In @bifravst we do promote using intermediate CA
certificates to allow offline generation of certificates:
https://bifravst.github.io/bifravst/docs/aws/DeviceCredentials.html - the same
way we provision our DKs.

Transmitting certificates over the internet should be avoided and can introduce
issues during manufacturing.
https://twitter.com/SoracomIoT/status/1329865420778524677