In @bifravst we do promote using intermediate CA certificates to allow offline generation of certificates: https://bifravst.github.io/bifravst/docs/aws/DeviceCredentials.html - the same way we provision our DKs.

Transmitting certificates over the internet should be avoided and can introduce issues during manufacturing. https://twitter.com/SoracomIoT/status/1329865420778524677