I created a brand new free tier test hub to make sure our devices can connect before and after cert migration.
I clicked on "Migrate to DigiCert Global G2" and after some time azure said the operation had completed.
I verified with
az iot hub certificate root-authority show --hub-name mytesthub
Yet my test devices could still connect with only Baltimore cert on old code without DigiCert so I ran
openssl s_client -connect mytesthub.azure-devices.net:8883
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
depth=1 C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.azure-devices.net
Does this not show that the test hub is still using Baltimore?
I reverted the test hub back to Baltimore and then Migrated again to DigiCert yet still the problem persists.
Can I restart the hub to make it start using the new cert?
Or does it take a few hours for the cert to change?