by rdl
4723 days ago
When you build a public key into firmware which isn't easily updated, you need to put a lot of effort into securing the corresponding private key. The correct way to do this is to have a separate credential for your actual admin users who then use that to authenticate to an HSM or similar system which controls the actual widely-deployed keys. Humans should never be able to access the important private keys directly, and there should be a logging process which shows those keys have never been exported (and have technical and policy controls against being exported) without proper multi-party control (so, you back them up in k of n shares, and distribute those shares across corporate officers in multiple sites in the event you need to replace the HSM). Shorter-lived keys and more frequent updates, provided you also have a secure way of authenticating the updates (hard), are often preferred.