Atlas: Enabling Cross-Vendor Authentication for IoT

📅 2026-02-09
🤖 AI Summary
This work addresses the fragmentation of cross-vendor device authentication and the latency and availability bottlenecks introduced by cloud-mediated communication in existing IoT architectures. The authors propose a lightweight, Web Public Key Infrastructure (Web PKI)-based approach that seamlessly integrates the ACME protocol with the X.509 certificate ecosystem for the first time in IoT contexts. By leveraging vendor-operated ACME clients and controlled DNS namespaces, devices automatically obtain certificates enabling direct mutual TLS (mTLS) authentication across administrative domains, thereby decoupling runtime authentication from cloud dependencies. The solution requires no hardware modifications, is compatible with mainstream vendor infrastructures, and achieves certificate issuance in under six seconds on ESP32 and Raspberry Pi platforms, with mTLS adding only approximately 17 ms of latency—significantly outperforming cloud-mediated alternatives and demonstrating low, stable end-to-end latency in smart home and urban scenarios.

📝 Abstract
Cloud-mediated IoT architectures fragment authentication across vendor silos and create latency and availability bottlenecks for cross-vendor device-to-device (D2D) interactions. We present Atlas, a framework that extends the Web public-key infrastructure to IoT by issuing X.509 certificates to devices via vendor-operated ACME clients and vendor-controlled DNS namespaces. Devices obtain globally verifiable identities without hardware changes and establish mutual TLS channels directly across administrative domains, decoupling runtime authentication from cloud reachability. We prototype Atlas on ESP32 and Raspberry Pi, integrate it with an MQTT-based IoT stack and an Atlas-aware cloud, and evaluate it in smart-home and smart-city workloads. Certificate provisioning completes in under 6 s per device, mTLS adds only about 17 ms of latency and modest CPU overhead, and Atlas-based applications sustain low, predictable latency compared to cloud-mediated baselines. Because many major vendors already rely on ACME-compatible CAs for their web services, Atlas is immediately deployable with minimal infrastructure changes.
Problem

Research questions and friction points this paper is trying to address.

cross-vendor authentication
IoT
device-to-device interaction
authentication fragmentation
latency bottleneck
Innovation

Methods, ideas, or system contributions that make the work stand out.

cross-vendor authentication
X.509 certificates
ACME protocol
mutual TLS
IoT identity