To me it is a chicken and egg thing. I want an architecture that will always have the device renewing keys on updates or periodically. Initially, I can have manufacturer setup the CA on the device. But that can't be a long term thing like 30 years as it is not advised. So let's say it is a 1 year CA.
I am not to pass any private keys over how do I create a CSR to obtain a new cert if my cert is perhaps expired? How could I ever get a new cert unless that would mean I would have to firmware update the device and reset it to a firmware with the new CA. Such as an OTA update.
If it is not expired I guess I could periodically "update" the device so there isn't a factory reset but a simple update which would do things like reset the CA or even request a new CA on the device so as to be able to renew the client (device) key.
Am I thinking of this correctly?
