What about when on-device certs expire? Seems like you need to support a way to "phone home" for cert updates.

Or let the customer generate certs: either kick off a new cert generation with the help of the box, or let the customer download his own cert (self-signed or otherwise). Ensuring the security of whatever the process is will be a part of this answer, but it's separable from the actual details of cert generation / updates.

Maybe I'm missing something and need a "big picture" summary.