> This also leaves you with the challenge to safely get the certificate to your users.
Because the hardware vendor does not own nor configure the private network, they are not able to certify to the network’s users that a particular network node is the device it’s supposed to be, and not an impersonator. Only the network administrators can do that, and so it is the network administrators that must generate the certificate and install it on the device. In this way the admins bestow a programmatic declaration of trust on the network node.
The device manufacturers can only provide tools for showing that the device was not tampered with. TLS/SSL certificates are not for that purpose.
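The workflow the comment above describes, as an added example that is not part of the thread: the network admins run their own private CA, issue a certificate for a device, and users verify that device certificate against the admin CA only. Names such as `router1.lan` and `Example Private Network CA` are placeholders; the device key is generated locally here for illustration, whereas in practice it would stay on the device and only the CSR would be sent to the admins.

```shell
#!/bin/sh
# Added example (not from the original thread): an admin-operated private CA
# issuing a certificate to a network device, and a client checking that
# certificate against the admin CA. All names below are assumed placeholders.
set -eu

WORK="$(mktemp -d)"

# Step 1 (admins, once): create the private CA key and self-signed root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Network CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 2 (admins, per device): issue a certificate for the device's name on the
# private network. Key and CSR are generated here only for illustration.
issue_device_cert() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Step 3 (users): trust only the admin CA. Exit status 0 means the chain is valid.
verify_device_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate claiming the same name but not issued by the admin
# CA; verification against the admin CA must reject it.
make_unissued_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
    -keyout "$WORK/unissued.key" -out "$WORK/unissued.crt" >/dev/null 2>&1
}
verify_unissued_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/unissued.crt" >/dev/null 2>&1
}
```

The users' side needs only `ca.crt`; distributing that root to them securely is the remaining problem the quoted reply points at.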