mrudula y Greetings!
Why do we need the "Baltimore" certificate for provisioning if the Hub has already migrated?
It's important to have all three certificates on your devices until the IoT Hub and DPS migrations are complete. Keeping the Baltimore CyberTrust Root ensures that your devices will stay connected until the migration, and adding the DigiCert Global Root G2 ensures that your devices will seamlessly switch over and reconnect after the migration. The Microsoft RSA Root Certificate Authority 2017 helps prevent future disruptions in case the DigiCert Global Root G2 is retired unexpectedly.
Does the SDK have anything to do with the fact that DPS is not working if Baltimore is not added in the ms.pem file? Is Baltimore hardcoded anywhere in the SDK to cause this issue, or does the DPS itself require the Baltimore certificate for verification?
This is because DPS uses the Baltimore CyberTrust Root certificate to verify the identity of the IoT hub during the registration process. The Azure IoT SDKs in the C language rely on the underlying operating system's certificate store to retrieve trusted roots for server authentication during the TLS handshake. Therefore, it is possible that the SDK is requiring the Baltimore CyberTrust Root certificate for verification.
When can I remove the Baltimore CyberTrust Root from my devices?
You can remove the Baltimore root certificate once all stages of the migration are complete. If you only use IoT Hub, then you can remove the old root certificate after the IoT Hub migration is scheduled to complete on October 15, 2023. If you use Device Provisioning Service or IoT Central, then you need to keep both root certificates on your device until the DPS migration is scheduled to complete on February 15, 2024.
Please see Migrate IoT Hub resources to a new TLS certificate root for more details.
Let us know if you have any further queries.
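An added example (not from this thread or from the Azure IoT SDKs) that turns the rules in the answer into a small Python check: it lists the CA subjects in a PEM bundle such as ms.pem using the standard ssl module, reports which of the three roots are missing, and applies the stated completion dates to decide whether Baltimore can be dropped. The bundle path, the script name and the subject tuples in the usage comment are assumptions.

```python
import ssl
import sys
from datetime import date

# The three roots the answer says a device must trust during the migration.
BALTIMORE = "Baltimore CyberTrust Root"
DIGICERT_G2 = "DigiCert Global Root G2"
MS_RSA_2017 = "Microsoft RSA Root Certificate Authority 2017"
REQUIRED_ROOTS = {BALTIMORE, DIGICERT_G2, MS_RSA_2017}

# Scheduled completion dates quoted in the answer.
IOT_HUB_MIGRATION_DONE = date(2023, 10, 15)
DPS_MIGRATION_DONE = date(2024, 2, 15)

def common_name(subject):
    """Return commonName from an ssl-module subject tuple ((('k', 'v'),), ...)."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def bundle_root_names(bundle_path):
    """Parse a PEM bundle (e.g. ms.pem) with OpenSSL and collect its CA subject CNs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    # get_ca_certs() lists only certificates carrying the CA basic constraint.
    return {common_name(cert["subject"]) for cert in ctx.get_ca_certs()}

def baltimore_removable(uses_dps_or_central, today):
    """Baltimore may go only after the last migration this device depends on."""
    if isinstance(today, str):  # accept an ISO date string for convenience
        today = date.fromisoformat(today)
    cutoff = DPS_MIGRATION_DONE if uses_dps_or_central else IOT_HUB_MIGRATION_DONE
    return today > cutoff

def check_bundle(root_names, uses_dps_or_central, today):
    """Report roots still required but absent from the bundle."""
    missing = REQUIRED_ROOTS - set(root_names)
    removable = baltimore_removable(uses_dps_or_central, today)
    if removable:
        missing.discard(BALTIMORE)  # past the cutoff, its absence is fine
    return {"missing": sorted(missing), "baltimore_removable": removable}

if __name__ == "__main__":
    # Usage: python check_roots.py ms.pem [--dps]  (file name and path are assumptions)
    names = bundle_root_names(sys.argv[1])
    print(check_bundle(names, "--dps" in sys.argv, date.today()))
```

Pass --dps when the device registers through DPS or IoT Central, since that moves the Baltimore cutoff to the later DPS date.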