You are building an IoT solution consisting of smart end-devices. After the successful pilot period, 
You want to extend the number of devices to 100 and put them in production. For maximum security, your devices authenticate using X.509 certificates. 
When using X.509 certificates, which two of the following statements are false?

Answer options:

A.End devices must possess the chain of certificates and their unique device certificate
B.The Public key of the device certificates should be kept in HSM
C.X.509 CA certificate must be uploaded to the IoT Hub
D.You should purchase trusted X.509 certificates for your scenario
E.Unique device certificates must be uploaded to the IoT Hub

Correct Answer: B and E
Option A is incorrect because actually, the devices must be signed with the chain of certificates as well as their unique device (leaf) certificate. They can prove the possession of the certificate by their secret private key.
Option B is CORRECT because Hardware Secure Module in a device is intended to generate the private key for the device and to keep it secret. The Public key is visible to the outside world.
Option C is incorrect because the trusted (purchased) X.509 must be uploaded and registered on the IoT Hub so that it can be used to verify the devices during their connection.
Option D is incorrect because, for maximum security in production environments, users should purchase trusted CA certificates from a root CA. For experimentation, self-signed certificates can also be suitable.
Option E is CORRECT because one of the advantages of using the X.509 certificate-based authentication is its 1-to-many hierarchy. In this case, it means that only the top-level certificate must be present on the IoT Hub while any number of end devices can authenticate through the trusted chain of certificates.
Diagram: 

References: 

https://docs.microsoft.com/en-us/azure/iot-fundamentals/security-recommendations?context=/azure/iot-hub/rc/rc
https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-overview
https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#register-x509-ca-certificates-to-your-iot-hub
https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md