[Snakes3727]

As someone who works at a company who has to manage millions of SSL certificates for IoT devices in extremely terrible network situations I dread this.

One of the biggest issues is handling renewals at scale, and I hate it. Another increasingly frusturation is challenges via DNS are not quick.

[nine_k]

Are these IoT devices expected to be accessible via a regular Web browser from the public Internet? Does each of them represent a separate domain than needs a separate certificate, which it must not share with other similar devices?

[nickf]

I would strongly suggest that these certs have no reason to be from a public CA and thus you can (and should) move them to a private CA where these rules don't apply.

[cpach]

For those who want to solve the problem buy throwing money at it, one can probably buy a solution for this. I’m thinking of stuff like AWS IoT Core, I would guess there are other vendors in that space too.