I have found it relatively easy to just run a local CA for my isolated network. I didn't find it too difficult to set up. I run around 600 servers and about 20x that in IoT devices.
And how did you provision any of this? Did you take each device, connect to it while on that same network in a completely unauthenticated manner, and provision certificates? Can you send links to webpages on these devices to ordinary browsers that aren’t provisioned with the certificates? Would someone who doesn’t fully trust you and your infrastructure be willing to install your certificate?