As I see it, this list is about mqtt protocol issues.
You are asking about TLS, in the context of:
- unnamed client and broker implementations
- using an unnamed TLS implementation
- configured on an unnamed operating system/packaging system
- in an unknown environment, with unknown security concerns and requirements
Most seriously, asking people to tell you if some practice is "ok" does
not make sense.
I will comment that my perception is that many people overvalue the
security benefits from the practice of configuring 100 public CAs as
trust anchors, and at the same time I believe that running a private CA
well is difficult. Unfortunately thinking about the overall risks from
various approaches is quite complicated.
One approach would be to find a consultant who can understand your
situation and help you. Another would be to learn enough to do this
yourself. If going down the second path:
- https://letsencrypt.org/docs/faq/
- https://community.letsencrypt.org/t/certificates-101/198242/171
- https://www.rfc-editor.org/rfc/rfc5280
- https://datatracker.ietf.org/wg/pkix/documents/
- https://csrc.nist.gov/pubs/sp/800/171/r3/final
  (required for certain US government contracts -- perhaps you are at
  Georgia Tech? -- and helpful for thinking about overall risk)