We have the following certificate chain:
- RootCA -> IntermProduction -> [leaf certificates]
- RootCA -> IntermTest -> [leaf test certificates]
Does it make a difference if I:
- a) Upload to IoT hub RootCA
- b) Upload to IoT hub both IntermProduction and IntermTest (without RootCA)
Will there be any differences in how leaf device certificates are validated? Our RootCA is a self-signed company root.
The background of the question is that I uploaded our rootCA to IoT hub, following the MS samples here. Our security specialist however refused to validate the proof of possession. Reason: Our rootCA is locked and no sub-certs should be issued. He asked me to point to the documentation where it is said that we MUST use the rootCA. I didn't find such a point.
As I don't know the internals of IoT Hub, I'm a bit at a loss. We are migrating from a self-made service to IoT solution. In our own service I did implement the verification of the certificate chain myself, and I did need the root certificate for this.
Does somebody have hands-on experience with something similar?
Of course it's an option to just upload the two intermediates and try it out, and I have a gut feeling that this will work, so the question is more whether I'm creating a potential security breach by doing so.
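The trust-anchor difference the question is really about, as an added example that is not part of the original post and says nothing about IoT Hub's internal implementation: a generic X.509 path walk over a constructed PKI shaped like the one described (RootCA -> IntermProduction / IntermTest), plus a hypothetical extra intermediate under the same root. It assumes the `cryptography` package; `IntermUnexpected` and the device names are made up for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_cert(cn, key, issuer=None, issuer_key=None, ca=True):
    """Build a minimal cert; self-signed when issuer is None, else signed by issuer_key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))


def signed_by(cert, issuer):
    """True only if issuer is marked CA and its key verifies cert's signature."""
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chains_to_anchor(leaf, pool, anchors):
    """Walk issuer links from the leaf through `pool`; succeed when an anchor signs a link."""
    cert = leaf
    for _ in range(len(pool) + 1):              # bounded walk, so a loop cannot hang
        if any(cert.issuer == a.subject and signed_by(cert, a) for a in anchors):
            return True
        nxt = [c for c in pool if c.subject == cert.issuer and signed_by(cert, c)]
        if not nxt:
            return False                        # no trusted path and no next link
        cert = nxt[0]
    return False


# Constructed PKI: root, the two intermediates from the question, and one extra
# intermediate under the same root that nobody uploaded anywhere (hypothetical).
keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(5)]
root = make_cert("RootCA", keys[0])
prod = make_cert("IntermProduction", keys[1], root, keys[0])
test = make_cert("IntermTest", keys[2], root, keys[0])
extra = make_cert("IntermUnexpected", keys[3], root, keys[0])
dev_prod = make_cert("device-001", keys[4], prod, keys[1], ca=False)
dev_extra = make_cert("device-002", keys[4], extra, keys[3], ca=False)


def compare_anchor_choices():
    """(device under IntermProduction ok?, device under the unexpected intermediate ok?)."""
    pool = [prod, test, extra]                  # intermediates a device might present
    return {"root_anchor": (chains_to_anchor(dev_prod, pool, [root]),
                            chains_to_anchor(dev_extra, pool, [root])),
            "intermediate_anchors": (chains_to_anchor(dev_prod, pool, [prod, test]),
                                     chains_to_anchor(dev_extra, pool, [prod, test]))}
```

Anchoring on the root accepts any device under any intermediate the root ever signs, while anchoring on the two intermediates rejects the device under the extra one; with intermediate anchors the device must also still present or be matched to its issuing intermediate.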