HTTPS for embedded devices, local addresses
If the customer insists on local IP connectivity, you don't even need to leverage a worldwide Public Key Infrastructure by reaching out to "known" Certificate Authorities.
Just set up your own local PKI with its own local CA and distribute your CA's certificate to all the clients. Then use that CA to issue certificates to the devices and they'll be trusted by the clients.
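
The steps described above, sketched with the OpenSSL command line as an added example (not part of the original answer): a local CA, a device certificate bound to the device's IP address through an IP subjectAltName, and the check a client performs. The file names, subject names, validity periods and the address 192.168.1.50 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: private CA plus a device certificate for a local IP address.
# File names, subject names and lifetimes are assumptions for illustration.

make_local_pki() {   # usage: make_local_pki <dir> <device-ip>
  dir=$1; ip=$2
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Leaf extensions: not a CA, server authentication only, bound to the IP.
  # Clients match the address in the URL against the IP subjectAltName.
  printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = IP:$ip" > "$dir/device.ext"

  # 1. CA key and self-signed CA certificate (ca.crt is what clients import).
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" &&
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/pki.cnf" -extensions v3_ca -out "$dir/ca.crt" &&
  # 2. Device key and certificate signing request.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key" &&
  openssl req -new -key "$dir/device.key" -config "$dir/pki.cnf" \
    -subj "/CN=$ip" -out "$dir/device.csr" &&
  # 3. The CA issues the device certificate with the leaf extensions.
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$dir/device.ext" -out "$dir/device.crt" &&
  chmod 600 "$dir/ca.key" "$dir/device.key"
}

# What a client does: chain to the local CA, server purpose, IP must match.
verify_device() {    # usage: verify_device <dir> <ip-the-client-connects-to>
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
    -verify_ip "$2" "$1/device.crt"
}

if [ "$#" -eq 2 ]; then make_local_pki "$1" "$2" && verify_device "$1" "$2"; fi
```

Only `ca.crt` goes to the clients; `ca.key` stays off the devices, since anyone holding it can issue certificates those clients will trust.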