Could you explain this further? How would you ensure that when you connect to https://trainsignapi.com it validates that the response is coming from the expected server? Would you hardcode a certificate on the device? What if you needed to upgrade the certificate? I don't quite understand how AWS IoT fits into it either.
If you're doing it "properly", you should have your own CA, not using public CAs, because public CAs will give certificates to anyone who controls servers on your domain or controls the domain; not just you. All it takes is someone to buy your expired domain, and they can get a new, publicly valid cert.
If you needed to update the CA, you'd need a firmware upgrade, served with a certificate signed by something chained to the old CA. And then, more likely than not, you'd want to do further updates on a new hostname, because it's hard to do a single hostname and send the right certs to the right clients.
This is a giant pain, and I don't blame people for using public CA infrastructure instead. Especially if your company goes bust, who cares?