a KV certificate completes, the status of the pending object will change to "completed" from "in progress", and a new version of the KV certificate will be created. This will become the current version.  
 
 ## First creation
- When a KV certificate is created for the first time, an addressable key and secret is also created with the same name as the certificate. If the name is already in use, then the operation will fail with an http status code of 409 (conflict).
+ When a KV certificate is created for the first time, an addressable key and secret are also created with the same name as the certificate. If the name is already in use, then the operation will fail with an http status code of 409 (conflict).
  The addressable key and secret get their attributes from the KV certificate attributes. The addressable key and secret created this way are marked as managed keys and secrets, whose lifetime is managed by Key Vault. Managed keys and secrets are read-only. Note: If a KV certificate expires or is disabled, the corresponding key and secret will become inoperable.  
 
  If this is the first operation to create a KV certificate, a policy is required.  A policy can also be supplied with successive create operations to replace the policy resource. If a policy isn't supplied, then the policy resource on the service is used to create a next version of KV certificate. While a request to create a next version is in progress, the current KV certificate, and corresponding addressable key and secret, remain unchanged.  
@@ -89,7 +89,7 @@ When an order is placed with the issuer provider, it may honor or override the x
 
  Authorization: Requires the certificates/create permission.
 
-## See Also
+## Next steps
 
  - How-to guide to create certificates in Key Vault using [Portal](./quick-create-portal.md), [Azure CLI](./quick-create-cli.md), [Azure PowerShell](./quick-create-powershell.md)
  - [Monitor and manage certificate creation](create-certificate-scenarios.md)

articles/key-vault/certificates/faq.yml

@@ -8,7 +8,7 @@ metadata:
   ms.service: azure-key-vault
   ms.subservice: certificates
   ms.topic: overview
-  ms.date: 05/25/2022
+  ms.date: 04/10/2026
   ms.author: mbaldwin
 title: Importing Azure Key Vault certificates FAQ
 summary: This article answers frequently asked questions about Azure Key Vault certificates.
@@ -46,9 +46,9 @@ sections:
       - question: |
           How can I resolve this error? "Error type: Access denied or user is unauthorized to import certificate"
         answer: |
-          The import operation requires that you grant the user permissions to import the certificate under the access policies. To do so, go to your key vault, select **Access policies** > **Add Access Policy** > **Select Certificate Permissions** > **Principal**, search for the user, and then add the user's email address. 
+          The import operation requires that you grant the user permissions to import the certificate. If you're using Azure RBAC (recommended), assign the **Key Vault Certificates Officer** role to the user. If you're using access policies (legacy), go to your key vault, select **Access policies** > **Add Access Policy** > **Select Certificate Permissions** > **Principal**, search for the user, and then add the user's email address. 
           
-          For more information about certificate-related access policies, see [About Azure Key Vault certificates](./about-certificates.md#certificate-access-control).
+          For more information about certificate-related access control, see [About Azure Key Vault certificates](./about-certificates.md#certificate-access-control).
       - question: |
           How can I resolve this error? "Error type: Conflict when creating a certificate"
         answer: |

articles/key-vault/certificates/how-to-export-certificate.md

@@ -3,7 +3,6 @@ title: Export certificates from Azure Key Vault
 description: Learn how to export certificates from Azure Key Vault.
 services: key-vault
 author: msmbaldwin
-tags: azure-key-vault
 
 ms.service: azure-key-vault
 ms.subservice: certificates

articles/key-vault/certificates/overview-renew-certificate.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: overview
-ms.date: 03/26/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 ---
@@ -76,7 +76,7 @@ Use the Azure CLI [az keyvault certificate create](/cli/azure/keyvault/certifica
 az keyvault certificate create --vault-name "<vault-name>" -n "<certificate-name>" -p "$(az keyvault certificate get-default-policy)"
 ```
 
-After renewing the certificate, you can view all the versions of the certificate using the Azure CLI [az keyvault certificate list-versions](/cli/azure/keyvault/certificate#az-keyvault-certificate-list) command:
+After renewing the certificate, you can view all the versions of the certificate using the Azure CLI [az keyvault certificate list-versions](/cli/azure/keyvault/certificate#az-keyvault-certificate-list-versions) command:
 
 ```azurecli-interactive
 az keyvault certificate list-versions --vault-name "<vault-name>" -n "<certificate-name>"
@@ -92,7 +92,7 @@ $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs
 Add-AzKeyVaultCertificate -VaultName "<vault-name>" -Name "<certificate-name>" -CertificatePolicy $Policy
 ```
 
-After renewing the certificate, you can view all the versions of the certificate using the Azure PowerShell [Get-AzKeyVaultCertificate](/cli/azure/keyvault/certificate#az-keyvault-certificate-list) cmdlet:
+After renewing the certificate, you can view all the versions of the certificate using the Azure PowerShell [Get-AzKeyVaultCertificate](/powershell/module/az.keyvault/get-azkeyvaultcertificate) cmdlet:
 
 ```azurepowershell-interactive
 Get-AzKeyVaultCertificate "<vault-name>" -Name "<certificate-name>" -IncludeVersions

articles/key-vault/certificates/quick-create-java.md

@@ -4,7 +4,7 @@ description: Learn about the Azure Key Vault Certificate client library for Java
 author: msmbaldwin
 ms.custom: devx-track-java, devx-track-azurecli, devx-track-azurepowershell, mode-api, passwordless-java, devx-track-extended-java
 ms.author: mbaldwin
-ms.date: 03/30/2026
+ms.date: 04/10/2026
 
 ms.service: azure-key-vault
 ms.subservice: certificates
@@ -187,7 +187,7 @@ CertificateClient certificateClient = new CertificateClientBuilder()
     .buildClient();
 ```
 
-### Save a secret
+### Save a certificate
 
 Now that your application is authenticated, you can create a certificate in your key vault using the `certificateClient.beginCreateCertificate` method. This requires a name for the certificate and a certificate policy -- we've assigned the value "myCertificate" to the `certificateName` variable in this sample and use a default policy.
 

articles/key-vault/certificates/quick-create-portal.md

@@ -1,13 +1,13 @@
 ---
-title: Azure Quickstart - Set and retrieve a certificate from Key Vault using Azure portal | Microsoft Docs
+title: Azure Quickstart - Set and retrieve a certificate from Key Vault using Azure portal
 description: Quickstart showing how to set and retrieve a certificate from Azure Key Vault using the Azure portal
 services: key-vault
 author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: quickstart
 ms.custom: mvc, mode-ui, sfi-image-nochange
-ms.date: 01/30/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store certificates in Azure
@@ -28,24 +28,24 @@ Sign in to the [Azure portal](https://portal.azure.com).
 
 ## Add a certificate to Key Vault
 
-To add a certificate to the vault, you just need to take a couple of additional steps. In this case, we add a self-signed certificate that could be used by an application. The certificate is called **ExampleCertificate**.
+To add a certificate to the vault, you just need to take a couple of additional steps. In this case, you add a self-signed certificate that could be used by an application. The certificate is called **ExampleCertificate**.
 
 1. On the Key Vault properties pages, select **Certificates**.
-2. Click on **Generate/Import**.
+2. Select **Generate/Import**.
 3. On the **Create a certificate** screen choose the following values:
     - **Method of Certificate Creation**: Generate.
     - **Certificate Name**: ExampleCertificate.
     - **Subject**: CN=ExampleDomain
     - Leave the other values to their defaults. (By default, if you don't specify anything special in Advanced policy, it'll be usable as a client auth certificate.)
- 4. Click **Create**.
+ 4. Select **Create**.
 
-Once you receive the message that the certificate has been successfully created, you may click on it on the list. You can then see some of the properties. If you click on the current version, you can see the value you specified in the previous step.
+Once you receive the message that the certificate has been successfully created, you can select it on the list. You can then see some of the properties. If you select the current version, you can see the value you specified in the previous step.
 
 ![Certificate properties](../media/certificates/quick-create-portal/current-version-hidden.png)
 
 ## Export certificate from Key Vault
 
-By clicking "Download in CER format" or "Download in PFX/PEM format" button, you can download the certificate.
+By selecting **Download in CER format** or **Download in PFX/PEM format** button, you can download the certificate.
 
 ![Certificate download](../media/certificates/quick-create-portal/current-version-shown.png)
 

articles/key-vault/certificates/quick-create-powershell.md

@@ -7,7 +7,7 @@ ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: quickstart
 ms.custom: mvc, devx-track-azurepowershell, mode-api
-ms.date: 03/26/2026
+ms.date: 04/10/2026
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure
 ---
@@ -40,7 +40,7 @@ You can now add a certificate to the vault. This certificate could be used by an
 Use these commands to create a self-signed certificate with policy called **ExampleCertificate** :
 
 ```azurepowershell-interactive
-$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType \"application/x-pkcs12\" -SubjectName \"CN=<domain-name>\" -IssuerName \"Self\" -ValidityInMonths 6 -ReuseKeyOnRenewal
+$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=<domain-name>" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal
 
 Add-AzKeyVaultCertificate -VaultName "<vault-name>" -Name "ExampleCertificate" -CertificatePolicy $Policy
 ```