Should I hardcode TLS certificates in Arduino [closed]
I could connect my ESP8266 board to my MQTT server over TLS. Everything works fine.
There is only one question (as I'm a beginner with encryption): Should I hard code CA.crt, client.crt and client.key on the board??
As far as I know, if my certificates expire, I have to purchase another certificate, meaning my boards won't work anymore (I sell them). Can I securely ask the server for these files every time?
EDIT:
This question was closed because it was opinion-based. OK, give me an opinion! I have no idea how to handle my case. Thanks.
Solution 1:[1]
We can't answer this for you; only you know the details of how/where the device will be deployed. This will factor into what is acceptable.
What I will say is that it is possible to do Over the Air updates with ESP8266 so you can push code updates that could include updated certificate fingerprints if needed or you can not include an actual CA certificate to verify the broker certificate.
As for client certificates, these don't need to be issued by a public CA so you have full control over their expiry time, so it's perfectly reasonable to set a life longer than the expected life of the device.
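The private-CA approach from the answer above, as an added example that is not part of the original answer: it creates a CA you control and issues a device client certificate with a lifetime you choose. The file names, the `device-0001` name, the subject names and the 10-year `DAYS` value are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: private CA plus a long-lived device client certificate.
# ca.key, ca.crt, device-0001 and DAYS are constructed for illustration.
set -eu

DAYS=3650   # assumed device lifetime: 10 years

make_ca() {            # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=Example Device CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {  # $1 = directory holding the CA, $2 = device name
  # Key pair and signing request for the device.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Sign it with the private CA; expiry is whatever DAYS says.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days "$DAYS" -out "$1/$2.crt" 2>/dev/null
}

# Succeeds if the device certificate chains to the private CA.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Succeeds if the certificate is still valid $3 seconds from now.
valid_in() { openssl x509 -in "$1/$2.crt" -noout -checkend "$3" >/dev/null; }

WORK=$(mktemp -d)
make_ca "$WORK"
issue_client_cert "$WORK" device-0001
openssl x509 -in "$WORK/device-0001.crt" -noout -subject -enddate
```

The broker has to be configured to trust `ca.crt` for client authentication, and `ca.key` stays off the devices: only the per-device certificate and key are flashed.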
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | hardillb |
