Arjun Sivasree, did you get a chance to see Sander's suggestions? In addition, please see the information below.
As per my understanding, a full chain certificate requires the root CA certificate, any intermediate certificates, and a leaf certificate. This full chain certificate is needed to provision with DPS in the group enrollment case. Does this mean all these certificates have to be present in the gateway when generating the full chain certificate? Is that not a security risk, keeping all these certificates in the gateway?
Yes, you are correct that a full chain certificate requires the root CA certificate, any intermediate certificates, and a leaf certificate.
The full chain certificate is needed to provision with DPS in the group enrollment case. However, it is not necessary to keep all these certificates in the gateway when generating the full chain certificate.
The best practice is to keep the root CA certificate and any intermediate certificates in a secure location, such as a certificate store or a hardware security module (HSM), and only provide the leaf certificate to the gateway. You can generate the full chain certificate by concatenating the leaf certificate with the intermediate certificates and the root CA certificate.
A hardware security module (HSM) is used for secure, hardware-based storage of device secrets. An HSM can be used with symmetric key, X.509 certificate, or TPM attestation to provide secure storage for secrets. Hardware-based storage of device secrets isn't required, but it's strongly recommended to help protect sensitive information like your device certificate's private key.
Hope this helps. Do let us know if you need any further help.
If this answers your query, do click Accept Answer and Yes for this answer as helpful. And if you have any further query, do let us know by commenting in the section below, happy to help!
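As an added example, not code from this thread or from the DPS/IoT Edge tooling, the script below assembles the chain bundle in the order the answer describes (leaf, then intermediates, then root CA) from certificate blocks only, and refuses to bundle any block labelled as a private key, so the file handed to the gateway never carries the secret the HSM is meant to protect. The PEM inputs are constructed placeholders, not real certificates.

```python
import re

# One PEM block: "-----BEGIN <label>-----", a body, "-----END <same label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, armored_block) for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if any PEM block in text is key material (e.g. 'PRIVATE KEY', 'EC PRIVATE KEY')."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))


def certificate_count(text):
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return sum(1 for label, _ in pem_blocks(text) if label == "CERTIFICATE")


def build_full_chain(leaf_pem, intermediate_pems, root_pem):
    """Concatenate leaf -> intermediates -> root into one PEM bundle.

    Every input must hold exactly one CERTIFICATE block; anything else
    (a private key pasted by mistake, an empty file) is rejected.
    """
    bundle = []
    for pem in [leaf_pem, *intermediate_pems, root_pem]:
        blocks = pem_blocks(pem)
        if len(blocks) != 1:
            raise ValueError("each input must contain exactly one PEM block")
        label, armored = blocks[0]
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to bundle non-certificate block: {label}")
        bundle.append(armored)
    return "\n".join(bundle) + "\n"


def _constructed_pem(label, marker):
    # Constructed test data only: a PEM-shaped block with a marker body,
    # not a real certificate or key.
    return f"-----BEGIN {label}-----\n{marker}\n-----END {label}-----\n"


LEAF_PEM = _constructed_pem("CERTIFICATE", "constructed-leaf-body")
INTERMEDIATE_PEM = _constructed_pem("CERTIFICATE", "constructed-intermediate-body")
ROOT_PEM = _constructed_pem("CERTIFICATE", "constructed-root-body")
LEAKED_KEY_PEM = _constructed_pem("PRIVATE KEY", "constructed-key-body")

if __name__ == "__main__":
    print(build_full_chain(LEAF_PEM, [INTERMEDIATE_PEM], ROOT_PEM))
```

With real files, read each PEM with `open(...).read()` and write the returned string to the bundle the gateway presents to DPS; the private key stays in the HSM or certificate store and is never passed to this function.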