You can use a public CA like Let's Encrypt then. Exposes you to the certificate log but you should be secured already anyways. Just have to use the DNS challenge (unless you wanna poke a hole for certbot) to grab it.
And people wonder why ioshit devices are all so cloud dependent. I just want my microwave to talk to my refrigerator (or whatever). But they have to use https, because. And the cert has to expire every 90 days, because. So now I provision a kitchen full of stuff with AWS creds so they can respond to DNS challenges to get those certs.
So much simpler for everything to revert to client only mode and route all messages through a server 3000 miles away. Until they pull the plug and nothing works at all.
This is why I hate privacy first thinking. The IoT is a big deal. I own basically nothing that has electricity that wouldn't be slightly to majorly improved, at low cost, by IoT.
So... let's... make the tech that powers it not suck, so we can stop with all this analog business.
Why would you ever want your microwave to talk to your fridge? Imo the real reason IoT is such a shit show is because it's being crammed into every device without any actual benefit to the end user.
DNS challenge is easy to pass and automate if you can programmatically add TXT records to your DNS zone. Every major cloud provider supports this with command line tools, so it's a matter of moving the DNS zone there and writing a shell script and a cron item in the worst case.
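What that shell script actually has to publish, as an added example that is not from anyone in this thread: the DNS-01 TXT value is derived per RFC 8555 from the CA's challenge token and the RFC 7638 thumbprint of the ACME account key, and a careful hook checks the record before asking the CA to validate. The account key and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with lexicographically sorted keys and no whitespace.
    Optional members such as "alg" or "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    """The TXT record is published at _acme-challenge under the name being validated."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def verify_txt(published: str, token: str, jwk: dict) -> bool:
    """Compare what the zone serves with what the CA will expect, before triggering
    validation; a stale or mistyped record fails here instead of burning a CA attempt."""
    return published == dns01_txt_value(token, jwk)


# Constructed account key (the modulus is a placeholder, not a real RSA key)
# and a constructed challenge token, used only to exercise the functions above.
ACCOUNT_JWK = {"alg": "RS256", "kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "constructed-token-value-from-the-ca"

if __name__ == "__main__":
    name = dns01_record_name("fridge.home.example")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    # This is the zone line the hook script would add (TTL kept short so cleanup is quick).
    print(f'{name}. 60 IN TXT "{value}"')
```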
I had a chance to skim through the link you posted - they are doing the HTTP challenge verification (in step 6) for some reason, which involves forwarding their domain into their internal network.
The DNS methods we already mentioned do not involve any of that - just a simple zone file change or a few clicks in a web UI to add a new record.