
Commit 74c52ae

rido-min authored and karann-msft committed
Docs for Certificate Registration (NuGet#886)

* register certs doc
* Cert registration. Update related topics
* fix broken links. Update TOC
* fix warning within the Important note
* Update Signed-Packages-Reference.md
* Small edits, set ms.author to MSFT alias
* Small edits
* Small edits
* Integrate cert reg in current sign reference page (merging anand branch)
* fix bookmark links
* Small edits, image borders, and checking en-us links
* Update Publish-a-package.md
* Update TOC.md
* update signers config screenshot
* add sig requirements
* Small edit
* Change v3 feed from link to code
* Tweak link
* Edits
* Link
1 parent aeb4668 commit 74c52ae

11 files changed

+72
-23
lines changed


docs/TOC.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@
8484
## [Errors and warnings](reference/errors-and-warnings.md)
8585
## [ID prefix reservation](reference/id-prefix-reservation.md)
8686
## [NuGet client SDK](reference/nuget-client-sdk.md)
87-
## [Signed packages reference](reference/signed-packages-reference.md)
87+
## [Signed packages](reference/signed-packages-reference.md)
8888
## [Organizations on nuget.org](reference/organizations-on-nuget-org.md)
8989
## Extensibility
9090
### [NuGet credential providers for Visual Studio](reference/extensibility/nuget-credential-providers-for-visual-studio.md)

docs/consume-packages/Packages-and-Source-Control.md

Lines changed: 1 addition & 1 deletion
@@ -76,7 +76,7 @@ To disable source control integration with TFVC for selected files:
7676

7777
1. If you are using TFS 2010 or earlier, cloak the `packages` folder in your workspace mappings.
7878

79-
1. On TFS 2012 or later, or with Visual Studio Team Services, create a `.tfignore` file as described on [AddFiles to the Server](https://www.visualstudio.com/en-us/docs/tfvc/add-files-server#tfignore). In that file, include the content below to explicitly ignore modifications to the `\packages` folder on the repository level and a few other intermediate files. (You can create the file in Windows Explorer using the name a `.tfignore.` with the trailing dot, but you might need to disable the "Hide known file extensions" option first.):
79+
1. On TFS 2012 or later, or with Visual Studio Team Services, create a `.tfignore` file as described on [AddFiles to the Server](/vsts/tfvc/add-files-server.md?view=vsts#tfignore). In that file, include the content below to explicitly ignore modifications to the `\packages` folder on the repository level and a few other intermediate files. (You can create the file in Windows Explorer using the name a `.tfignore.` with the trailing dot, but you might need to disable the "Hide known file extensions" option first.):
8080

8181
```cli
8282
# Ignore NuGet Packages
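Review bot: the rewritten `+` line keeps the link text `AddFiles to the Server`, which is missing a space (`Add Files to the Server`); since the line is already being edited for its target, fix the text at the same time. Also run the link checker on the new root-relative target `/vsts/tfvc/add-files-server.md?view=vsts#tfignore`: a `.md` suffix followed by a query string and a fragment is a pattern the docs build does not always resolve for cross-docset links, and the same `.md` suffix is used on the PowerShell links added later in this commit.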

docs/create-packages/Publish-a-package.md

Lines changed: 8 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Detailed instructions for how to publish a NuGet package to nuget.o
44
author: kraigb
55
ms.author: kraigb
66
manager: douge
7-
ms.date: 03/19/2018
7+
ms.date: 05/18/2018
88
ms.topic: conceptual
99
ms.reviewer: anangaur
1010
---
@@ -68,6 +68,13 @@ To push packages to nuget.org you must use [nuget.exe v4.1.0 or above](https://w
6868
nuget push YourPackage.nupkg -Source https://api.nuget.org/v3/index.json
6969
```
7070
71+
#### Publish signed packages
72+
73+
To submit signed packages, you must first [register the certificate](../reference/Signed-Packages-Reference.md#register-certificate-on-nugetorg) used for signing the packages.
74+
75+
> [!Warning]
76+
> nuget.org rejects packages that don't satisfy the [signed package requirements](../reference/Signed-Packages-Reference.md#signature-requirements-on-nugetorg).
77+
7178
### Package validation and indexing
7279
7380
Packages pushed to nuget.org undergo several validations, such as virus checks. (All packages on nuget.org are periodically scanned.)
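Review bot: the two new links use `../reference/Signed-Packages-Reference.md` (mixed case) while `Sign-a-Package.md` in this same commit links to `../reference/signed-packages-reference.md` (lower case); on a case-sensitive build host only one spelling resolves, so pick the one that matches the file on disk and use it in both places. The `#register-certificate-on-nugetorg` and `#signature-requirements-on-nugetorg` anchors have to match the slugs generated from the `## Register certificate on nuget.org` and `## Signature requirements on nuget.org` headings (the dot is dropped); they look right, but confirm them with the link checker rather than by eye.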

docs/create-packages/Sign-a-Package.md

Lines changed: 0 additions & 3 deletions
@@ -21,9 +21,6 @@ Signing a package is a process that makes sure the package has not been modified
2121

2222
1. [A code signing certificate](../reference/signed-packages-reference.md#get-a-code-signing-certificate).
2323

24-
> [!Warning]
25-
> nuget.org does not currently accept signed packages. You can sign packages for publishing to custom feeds.
26-
2724
## Sign a package
2825

2926
To sign a package, use [nuget sign](../tools/cli-ref-sign.md):
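Review bot: deleting the `nuget.org does not currently accept signed packages` warning leaves this page with no mention that nuget.org now requires the signing certificate to be registered before a signed package is accepted. Replace the deleted warning with a one-line pointer to the certificate registration section (the commit adds exactly such a pointer to `Publish-a-package.md`), so a reader who starts from the signing page is not surprised by a rejected push.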

docs/reference/Errors-and-Warnings.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Complete reference for warnings and errors issued from NuGet during
44
author: kraigb
55
ms.author: kraigb
66
manager: douge
7-
ms.date: 03/06/2018
7+
ms.date: 05/18/2018
88
ms.topic: reference
99
ms.reviewer: anangaur
1010
f1_keywords:
@@ -118,7 +118,7 @@ The errors and warnings listed here are available only with [PackageReference-ba
118118
| --- | --- |
119119
| **Issue** | The package cannot be found on any sources. |
120120
| **Example message** | *Unable to find package System.Missing. No packages exist with this id in source(s): dotnet-core, dotnet-roslyn, nuget.org* |
121-
| **Solution** | Examine the project's dependencies in Visual Studio to be sure you're using the correct package identifier and version number. Also check that the [NuGet configuration](../consume-packages/Configuring-NuGet-Behavior.md) identifies the package sources your expect to be using. If you use packages that have [Semantic Versioning 2.0.0](https://docs.microsoft.com/en-us/nuget/reference/package-versioning#semantic-versioning-200), please make sure that you are using the [V3 feed](https://api.nuget.org/v3/index.json) in the [NuGet configuration](../consume-packages/Configuring-NuGet-Behavior.md). |
121+
| **Solution** | Examine the project's dependencies in Visual Studio to be sure you're using the correct package identifier and version number. Also check that the [NuGet configuration](../consume-packages/Configuring-NuGet-Behavior.md) identifies the package sources your expect to be using. If you use packages that have [Semantic Versioning 2.0.0](../reference/package-versioning.md#semantic-versioning-200), please make sure that you are using the V3 feed, `https://api.nuget.org/v3/index.json`, in the [NuGet configuration](../consume-packages/Configuring-NuGet-Behavior.md). |
122122

123123
### NU1102
124124

docs/reference/Signed-Packages-Reference.md

Lines changed: 53 additions & 11 deletions
@@ -1,10 +1,10 @@
11
---
2-
title: Signed NuGet Packages Reference
2+
title: Signed Packages
33
description: Requirements for NuGet package signing.
44
author: rido-min
5-
ms.author: rido-min
5+
ms.author: rmpablos
66
manager: unnir
7-
ms.date: 04/24/2018
7+
ms.date: 05/18/2018
88
ms.topic: reference
99
ms.reviewer: ananguar
1010
---
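Review bot: `ms.author` changes to `rmpablos` but the unchanged `ms.reviewer: ananguar` line is left as is; `Publish-a-package.md` and `Errors-and-Warnings.md` in this same commit use `ms.reviewer: anangaur`, so one of the two spellings looks like a transposed alias and should be checked against the directory while the front matter is open.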
@@ -17,15 +17,10 @@ NuGet packages can include a digital signature that provides protection against
1717

1818
Signed packages provide the strongest end-to-end validation. An author signature guarantees that the package has not been modified since the author signed the package, no matter from which repository or what transport method the package is delivered.
1919

20-
Consumers who demand a locked-down environment can require packages signed with a specific author certificate.
21-
22-
Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time.
20+
Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time. For more information, see [Register certificates](#register-certificate-on-nugetorg).
2321

2422
For details on creating a signed package, see [Signing Packages](../create-packages/Sign-a-package.md) and the [nuget sign command](../tools/cli-ref-sign.md).
2523

26-
> [!Important]
27-
> nuget.org does not presently accept signed packages. You can sign packages for publishing to custom feeds.
28-
2924
> [!Important]
3025
> Package signing is currently supported only when using nuget.exe on Windows. Verification of signed packages is currently supported only when using nuget.exe or Visual Studio on Windows.
3126
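Review bot: the deleted sentence `Consumers who demand a locked-down environment can require packages signed with a specific author certificate.` was the only consumer-side statement on the page; after this hunk the text covers only what the author does and what nuget.org checks at submission. If consumer-side enforcement is not available yet, say so explicitly in place of the sentence rather than dropping it silently; if it is available, keep the sentence. The surviving Important note (verification only with nuget.exe or Visual Studio on Windows) is also worth restating next to the new nuget.org requirements so readers do not read certificate registration as implying client-side verification.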
@@ -35,7 +30,7 @@ Package signing requires a code signing certificate, which is a special type of
3530

3631
## Get a code signing certificate
3732

38-
Valid certificates may be obtained from public certificate authorities like:
33+
Valid certificates may be obtained from a public certificate authority like:
3934

4035
- [Symantec](https://trustcenter.websecurity.symantec.com/process/trust/productOptions?productType=SoftwareValidationClass3)
4136
- [DigiCert](https://www.digicert.com/code-signing/)
@@ -48,7 +43,7 @@ The complete list of certification authorities trusted by Windows can be obtaine
4843

4944
## Create a test certificate
5045

51-
You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the [New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate) PowerShell command.
46+
You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the [New-SelfSignedCertificate PowerShell command](/powershell/module/pkiclient/new-selfsignedcertificate.md).
5247

5348
```ps
5449
New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing purposes ONLY" `
@@ -64,8 +59,55 @@ New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing
6459

6560
This command creates a testing certificate available in the current user's personal certificate store. You can open the certificate store by running `certmgr.msc` to see the newly created certificate.
6661

62+
> [!Warning]
63+
> nuget.org does not accept packages signed with self-issued certificates.
64+
6765
## Timestamp requirements
6866

6967
Signed packages should include an RFC 3161 timestamp to ensure signature validity beyond the package signing certificate's validity period. The certificate used to sign the timestamp must be valid for the `id-kp-timeStamping` purpose [[RFC 5280 section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12)]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
7068

7169
Additional technical details can be found in the [package signature technical specs](https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details) (GitHub).
70+
71+
## Signature requirements on nuget.org
72+
73+
nuget.org has additional requirements for accepting a signed package:
74+
75+
- The primary signature must be an author signature.
76+
- The primary signature must have a single valid timestamp.
77+
- The X.509 certificates for both the author signature and its timestamp signature:
78+
- Must have an RSA public key 2048 bits or greater.
79+
- Must be within its validity period per current UTC time at time of package validation on nuget.org.
80+
- Must chain to a trusted root authority that is trusted by default on Windows. Packages signed with self-issued certificates are rejected.
81+
- Must be valid for its purpose:
82+
- The author signing certificate must be valid for code signing.
83+
- The timestamp certificate must be valid for timestamping.
84+
- Must not be revoked at signing time. (This may not be knowable at submission time, so nuget.org periodically rechecks revocation status).
85+
86+
## Register certificate on nuget.org
87+
88+
To submit a signed package, you must first register the certificate with nuget.org. You need the certificate as a `.cer` file in a binary DER format. You can export an existing certificate to a binary DER format by using the Certificate Export Wizard.
89+
90+
![Certificate Export Wizard](media/CertificateExportWizard.png)
91+
92+
Advanced users can export the certificate using the [Export-Certificate PowerShell command](/powershell/module/pkiclient/export-certificate.md).
93+
94+
To register the certificate with nuget.org, go to `Certificates` section on `Account settings` page (or the Organization's settings page) and select `Register new certificate`.
95+
96+
![Registered Certificates](media/registered-certs.png)
97+
98+
> [!Tip]
99+
> One user can submit multiple certificates and the same certificate can be registered by multiple users.
100+
101+
Once a user has a certificate registered, all future package submissions **must** be signed with one of the certificates.
102+
103+
Users can also remove a registered certificate from the account. Once a certificate is removed, packages signed with that certificate fail at submission. Existing packages aren't affected.
104+
105+
## Configure package signing requirements
106+
107+
If you are the sole owner of a package, you are the required signer. That is, you can use any of the registered certificates to sign your packages and submit to nuget.org.
108+
109+
If a package has multiple owners, by default, "Any" owner's certificates can be used to sign the package. As a co-owner of the package, you can override "Any" with yourself or any other co-owner to be the required signer. If you make an owner who does not have any certificate registered, then unsigned packages will be allowed.
110+
111+
Similarly, if the default "Any" option is selected for a package where one owner has a certificate registered and another owner does not have any certificate registered, then nuget.org accepts either a signed package with a signature registered by one of its owners or an unsigned package (because one of the owners does not have any certificate registered).
112+
113+
![Configure package signers](media/configure-package-signers.png)
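Review bot: the export instructions under `## Register certificate on nuget.org` should say explicitly that only the public certificate is exported, without the private key: the Certificate Export Wizard offers to export the private key as a `.pfx`, and registration needs only the DER `.cer`. Add `Do not export the private key` next to the `.cer` sentence. Three wording issues in the same hunk: `Must chain to a trusted root authority that is trusted by default on Windows` repeats `trusted`; `If you make an owner who does not have any certificate registered, then unsigned packages will be allowed` is missing `the required signer` before the comma; and `all future package submissions **must** be signed with one of the certificates` contradicts the multi-owner rules two paragraphs later (with `Any` selected, an unsigned package is still accepted when a co-owner has no certificate registered), so qualify it to packages for which that user is the required signer.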

docs/reference/organizations-on-nuget-org.md

Lines changed: 1 addition & 1 deletion
@@ -82,7 +82,7 @@ When you directly upload a new package on the [nuget.org Upload](https://www.nug
8282

8383
### Using API keys
8484

85-
To push a package through the `nuget push` or `dotnet nuget push` CLI commands, you must obtain an API key needed by those commands. For details, see [Publish a package](https://docs.microsoft.com/en-us/nuget/quickstart/create-and-publish-a-package-using-visual-studio#publish-the-package).
85+
To push a package through the `nuget push` or `dotnet nuget push` CLI commands, you must obtain an API key needed by those commands. For details, see [Publish a package](../quickstart/create-and-publish-a-package-using-visual-studio.md#publish-the-package).
8686

8787
When creating a new API key, select the appropriate organization in the **Package Owner** drop down. Any API key you create is applicable only to the chosen organization:
8888
