I am reading up and experimenting with DPS, IoT hub and x509 authentication, but some things are not entirely clear to me. Assuming a setup with x509 and group enrollment through intermediate certificates:
When a device connects to DPS, will it be registered to a hub if the intermediate certificate is removed, but the root certificate is still present and valid?
When a device connects to DPS, will it be registered to a hub if the intermediate certificate has expired but the root certificate is still valid?
When a device connects to DPS, will it be registered to a hub if the intermediate certificate is valid but the root certificate has expired?
To disallow DPS access in a group certificate setup, one would create an individual device registration using the device certificate and then disable that device. However, in such a setup the device certificate might not be available as that is generated with the intermediate certificate. How does one create this individual device registration in this case?
Is the device certificate actually used as TLS client authentication or is device authentication something built on top of TLS?
What are the recommended validity periods of CA, intermediate/group and device certificates in DPS/IoT hub?
What is the recommended strategy regarding device certificates if devices could be offline for longer (5 years and more perhaps) periods of time in which there might be no way of updating (client) certificates?
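Added example for the first three questions (it is not part of the original post and makes no claim about what DPS itself does on top of the TLS layer): the script below builds two toy root -> intermediate -> device chains with openssl and uses `openssl verify -attime` to show how plain X.509 path validation, as OpenSSL implements it, treats a chain whose intermediate is missing, whose intermediate has expired while the root is still valid, and whose root has expired while the intermediate is still valid. All subject names, directories and validity periods are constructed for the demonstration; the device certificate is deliberately long-lived so that only the CA validity periods decide the outcome.

```shell
#!/bin/sh
# Added example (not from the original question): standard X.509 path validation
# exercised with openssl. Names, directories and validity periods are constructed.
set -e

DAY=86400
NOW=$(date +%s)

# make_chain DIR ROOT_DAYS INT_DAYS
# Builds root -> intermediate -> device under DIR. Every certificate is issued via
# a CSR plus `openssl x509 -req` so that only the extensions written here apply.
make_chain() {
    dir=$1; root_days=$2; int_days=$3
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/dev.ext"
    # Self-signed root CA (the trust anchor)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days "$root_days" \
        -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate (group) CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days "$int_days" -sha256 -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" >/dev/null 2>&1
    # Device (leaf) certificate, signed by the intermediate; long-lived on purpose
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=device-0001" \
        -keyout "$dir/dev.key" -out "$dir/dev.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/dev.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/dev.ext" \
        -out "$dir/dev.pem" >/dev/null 2>&1
}

# verify_at DIR DAYS_FROM_NOW WITH_INTERMEDIATE(yes|no)
# Exit status 0 if the device certificate chains to the trusted root at that
# moment, non-zero otherwise. Only the root is trusted; the intermediate is
# supplied as an untrusted chain certificate, as a device would send it in TLS.
verify_at() {
    dir=$1; at=$(( NOW + $2 * DAY )); with_int=$3
    if [ "$with_int" = yes ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" \
            -attime "$at" "$dir/dev.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/root.pem" -attime "$at" "$dir/dev.pem" >/dev/null 2>&1
    fi
}

# chain_status DIR DAYS_FROM_NOW WITH_INTERMEDIATE -> prints OK or FAIL
chain_status() {
    if verify_at "$1" "$2" "$3"; then echo OK; else echo FAIL; fi
}

WORK=$(mktemp -d)
make_chain "$WORK/short_root" 100 200   # root expires before the intermediate
make_chain "$WORK/short_int"  400 100   # intermediate expires before the root

echo "all valid, full chain presented   : $(chain_status "$WORK/short_int" 0 yes)"
echo "intermediate missing from chain   : $(chain_status "$WORK/short_int" 0 no)"
echo "intermediate expired, root valid  : $(chain_status "$WORK/short_int" 150 yes)"
echo "intermediate valid, root expired  : $(chain_status "$WORK/short_root" 150 yes)"
```

The point the script makes is that a verifier which only trusts the root still needs every link of the chain to be present and within its validity period at verification time: dropping the intermediate, an expired intermediate, or an expired root each make the device certificate unverifiable, regardless of how long the device certificate itself is valid. That is the TLS-layer floor any service sitting on top of it inherits; whatever additional enrollment checks a service like DPS applies come after this step and are not shown here.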