For device TLS certificates, can either run one's own cert authority and issue long-lived certs (possibly the same certificate authority as CK, etc.?). Otherwise, need something like DNS alias support: CNAME the _acme-challenge records to a subdomain managed by a DNS server with an API that certbot can drive for DNS-01 validation.
Need a well-worn path for people to deploy this across their devices, whichever approach is chosen.
Another approach: enhance NetDB so that a cert is issued automatically when a CSR is generated and placed in NetDB (the private key stays on the device; only the CSR moves). Needs a mechanism to push the issued public certs back out on a regular schedule. The ACME side could use the LEGO client (https://go-acme.github.io/lego/), which can finalize an order from a supplied CSR.
Alternative: terminate TLS on the F5 load balancer with a wildcard cert, and use long-lived self-signed (or internal-CA-signed) certs on the devices behind it. Could also run plain HTTP behind the F5, but that leaves the F5-to-device hop unencrypted and unauthenticated, so it is only acceptable on an isolated management network.
General solution is one of: solve ACME/Let's Encrypt on every device; or stand up a CA that covers most devices and either distribute its root cert to clients (browsers, command-line tools) or hide the devices behind the F5 with a wildcard cert.
https://caddyserver.com/docs/automatic-https for reference on a web server that obtains and renews its certs automatically.
Most likely: run a central CA service to which CSRs are submitted and from which long-lived certs are issued. Long-lived certs mean revocation (CRL/OCSP) or forced re-issuance has to actually work, since a cert will not age out soon after a key compromise; the CA signing key itself should be kept offline or in an HSM.
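Added worked example of the central-CA flow (this is illustration code, not part of these notes and not anything NetDB, the F5 or LEGO actually do): a minimal CA in Go using only the standard library. The device generates its key and a CSR (the CSR is the only artifact that would be dropped into NetDB); the CA checks the CSR's self-signature as proof that the requester holds the key, refuses any DNS name outside the zone it is allowed to issue for, copies only the SANs into a long-lived server cert, and a client that has been given the root cert verifies the result. The hostnames, the ".lab.example.net" zone, the 10-year root and 2-year leaf validity are made-up values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA is the signing key and root certificate of a hypothetical internal CA.
type CA struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate }

// NewCA creates a self-signed root valid for the given number of years.
func NewCA(name string, years int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate device clock skew
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}, err
}

// DeviceCSR is the device side: a key that never leaves the device plus a DER CSR naming the hostnames it serves (what gets submitted, e.g. dropped into NetDB).
func DeviceCSR(hostnames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostnames[0]}, DNSNames: hostnames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Sign is the CA side: check the CSR and issue a long-lived server cert for DNS SANs under allowedSuffix only. Nothing else the CSR asks for is copied over.
func (ca *CA) Sign(csrDER []byte, allowedSuffix string, years int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key in the CSR
		return nil, fmt.Errorf("bad CSR signature: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, fmt.Errorf("CSR carries no DNS SAN")
	}
	for _, n := range csr.DNSNames {
		if !strings.HasSuffix(n, allowedSuffix) {
			return nil, fmt.Errorf("refusing to issue for %q", n)
		}
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// Verify is the client side once the root has been distributed: chain to it and match the hostname.
func (ca *CA) Verify(certDER []byte, host string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := NewCA("Internal Root (example)", 10)
	if err != nil {
		panic(err)
	}
	_, csr, _ := DeviceCSR([]string{"switch01.lab.example.net"})
	leaf, err := ca.Sign(csr, ".lab.example.net", 2)
	fmt.Println("sign:", err, "verify:", ca.Verify(leaf, "switch01.lab.example.net"))
}
```

The point of the CA side is that the CSR is treated as a request, not a template: only the SANs are copied, so a device cannot ask for CA:TRUE, extra key usages or a name in someone else's zone, and the signature check stops anyone from submitting a CSR for a public key they do not hold. Anything that talks to a real store such as NetDB, and the CRL/OCSP handling a long-lived cert needs, is outside this sketch.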

