Real question: What is the correct way to handle certs on embedded devices? I never thought about it before I read this comment.
There are many embedded devices for which TLS is simply not feasible. For remote sensing, when you are relying on battery power and need to maximise device battery life, then the power budget is critical. Telemetry is the biggest drain on the power budget, so anything that means spending more time with the RF system powered up should be avoided. TLS falls into this category.
Yes, but the question is about devices that can reasonably run TLS.
The answer is local acme with your router issuing certs for your ULA prefix or “home zone” domain.
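One concrete shape of that suggestion, as an added example that is not from this thread: a router-side local CA in Python (using the `cryptography` library) that issues short-lived leaf certificates only for names under an assumed home-zone domain (`home.arpa`) and addresses inside an assumed ULA prefix (`fd12:3456:789a::/48`). The function names and values are constructed for illustration; a real ACME deployment adds the challenge/validation exchange on top of this issuance policy.

```python
import datetime
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
# Constructed assumptions: the home's ULA /48 and its home-zone domain.
ULA_PREFIX = ipaddress.ip_network("fd12:3456:789a::/48")
HOME_ZONE = "home.arpa"

def make_local_ca():
    """Create the router's self-signed CA key and certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "router-local-ca")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def in_scope(host, ip):
    """Issuance policy: only names under HOME_ZONE and addresses inside ULA_PREFIX."""
    return (host == HOME_ZONE or host.endswith("." + HOME_ZONE)) and ipaddress.ip_address(ip) in ULA_PREFIX

def issue_device_cert(ca_key, ca_cert, host, ip, days=30):
    """Issue a short-lived leaf cert for one device; refuse anything out of scope."""
    if not in_scope(host, ip):
        raise ValueError(f"refusing to issue for {host} / {ip}: outside local scope")
    dev_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.DNSName(host), x509.IPAddress(ipaddress.ip_address(ip))])
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)]))
            .issuer_name(ca_cert.subject)
            .public_key(dev_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return dev_key, cert

def check_issued(ca_cert, cert):
    """Verify the leaf was signed by the local CA and return its (DNS, IP) SAN entries."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName), [str(a) for a in san.get_values_for_type(x509.IPAddress)]
```

Devices then trust only this one local CA certificate, and the short validity keeps a lost or replaced device from holding a usable certificate for long.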