In addition, using CN instead of Thumbprint means we do not need to perform a cert rollover upgrade at all.
Ask 2: There is another case where we sometimes want to avoid hard-coding the certificate secret URL with version in the ARM template. The version is needed when we deploy SFC for the first time; after that it is not needed. However, there are some specific scenarios where we need to deploy SFC again, and at that time the secret URL hard-coded in the ARM template creates a problem: we need to update the ARM template with the latest version and deploy. So the ask here is whether there is any way/feature to support a certificate secret URL without version in the ARM template, so that we don't need to specify the secret URL with version. For example, can we just use the certificate secret URL like this: 'https://myvault.vault.azure.net/secrets/mycertificate', i.e. with no dependency on the certificate version?
Response: The answer to the above question is unfortunately no, since this is a specific requirement of the VMSS itself. The certificate secret URL is parameterized, so in our deployment pipeline we should possibly query the Key Vault, get the latest version and use that value.
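One way to do what the response suggests, resolving the current secret version in the pipeline instead of hard-coding it in the template (an added example, not part of the original post): the template parameter name `certificateUrlValue` and the use of the Azure CLI are assumptions of this example, and the shape check relies on the Key Vault secret identifier format `https://<vault>.vault.azure.net/secrets/<name>/<32-hex version>`.

```shell
#!/usr/bin/env sh
# Added example: resolve the latest version of a Key Vault certificate secret
# at deployment time and hand it to the ARM deployment as a parameter.
# Assumptions: Azure CLI is installed and logged in; the template exposes a
# parameter named certificateUrlValue (hypothetical name).

# Print the versioned secret identifier of the current version of a secret.
# `az keyvault secret show` without --version returns the latest version.
latest_secret_url() {
  vault="$1"; secret="$2"
  az keyvault secret show --vault-name "$vault" --name "$secret" \
     --query id -o tsv
}

# The VMSS rejects an unversioned URL, so verify the shape before deploying:
# https://<vault>.vault.azure.net/secrets/<name>/<32 hex chars>
is_versioned_secret_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# Deploy the template with the resolved URL; the template itself never
# carries a version, so a re-deploy after a certificate renewal needs no edit.
deploy_sfc() {
  rg="$1"; vault="$2"; secret="$3"; template="$4"
  url="$(latest_secret_url "$vault" "$secret")" || return 1
  if ! is_versioned_secret_url "$url"; then
    echo "unexpected secret id from Key Vault: $url" >&2
    return 1
  fi
  az deployment group create --resource-group "$rg" \
     --template-file "$template" \
     --parameters certificateUrlValue="$url"
}

# Usage (runs against a real subscription, so left commented here):
# deploy_sfc my-rg myvault mycertificate azuredeploy.json
```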